Description
### Brief description:
As the title says. Lately it's fashionable to post as 路人甲.
### Details:
Looking at
install\index.php
```
<?php
header("Content-type:text/html;charset=utf-8");
include_once('./function.php');
define('ROOT',dirname(dirname(__FILE__)));
$verMsg = 'v3.8';
$s_lang = 'utf-8';
$source_file = "./source/config.ini.php";//source config file
$target_file="../Public/Config/config.ini.php"; //target config file
$lock_file = '../install.lck';//lock file
if(file_exists($lock_file)){header('Location:../index.php');} // vulnerable: no exit after the redirect header
```
It checks whether install.lck exists, but on a hit it only sends a Location header and never calls exit. The browser is redirected, while the rest of the script keeps executing, so the installer remains fully reachable after installation as long as the install/ directory is still on the server. A client that ignores the redirect (any HTTP library, or curl without -L) never notices it.
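The root cause is a redirect that is not followed by exit. The following is an added example, not code from the report or from DamiCMS: a small heuristic scanner in Python that flags header('Location: ...') calls whose next statement is not exit/die, and therefore let execution continue. It runs over a constructed copy of the vulnerable prologue quoted above and over an assumed fixed variant (the fix is my assumption of the standard remedy, not the vendor's patch).

```python
import re

# Constructed sample 1: the vulnerable prologue from install/index.php as quoted in the report.
VULNERABLE_PHP = r"""<?php
header("Content-type:text/html;charset=utf-8");
include_once('./function.php');
$lock_file = '../install.lck';
if(file_exists($lock_file)){header('Location:../index.php');}
$step = isset($_POST['step']) ? intval($_POST['step']) : 0;
"""

# Constructed sample 2: assumed fix, an explicit exit right after the redirect header.
FIXED_PHP = r"""<?php
header("Content-type:text/html;charset=utf-8");
$lock_file = '../install.lck';
if(file_exists($lock_file)){
    header('Location:../index.php');
    exit;
}
$step = isset($_POST['step']) ? intval($_POST['step']) : 0;
"""

# header( 'Location: ...  (case-insensitive, tolerant of whitespace)
LOCATION_HEADER = re.compile(r"header\s*\(\s*['\"]\s*Location\s*:", re.IGNORECASE)
# The statement that should immediately follow the redirect.
TERMINATOR = re.compile(r"^\s*(exit|die)\b", re.IGNORECASE)
# Alternative idiom: exit(header('Location: ...')) wraps the redirect in the terminator.
WRAPPED = re.compile(r"(exit|die)\s*\(\s*$", re.IGNORECASE)


def find_unterminated_redirects(php_source):
    """Return 1-based line numbers of Location redirects after which execution continues.

    Heuristic: for each header('Location: ...') call, look at the text after the
    statement's terminating ';'. If the next non-whitespace token is not exit/die
    (a closing '}' counts as 'not terminated', because the enclosing block ends and
    the code after it runs unconditionally), the redirect is reported.
    Comment-only occurrences are not filtered out; this is a review aid, not a parser.
    """
    findings = []
    for match in LOCATION_HEADER.finditer(php_source):
        # exit(header(...)) / die(header(...)) is already terminated.
        before = php_source[max(0, match.start() - 16):match.start()]
        if WRAPPED.search(before):
            continue
        semicolon = php_source.find(';', match.end())
        if semicolon == -1:
            continue  # malformed statement; nothing to reason about
        following = php_source[semicolon + 1:].lstrip()
        if TERMINATOR.match(following):
            continue
        line_no = php_source.count('\n', 0, match.start()) + 1
        findings.append(line_no)
    return findings


def is_vulnerable(php_source):
    """True if at least one redirect lets execution fall through."""
    return bool(find_unterminated_redirects(php_source))


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_PHP), ("fixed", FIXED_PHP)):
        print(name, find_unterminated_redirects(src))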
攻击者可以 在自己的服务器上开放mysql数据库外联。然后对这个页面post数据
```
step=4&dbhost=远程服务器ip&dbport=端口&dbuser=账户&dbpwd=密码&dbname=数据库名
```
就可以重装这个cms了。
然后使用默认密码进入后台,
/admin.php?s=/Tpl/Update
将模板后缀命名为 php 即可getshell。
[<img src="https://images.seebug.org/upload/201410/280253584cb04426c33138386ef28fc4e3fc223d.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/280253584cb04426c33138386ef28fc4e3fc223d.jpg)
### 漏洞证明:
如上所述。官网就不测试了。
{"type": "seebug", "viewCount": 6, "enchantments": {"score": {"value": 0.4, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.4}, "reporter": "Root", "title": "\u5927\u7c73cms \u66b4\u529bgetshell", "cvelist": [], "bulletinFamily": "exploit", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}, "references": [], "enchantments_done": [], "modified": "2014-10-28T00:00:00", "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\nrt.\u6700\u8fd1\u6d41\u884c\u8def\u4eba\u7532\u3002\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\n\u770b\u5230 \ninstall\\index.php\n\n\n```\n<?php\nheader(\"Content-type:text/html;charset=utf-8\");\ninclude_once('./function.php');\ndefine('ROOT',dirname(dirname(__FILE__)));\n$verMsg = 'v3.8';\n$s_lang = 'utf-8';\n$source_file = \"./source/config.ini.php\";//\u6e90\u914d\u7f6e\u6587\u4ef6 \n$target_file=\"../Public/Config/config.ini.php\"; //\u76ee\u6807\u914d\u7f6e\u6587\u4ef6\u3002\n$lock_file = '../install.lck';//\u9501\u5b9a\u6587\u4ef6\nif(file_exists($lock_file)){header('Location:../index.php');}\n```\n\n\n\u5224\u65ad install.lck\u662f\u5426\u5b58\u5728\u3002 \u7136\u800c\u53ea\u662f\u505a\u4e86 header\uff0c \u5e76\u6ca1\u6709exit\u3002 \u9875\u9762\u53ea\u662f\u8df3\u8f6c\u4e86\uff0c\u4f46\u662f\u540e\u9762\u7684\u4ee3\u7801\u8fd8\u662f\u4f1a\u7ee7\u7eed\u6267\u884c\u7684\u3002\n\u653b\u51fb\u8005\u53ef\u4ee5 \u5728\u81ea\u5df1\u7684\u670d\u52a1\u5668\u4e0a\u5f00\u653emysql\u6570\u636e\u5e93\u5916\u8054\u3002\u7136\u540e\u5bf9\u8fd9\u4e2a\u9875\u9762post\u6570\u636e\n\n\n```\nstep=4&dbhost=\u8fdc\u7a0b\u670d\u52a1\u5668ip&dbport=\u7aef\u53e3&dbuser=\u8d26\u6237&dbpwd=\u5bc6\u7801&dbname=\u6570\u636e\u5e93\u540d\n```\n\n\n\u5c31\u53ef\u4ee5\u91cd\u88c5\u8fd9\u4e2acms\u4e86\u3002\n\u7136\u540e\u4f7f\u7528\u9ed8\u8ba4\u5bc6\u7801\u8fdb\u5165\u540e\u53f0\uff0c\n/admin.php?s=/Tpl/Update\n \u5c06\u6a21\u677f\u540e\u7f00\u547d\u540d\u4e3a php \u5373\u53efgetshell\u3002\n \n\n[<img 
src=\"https://images.seebug.org/upload/201410/280253584cb04426c33138386ef28fc4e3fc223d.jpg\" alt=\"1.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201410/280253584cb04426c33138386ef28fc4e3fc223d.jpg)\n\n \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a\n\n\u5982\u4e0a\u6240\u8ff0\u3002\u5b98\u7f51\u5c31\u4e0d\u6d4b\u8bd5\u4e86\u3002", "href": "https://www.seebug.org/vuldb/ssvid-95297", "id": "SSV:95297", "status": "details", "lastseen": "2017-11-19T13:10:59", "sourceData": "", "published": "2014-10-28T00:00:00", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645348699, "score": 1659785532, "epss": 1678848988}}
{}