Author: Yaseng
[Directory]
0x00 Preface
0x01 program installation files
0x02 Reinstall and getShell directly on the tuesbuy page
0x03 phpdisk header() redirect bypass & getShell
0x04 sdcms global variable overwrite bypass
0x05 Non-mainstream dcrcms reinstalled through a logic flaw
0x06 PHP Web installer member verification bypass
0x07 Other bypass instances
0x08 Writing secure code
0x09 Summary
Preface
Every web system needs an installer: it sets up the system, connects to the database and initializes the site data. When the system is installed for the first time, a lock file is usually generated to prevent illegal reinstallation. However, if that lock check can be defeated we can reinstall the system, causing data loss or even getShell. This article uses several real instances to discuss the security of web system installers.
About program installation files
A web system is installed when its installer entry point is accessed for the first time. In PHP, which I know best, the entry point is usually install.php or an install folder under the web root. The installation process is as follows:
Figure 1
Let's look more closely at the content above. Next we discuss it in detail through several cases.
Repeat installation and getShell
1. Access www.2cto.com/install.php (some people are lazy and never deleted this file).
2. Fill in the account and IP address of a MySQL server set up on your own machine and reinstall.
3. Register an account; the first registered account is the administrator by default.
4. Access /manage/index.php.
5. Click through the template editor, select about_job.html and add a one-line PHP shell.
6. Use a kitchen knife (webshell client) to connect to site.com/about/job.php.
Phpdisk header Bypass
Reference: http://www.bkjia.com/Article/201206/137339.html
Figure 2
2. When the installed check fires, it only issues a header() redirect. In PHP the code after header() keeps executing when no exit follows, and the installer conveniently handles gpc as well, so repeated installation leads straight to getShell.
Figure 3
Xdcms global variable overwrite bypass reinstallation
Reference: http://www.bkjia.com/Article/201208/145312.html
Look at the index.php file under install:
// register_globals emulation: every key in $_GET, $_POST and $_COOKIE
// becomes a global variable of the same name (variable variables)
foreach (array('_GET', '_POST', '_COOKIE') as $_request) {
    foreach ($$_request as $_k => $_v) ${$_k} = _runmagicquotes($_v);
}
This is the classic global variable overwrite. The code walks each passed variable array and assigns every key as a variable, so $_GET['a'] simply becomes $a. Now look at the installed check code:
// computed before the global variable traversal above
$insLockfile = dirname(__FILE__) . '/install_lock.txt';
if (file_exists($insLockfile)) {
    exit("The program has been installed. If you are sure you want to reinstall it, delete install/install_lock.txt via FTP first!");
}
Because of the traversal, $insLockfile is controllable (global variable overwrite): it is enough to pass it as a request parameter.
http://demo.xdcms.cn/install/index.php?insLockfile=1
Figure 4: the official sdcms site, using the PoC
http://www.bkjia.com/install/index.php?insLockfile=1&step=4&dbhost=localhost&dbname=xdcms&dbuser=root&dbpwd=&dbpre=c_&dblang=gbk&adminuser=yaseng&adminpwd=90sex
Fill in the configuration in the (originally bold) parameter section and the installed check is bypassed; the system reinstalls directly.
Secondary installation due to logical defects of dcrcms
Now look at the non-mainstream installer of dcrcms. It has no installed-check code at all: index.php only writes out the configuration form, which is submitted to install_action.php, and when installation completes it runs:
function install_end()
{
    // installation finished
    // only renames the installer entry, no lock file is written
    @rename('index.php', 'index.php_bak');
}
Renaming index.php is useless, because index.php is only a form that carries the configuration data to install_action.php. Since you only renamed the index, I can write my own index form locally...
Figure 5
Submit local form
Figure 6
Done !!!
PHP Web vip reinstallation verification Bypass
PHP Web is a paid system whose installer verifies membership, so the developers felt they could skip the installed check.
Figure 7
However, the installation steps are driven by a nextstep POST parameter.
Figure 8
Tampering the POST in Firefox directly bypasses the installation check (cracking this program was not tested; interested readers can study it further).
Figure 9
Other bypasses
The installer itself does not have to be flawed. Other methods work too, such as the arbitrary file deletion in dedecms (delete the lock file) or the arbitrary file rename in Xxxcms.
Writing secure code
Renamed the installer? Added a lock file? All of these risk being bypassed. discuz gives us a good answer. Look at the code that runs when the admin area is accessed after installation:
if (@file_exists(DISCUZ_ROOT . './install/index.php') && !DISCUZ_DEBUG) {
    // remove the installer entry point itself
    @unlink(DISCUZ_ROOT . './install/index.php');
    // refuse to continue if the file could not be removed
    if (@file_exists(DISCUZ_ROOT . './install/index.php')) {
        dexit('Please delete install/index.php via FTP!');
    }
}
It deletes install/index.php outright, cleaning up and eliminating future problems...
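An added example, not code from the original post or from any of the CMSes discussed, that pulls the three fixes together: a lock path that cannot be overwritten by the register_globals-style loop in the sdcms case, a redirect that always exits (the phpdisk case), and discuz-style self-removal of the installer. The paths install/index.php and install/install_lock.txt are assumptions.

```php
<?php
// Added example: hardened installer guard (assumed layout: the installer is
// install/index.php and the lock file is install/install_lock.txt).
declare(strict_types=1);

// 1. Fixed paths as constants. A constant is immune to a register_globals
//    emulation loop such as "foreach ($$_request as $k => $v) $$k = $v;",
//    which can overwrite an ordinary variable like $insLockfile.
define('INSTALL_DIR', __DIR__ . '/install');
define('INSTALL_LOCK', INSTALL_DIR . '/install_lock.txt');

// 2. Never import request variables into the symbol table; read each
//    expected parameter explicitly and reject non-string values.
function installParam(string $name, string $default = ''): string
{
    $value = $_POST[$name] ?? $default;
    return is_string($value) ? $value : $default;
}

// 3. header() does not stop the script: always exit after a redirect, or
//    the installer body below the check still runs for the attacker.
function redirectAndStop(string $location): void
{
    header('Location: ' . $location, true, 302);
    exit;
}

function isInstalled(): bool
{
    return file_exists(INSTALL_LOCK);
}

// Called first thing in install/index.php.
function guardInstaller(): void
{
    if (isInstalled()) {
        redirectAndStop('../index.php');
    }
}

// Called once after a successful installation: write the lock, then delete
// the installer itself (discuz style) instead of trusting a rename, and
// refuse to continue if the file could not be removed.
function finishInstall(): void
{
    file_put_contents(INSTALL_LOCK, (string) time());
    @unlink(INSTALL_DIR . '/index.php');
    if (file_exists(INSTALL_DIR . '/index.php')) {
        exit('Please delete install/index.php via FTP!');
    }
}
```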
Summary
This article is a simple evaluation of web system installers from the perspective of code auditing and project development. Some of the cases have been fixed in newer versions, and some 0days are not published here; the specific usage depends on the reader's own research.
This article is original, reprint please indicate to come to http://yaseng.me/web-installer-security.html