B2Bbuilder design flaw allows reinstallation of the entire site

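Details:

After B2Bbuilder has been installed, install/install.php contains no check for an existing installation,

so the system can be reinstalled. The code is as follows: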

<?php
/**
 * Installer
 * @copyright Copyright (C) 2011 HiChina (中国万网) Internet Solutions Division
 * @author bruce lee liyongqing2008@gmail.com
 * @access public
 * @package system
 */
// Set the current system marker
define('IN_HICHINA', TRUE);
// Read the action parameter
$action = $_GET['action'];

// Error code table
$a_error = array
(
    "101" => array("msg" => "网络传输错误", "description" => "Get发送或接收数据失败"),
    "102" => array("msg" => "参数不完整", "description" => "无参数或参数个数不对"),
    "103" => array("msg" => "身份不合法", "description" => "无权限调用接口"),
    "104" => array("msg" => "解压缩失败", "description" => "压缩程序和解压缩程序不匹配"),
    "105" => array("msg" => "配置文件未找到", "description" => "配置文件未找到"),
    "106" => array("msg" => "配置文件内容不合法", "description" => "配置文件内容不合法"),
    "107" => array("msg" => "请求地址无效", "description" => "独立应用接口文件不存在或无法打开"),
    "108" => array("msg" => "配置文件无法修改", "description" => "配置文件无法修改"),
    "111" => array("msg" => "参数不正确", "description" => "参数长度超长或类型不匹配"),
    "112" => array("msg" => "接口已失效", "description" => "接口已超时"),
    "113" => array("msg" => "安装失败", "description" => "安装失败"),
    "114" => array("msg" => "运行检测失败", "description" => "检测到应用无法正常执行"),
    "121" => array("msg" => "安装应用失败", "description" => "安装应用失败"),
    "122" => array("msg" => "安装结果检测失败", "description" => "应用安装成功但运行检测失败"),
    "131" => array("msg" => "无法连接数据库或数据库服务器无响应", "description" => "无法连接数据库或数据库服务器无响应"),
    "132" => array("msg" => "添加账户失败", "description" => "添加管理员账户失败"),
    "200" => array("msg" => "ok", "description" => "ok")
);

// Output the XML response
function outputXml($code)
{
    global $a_error;
    header("content-type: text/xml");
    echo '<?xml version="1.0" encoding="utf-8"?>
<rsp>
<code>' . $code . '</code>
<msg>' . $a_error[$code]['msg'] . '</msg>
</rsp>';
    exit();
}

// Install the application
// http://localhost/b2b/install/install.php?action=setup&dbhost=localhost&port=3306&dbname=hichina001_db&dbuser=root&dbpassword=root&tableprefix=b2bbuilder_&guid=6F9619FF-8B86-D011-B42D-00C04FC964FF

if ($action == "setup") // only action is checked; with no verification at all, the reinstall starts directly
{
    // Check that all parameters are present
    $dbhost = $_GET['dbhost'];
    $port = $_GET['port'];
    $dbname = $_GET['dbname'];
    $dbuser = $_GET['dbuser'];
    $dbpassword = $_GET['dbpassword'];
    $tableprefix = $_GET['tableprefix'];
    $guid = $_GET['guid'];
    if (!$port)
        $port = 3306;

    if ($dbhost && $port && $dbname && $dbuser && $dbpassword && $tableprefix && $guid)
    {
        file_put_contents("db.txt", $dbhost.'|'.$port .'|'.$dbname .'|'.$dbuser .'|'.$dbpassword .'|'.$tableprefix.'|'.$guid);
        $link = mysql_connect($dbhost . ":" . $port, $dbuser, $dbpassword);
        if ($link)
        {
            mysql_query("CREATE DATABASE IF NOT EXISTS `".$dbname."`;", $link);
            // ... the excerpt quoted on the page ends here ...
        }
    }
}

Proof of vulnerability:

After a normal B2Bbuilder installation, requesting /install/index.php displays the following:

[Screenshot: /install/index.php after a normal installation]

That page has a reinstall check, but install.php has none.

Requesting /install/install.php?action=setup&dbhost=localhost&port=3306&dbname=<database name>&dbuser=<database user>&dbpassword=<database password>&tableprefix=b2bbuilder_&guid=6F9619FF-8B86-D011-B42D-00C04FC964FF directly reinstalls the whole site.

Fix:

Add a reinstall check to install.php,

i.e. check whether the .lock file exists.
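
One way to write the lock-file check described above, as an added example that is not B2Bbuilder's own code. The file name install.lock, the helper names, the $setup callable and the mapping to error 103 are assumptions; the page only says to test for a .lock file.

```php
<?php
// Added example, not B2Bbuilder code. ASSUMPTIONS: PHP 7+, and a lock file
// named "install.lock" beside the installer (the page only says ".lock").
const LOCK_NAME = 'install.lock';

function lock_path(string $installDir): string
{
    return $installDir . DIRECTORY_SEPARATOR . LOCK_NAME;
}

// Claim the installation atomically: fopen mode 'x' fails if the file
// already exists, so a repeat or concurrent setup request is rejected.
function claim_install(string $installDir): bool
{
    $fh = @fopen(lock_path($installDir), 'x');
    if ($fh === false) {
        return false;
    }
    fwrite($fh, gmdate('c') . "\n");
    fclose($fh);
    return true;
}

// Gate for action=setup. Runs before any dbhost/dbuser/... value is read.
// $setup is a hypothetical callable standing in for the real install steps.
function handle_setup(string $installDir, array $query, callable $setup): string
{
    if (($query['action'] ?? '') !== 'setup') {
        return 'ignored';
    }
    if (!claim_install($installDir)) {
        return 'refused';   // install.php could answer with its error 103 here
    }
    if (!$setup($query)) {
        unlink(lock_path($installDir));   // failed install: allow a retry
        return 'failed';
    }
    return 'installed';
}

// Constructed demo: a temporary directory stands in for install/.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'b2b_demo_' . uniqid();
mkdir($dir);
$req = ['action' => 'setup', 'dbname' => 'demo_db'];   // constructed request
$ok = function (array $q): bool { return true; };      // pretend setup worked
echo handle_setup($dir, $req, $ok), "\n";   // first request
echo handle_setup($dir, $req, $ok), "\n";   // repeated request
unlink(lock_path($dir));
rmdir($dir);
```

Taking the lock before the setup steps, rather than writing it afterwards, means a crash midway leaves the installer closed. Deleting the install/ directory or blocking web access to it after setup removes the entry point altogether.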
