2014-05-19: 积极联系厂商并且等待厂商认领中，细节不对外公开
2014-08-17: 厂商已经主动忽略漏洞，细节向公众公开
Lost check。
在install/index.php中
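// Installation lock guard: once install/isinstall.lock exists the installer
// must not run again. The lock file lives next to this script, so resolve it
// from this file's directory rather than from the working directory (the
// original "../install/isinstall.lock" only works when cwd is install/).
// NOTE(review): this guard protects only this entry point; every other
// installer script (install/install.php) needs the same check, otherwise
// the lock can be bypassed.
if (file_exists(dirname(__FILE__) . '/isinstall.lock')) {
    echo "<script language=\"JavaScript\">alert(\"系统已经安装!如需要重新安装,请手动删除install/isinstall.lock文件后再重新安装\");</script>";
    exit();
}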
这里判断了 lock，但是 install/install.php 中竟然没有判断 lock（lock 检查只在 index.php 这一个入口做了，其它安装脚本同样需要做这个检查）。
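define('IN_HICHINA', TRUE);
// Read the requested installer action from the query string. Default to an
// empty string so a request without ?action= does not raise an
// undefined-index notice; the later `$action == "setup"` test is unaffected.
$action = isset($_GET['action']) ? $_GET['action'] : '';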
if($action == "setup"){ //检查参数是否完整 $dbhost = $_GET['dbhost']; $port = $_GET['port']; $dbname = $_GET['dbname']; $dbuser = $_GET['dbuser']; $dbpassword = $_GET['dbpassword']; $tableprefix = $_GET['tableprefix']; $guid = $_GET['guid']; if(!$port) $port = 3306; if ($dbhost && $port && $dbname && $dbuser && $dbpassword && $tableprefix && $guid) { file_put_contents("db.txt", $dbhost.'|'.$port .'|'.$dbname .'|'.$dbuser .'|'.$dbpassword .'|'.$tableprefix.'|'.$guid); $link = mysql_connect($dbhost . ":" . $port, $dbuser, $dbpassword); if($link) { mysql_query("CREATE DATABASE IF NOT EXISTS `".$dbname."`;", $link); mysql_query("SET NAMES 'utf8',character_set_client=binary,sql_mode='';",$link); $link2 = mysql_select_db($dbname, $link); if($link2) { //==========================================================更新进度 file_put_contents('progress.txt', 10); //安装步骤1. 创建数据库结构 $sqlfile = 'B2Bbuilder.sql'; $query = ''; $fp = fopen(dirname(__FILE__).'/' . $sqlfile,'r'); while($mysql=GetNextSQL()) { mysql_query($mysql); } fclose($fp); //--------------------------------- $rurl=$_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF']; $aurl = explode("/", $rurl); $realurl=''; for($i=0;$i<count($aurl)-2;$i++) $realurl=$realurl.$aurl[$i]."/"; $realurl="http://".$realurl; $realurl=substr($realurl,0,-1); $burl=explode(".",$realurl); $pb=array_shift($burl); $baseurl=str_replace($pb.'.','',$_POST["weburl"]); $baseurl=str_replace('http://','',$_POST["weburl"]); $baseurl=explode('/',$baseurl); $baseurl=$baseurl[0]; if(substr($baseurl,0,3)=='loc'||substr($baseurl,0,3)=='127') mysql_query("update ".$tableprefix."web_config set `value`='' where `index`='baseurl'"); else mysql_query("update ".$tableprefix."web_config set `value`='".$baseurl."' where `index`='baseurl'"); mysql_query("update ".$tableprefix."web_config set `value`='$realurl' where `index`='weburl'"); //写系统配置文件 $rsid=mysql_query("select * from ".$tableprefix."web_config"); $arr=array(); $configs=array(); while($row=mysql_fetch_array($rsid)) { $arr[] = 
$row; } foreach($arr as $v) { $index=$v['index']; $value=$v['value']; $configs[$index]=$value; } $write_config_con_array=$configs; $write_config_con_str=serialize($write_config_con_array);//将数组序列化后生成字符串 $write_config_con_str='<?php $config = array_merge($config, unserialize(\''.$write_config_con_str.'\'));?>';//生成要写的内容 $cfp=fopen(dirname(__FILE__).'/../config/web_config.php','w'); fwrite($cfp,$write_config_con_str,strlen($write_config_con_str));//将内容写入文件. fclose($cfp); //======================================================更新进度 file_put_contents('progress.txt', 30); /* //安装步骤2. 导入测试数据 $sqlfile = 'data.txt'; $query = ''; $fp = fopen(dirname(__FILE__).'/' . $sqlfile,'r'); while(!feof($fp)) { $line = rtrim(fgets($fp, 1024)); if(preg_match("#;$#", $line)) { $query .= $line; $query = str_replace('{tableprefix}',$tableprefix,$query); $rs = mysql_query($query,$link); $query=''; } else if(!preg_match("#^(\/\/|--)#", $line)) { $query .= $line; } } fclose($fp); */ //更新进度 file_put_contents('progress.txt', 70); //=======================================================安装步骤3. 配置文件修改 $contents='<?php $config[\'dbhost\'] = \''.$dbhost.'\'; //数据库所在IP地址 $config[\'dbuser\'] = \''.$dbuser.'\'; //数据库用户 $config[\'dbpass\'] = \''.$dbpassword.'\'; //数据库密码 $config[\'dbname\'] = \''.$dbname.'\'; //数据库名 $config[\'port\'] = \''.$port.'\'; //端口 $config[\'table_pre\']=\''.$tableprefix.'\'; //数据库表前缀 $config[\'authkey\']=\''.md5(time().rand(0,100000)).'\'; //数据库表前缀 ?>'; $filename = dirname(__FILE__)."/../config/config.inc.php"; $cfp = fopen($filename,'w'); fwrite($cfp,$contents);
这里可以看到直接把一些连接参数写入到了配置文件当中，而这些参数很多都是可控的（直接取自 $_GET）。首先本地搭建一个mysql环境(不需要拿到网站的mysql权限)。
index.php check lock。
成功getshell。
Check lock
未能联系到厂商或者厂商积极拒绝