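### Brief description:
As the title says.
### Details:
After downloading the source code and setting up the CMS, I found that the install.php file was still present.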
```
error_reporting(0);
header("Content-Type: text/html; charset=utf-8");
$site_url = "http://".$_SERVER["HTTP_HOST"].$_SERVER['PHP_SELF'];
$site_url = preg_replace("/\/[a-z0-9]+\.php.*/is", "", $site_url);
// No check that the site is already installed and no authentication:
// any request carrying these POST fields rewrites the configuration.
if($_POST['db_host'] && $_POST['db_name'] && $_POST['db_user'] && $_POST['db_prefix']) {
    $file = "Application/Common/Conf/db.php";
    $data = "<?php
    return array(
    'DB_TYPE' => 'mysql', // database type
    'DB_HOST' => '".$_POST['db_host']."', // server address
    'DB_NAME' => '".$_POST['db_name']."', // database name
    'DB_USER' => '".$_POST['db_user']."', // user name
    'DB_PWD' => '".$_POST['db_pwd']."', // password
    'DB_PORT' => 3306, // port
    'DB_PREFIX' => '".$_POST['db_prefix']."', // database table prefix
    'DB_CHARSET' => 'utf8', // database charset
    'ADMIN_LOGIN' => '".$_POST['admin_login']."', // founder (super admin) account
    'ADMIN_PASS' => '".$_POST['admin_pass']."', // founder (super admin) password
    ); ?>";
    // Overwrite the existing configuration file with the submitted values
    $db_info = file_put_contents ($file, $data);
    if($db_info) {
        $callback = 1;
    } else {
        $callback = 2;
    };
    $con = mysql_connect($_POST['db_host'],$_POST['db_user'],$_POST['db_pwd']);
    mysql_query("CREATE DATABASE ".$_POST['db_name'],$con);
    if (!$con) {
        $callback = 2;
    };
} else {
    $callback = 0;
}
```
As the code shows, there is no verification of any kind, so the site can simply be reinstalled.
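For contrast, a guarded installer might look like the following. This is an added example, not code from the CMS: the `install.lock` path and the function names `is_installed`, `render_config` and `run_install` are assumptions, and handling of the admin account fields is left out.

```php
<?php
// Added example: install-lock guard. Paths other than db.php and all function
// names are assumptions for illustration, not part of the CMS.
const CONFIG_FILE  = 'Application/Common/Conf/db.php';       // path from the page
const INSTALL_LOCK = 'Application/Common/Conf/install.lock'; // assumed lock file

// True once setup has run: either the lock or a config file already exists.
function is_installed(string $base): bool
{
    return is_file("$base/" . INSTALL_LOCK) || is_file("$base/" . CONFIG_FILE);
}

// Build db.php from the form fields. var_export() emits each value as a quoted
// PHP literal, so form input cannot change the structure of the file.
function render_config(array $post): string
{
    $conf = ['DB_TYPE' => 'mysql', 'DB_PORT' => 3306, 'DB_CHARSET' => 'utf8'];
    $map  = ['db_host' => 'DB_HOST', 'db_name' => 'DB_NAME', 'db_user' => 'DB_USER',
             'db_pwd'  => 'DB_PWD',  'db_prefix' => 'DB_PREFIX'];
    foreach ($map as $field => $key) {
        $conf[$key] = (string)($post[$field] ?? '');
    }
    return "<?php\nreturn " . var_export($conf, true) . ";\n";
}

// Returns the HTTP status to send: 403 if already installed, 500 if the config
// cannot be written, 200 on a successful first install.
function run_install(string $base, array $post): int
{
    if (is_installed($base)) {
        return 403;
    }
    // Mode 'x' fails when the file exists, so concurrent requests cannot both pass.
    $lock = @fopen("$base/" . INSTALL_LOCK, 'x');
    if ($lock === false) {
        return 403;
    }
    fclose($lock);
    if (file_put_contents("$base/" . CONFIG_FILE, render_config($post), LOCK_EX) === false) {
        unlink("$base/" . INSTALL_LOCK); // roll back so setup can be retried
        return 500;
    }
    return 200;
}

// Entry point when served over HTTP; skipped when the file is run from the CLI.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    http_response_code(run_install(__DIR__, $_POST));
}
```

Deleting or renaming install.php once setup has finished remains the simplest mitigation; the lock only covers the case where the file is left in place.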
### Proof of vulnerability:
[![QQ screenshot 20150116142603.png](https://images.seebug.org/upload/201501/1614254910bb952a0b05757e6d80d7d3bef24855.png)](https://images.seebug.org/upload/201501/1614254910bb952a0b05757e6d80d7d3bef24855.png)
[![QQ screenshot 20150116142631.png](https://images.seebug.org/upload/201501/16142604b15a587d318588c94791c3e9b8ccec27.png)](https://images.seebug.org/upload/201501/16142604b15a587d318588c94791c3e9b8ccec27.png)
Five instances on the Internet:
```
http://www.dxsfood.com/install.php
http://www.meiguo.com.cn/install.php
http://freshfoodday.com/install.php
http://www.hanguo2.com/install.php
http://www.sushe.wang/install.php
```