phpshe 1.2: unauthenticated getshell from the front end

Posted by admin on 2014-07-30 10:01:00

Author: xfkxfx

Website: http://www.wooyun.org/bugs/wooyun-2014-065479

(The credits above reflect the blogger's integrity.)

The vulnerable file is install/index.php. Nowhere in the installer flow is install.lock checked, so the installation can be run again at will; on top of that, the configuration values submitted during installation are not sanitized in any way, so arbitrary code can be written into the generated config file. Detailed analysis follows:

install/index.php

    <?php
    /**
     * @creatdate     2012-1111 koyshe
     */
    error_reporting(E_ALL ^ E_NOTICE);
    date_default_timezone_set('PRC');
    header('Content-Type: text/html; charset=utf-8');

    // work around unsafe register_globals and apply anti-SQL-injection handling
    if (@ini_get('register_globals')) {
        foreach($_REQUEST as $name => $value){unset($$name);}
    }

    $pe['host_root'] = 'http://'.str_ireplace(rtrim(str_replace('\\','/',$_SERVER['DOCUMENT_ROOT']), '/'), $_SERVER['HTTP_HOST'], str_replace('\\', '/', dirname(__FILE__))).'/../';
    $pe['path_root'] = str_replace('\\','/',dirname(__FILE__)).'/../';
    include("{$pe['path_root']}/include/class/cache.class.php");
    include("{$pe['path_root']}/include/function/global.func.php");

    // every GET key becomes $_g_<key>, every POST key becomes $_p_<key>
    if (get_magic_quotes_gpc()) {
        !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
        !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
    }
    else {
        !empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
        !empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
    }

    switch ($_g_step) {
        //#####################@ Settings @#####################//
        case 'setting':
            if (isset($_p_pesubmit)) {
                $dbconn = mysql_connect("{$_p_db_host}:{$_p_db_port}", $_p_db_user, $_p_db_pw);
                if (!$dbconn) pe_error('数据库连接失败...数据库ip,用户名,密码对吗?');
                if (!mysql_select_db($_p_db_name, $dbconn)) {
                    mysql_query("CREATE DATABASE `{$_p_db_name}` DEFAULT CHARACTER SET utf8", $dbconn);
                    !mysql_select_db($_p_db_name, $dbconn) && pe_error('数据库选择失败...数据库名对吗?');
                }
                mysql_query("SET NAMES utf8", $dbconn);
                mysql_query("SET sql_mode = ''", $dbconn);

                $sql_arr = explode('/*#####################@ pe_cutsql @#####################*/', file_get_contents("{$pe['path_root']}install/phpshe.sql"));
                foreach ($sql_arr as $v) {
                    $result = mysql_query(trim(str_ireplace('{dbpre}', $_p_dbpre, $v)));
                }
                if ($result) {
                    mysql_query("update `{$_p_dbpre}admin` set `admin_name` = '{$_p_admin_name}', `admin_pw` = '".md5($_p_admin_pw)."' where `admin_id`=1", $dbconn);
                    // the config template assigned here (which, per the analysis, embeds the
                    // unfiltered $_p_* values) is not reproduced in this post
                    $config = "";
                    file_put_contents("{$pe['path_root']}config.php", $config);
                    pe_goto("{$pe['host_root']}install/index.php?step=success");
                }
                else {
                    pe_error('数据库安装失败!');
                }
            }
            if (is_writeable("{$pe['path_root']}data/")) {
                $mod_data = 'Yes';
                $mod_data_result = true;
            }
            else {
                $mod_data = 'No';
                $mod_data_result = false;
            }
            if (is_writeable("{$pe['path_root']}config.php")) {
                $mod_config = 'Yes';
                $mod_config_result = true;
            }
            else {
                $mod_config = 'No';
                $mod_config_result = false;
            }
            $menucss_2 = "sel";
            $seo = pe_seo($menutitle='配置信息 -> PHPSHE商城系统安装向导', '', '', 'admin');
        break;
        //#####################@ Install complete @#####################//
        case 'success':
            $menucss_3 = "sel";
            $seo = pe_seo($menutitle='安装成功 -> PHPSHE商城系统安装向导');
        break;
        //#####################@ License agreement @#####################//
        default :
            $menucss_1 = "sel";
            $seo = pe_seo($menutitle='安装协议 -> PHPSHE商城系统安装向导');
        break;
    }
    include('install.html');
    pe_result();
    ?>
At no point does the script check for the install.lock file that marks a completed installation, so the installer can be re-run at will! Looking further, the data submitted during installation is written out without any filtering, so arbitrary content ends up in config.php:

    if ($result) {
        mysql_query("update `{$_p_dbpre}admin` set `admin_name` = '{$_p_admin_name}', `admin_pw` = '".md5($_p_admin_pw)."' where `admin_id`=1", $dbconn);
        $config = "";
        file_put_contents("{$pe['path_root']}config.php", $config);
        pe_goto("{$pe['host_root']}install/index.php?step=success");
    }
    else {
        pe_error('数据库安装失败!');
    }
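Both findings above (no install.lock check, and POSTed settings interpolated straight into config.php) are fixed by the same small guard. The following is an added example written for this post; it is not phpshe's code. It keeps the page's `$pe['path_root']` layout and assumes a lock file at data/install.lock; the function names `pe_install_locked`, `pe_validate_install_input`, `pe_build_config` and `pe_finish_install` are hypothetical. The key choices are a lock check before any installer step runs, a whitelist on every value that ends up in a file or a query, and `var_export()` to emit config.php so that quotes or `?>` inside a value stay inside a string literal and can never become code.

```php
<?php
// Added example, not phpshe's own code. Hardened replacement for the
// "step=setting" branch of install/index.php. Assumed: $pe['path_root'] as on
// the page, lock file at data/install.lock, and the hypothetical helper names below.
declare(strict_types=1);

// 1. Refuse to run the installer once installation has completed.
function pe_install_locked(string $pathRoot): bool
{
    return is_file($pathRoot . 'data/install.lock');
}

// 2. Accept only values that cannot alter SQL or PHP structure. Anything that
//    fails the whitelist aborts the install instead of being written out.
function pe_validate_install_input(array $post): array
{
    $rules = [
        'db_host'    => '/^[A-Za-z0-9.\-]{1,253}$/',
        'db_port'    => '/^[0-9]{1,5}$/',
        'db_user'    => '/^[A-Za-z0-9_\-]{1,32}$/',
        'db_name'    => '/^[A-Za-z0-9_]{1,64}$/',
        'dbpre'      => '/^[A-Za-z0-9_]{1,16}$/',
        'admin_name' => '/^[A-Za-z0-9_]{1,32}$/',
    ];
    $clean = [];
    foreach ($rules as $key => $re) {
        $value = (string) ($post[$key] ?? '');
        if (!preg_match($re, $value)) {
            throw new InvalidArgumentException("invalid value for {$key}");
        }
        $clean[$key] = $value;
    }
    // Passwords may contain any character; they are emitted via var_export()
    // below and bound as parameters in SQL, so they never reach an interpreter
    // as code.
    $clean['db_pw']    = (string) ($post['db_pw'] ?? '');
    $clean['admin_pw'] = (string) ($post['admin_pw'] ?? '');
    return $clean;
}

// 3. Build config.php from var_export() output instead of string interpolation.
function pe_build_config(array $clean): string
{
    $settings = [
        'db_host' => $clean['db_host'],
        'db_port' => (int) $clean['db_port'],
        'db_user' => $clean['db_user'],
        'db_pw'   => $clean['db_pw'],
        'db_name' => $clean['db_name'],
        'dbpre'   => $clean['dbpre'],
    ];
    return "<?php\n// generated by the installer\nreturn "
        . var_export($settings, true) . ";\n";
}

// 4. Write the config, then drop the lock so a second run is refused at step 1.
function pe_finish_install(string $pathRoot, array $post): void
{
    if (pe_install_locked($pathRoot)) {
        http_response_code(403);
        exit('Already installed. Remove data/install.lock to reinstall.');
    }
    $clean = pe_validate_install_input($post);
    file_put_contents($pathRoot . 'config.php', pe_build_config($clean), LOCK_EX);
    file_put_contents($pathRoot . 'data/install.lock', date('c'), LOCK_EX);
}

// Usage inside install/index.php, before the switch on $_g_step:
//   if (pe_install_locked($pe['path_root'])) { http_response_code(403); exit; }
// and in the 'setting' branch, after the SQL import succeeds:
//   pe_finish_install($pe['path_root'], $_POST);
```

The lock check belongs at the very top of the script, ahead of the `switch`, so that every step (not only `setting`) is blocked after installation; the admin password should likewise be bound as a query parameter rather than concatenated into the `update` statement, and a deployment checklist should remove or deny access to the install/ directory once setup is done. For detection, a request to install/index.php with step=setting on a host that already has a lock file is a reliable indicator worth alerting on.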