Hdwiki最新版二次注入一枚

### 简要描述： 上Hdwiki官网 发现更新日期一直都没变。 还以为一直都没更新了, 结果今天下载一个下来看看。 发现之前发的洞竟然都补掉了。 非盲注 直接出数据。 ps. 更新程序了应该还是把日期更新了一下 要不别人会一直以为没更新的。 ### 详细说明： 在user/pms.php中 ``` function doblacklist(){ if(isset($this->post['blacklist'])){ $blacklist = htmlspecialchars(string::stripscript($this->post['blacklist'])); if(empty($blacklist)){ $result = $_ENV['pms']->remove_blacklist($this->user['uid']); }else{ $result = $_ENV['pms']->add_blacklist($blacklist,$this->user['uid']); } ``` add_blacklist($blacklist,$this->user['uid']); $blacklist = htmlspecialchars(string::stripscript($this->post['blacklist']) post 都会转义的。 来看看这函数 stripscript ``` function stripscript($string){ $pregfind=array("/<script.*>.*<\/script>/siU",'/on(error|mousewheel|mouseover|click|load|onload|submit|focus|blur|start)="[^"]*"/i'); $pregreplace=array('','',); $string=preg_replace($pregfind,$pregreplace,$string); return $string; } } ``` 这是过滤了一些xss常用的。 ``` function add_blacklist($blacklist,$uid){ return($this->db->query("REPLACE INTO ".DB_TABLEPRE."blacklist (uid,blacklist) VALUES('$uid','$blacklist')")); } ``` 然后直接入库, 虽然转义了 但是转义后入库之后转义符会被消除的。 来看看哪里出库了。 依旧在control/pms.php中 ``` function dobox(){ $this->get[3] = empty($this->get[3]) ? NULL : $this->get[3]; $page = max(1,isset($this->get[4]) ? $this->get[4] : $this->get[3]); $num = isset($this->setting['list_prepage'])?$this->setting['list_prepage']:20; $start_limit = ($page - 1) * $num; $count = $_ENV['pms']->get_totalpms($this->user['uid'], $this->get[2]); ``` ``` function get_totalpms($uid, $type, $group=''){ $sqladd = ''; if($type == 'inbox'){ $blacklist = $this->get_blacklist($uid); if($blacklist == '[ALL]'){ return '0'; }else{ $blackuser = str_replace(",","','",$blacklist); if($group){ $sqladd = ($group == 'owner') ? 'AND og=0' : 'AND og=1'; } $query = "SELECT COUNT(*) num FROM ".DB_TABLEPRE."pms WHERE toid='$uid' AND delstatus!=2 AND drafts!=1 $sqladd AND `from` NOT IN ('$blackuser')"; } }else{ $sqladd = ($type == 'outbox') ? 'drafts!=1' : 'drafts=1'; $query = "SELECT COUNT(*) as num FROM ".DB_TABLEPRE."pms WHERE fromid='$uid' AND delstatus!=1 AND $sqladd"; } $total = $this->db->fetch_first($query); return $total['num']; } ``` $blacklist = $this->get_blacklist($uid); ``` function get_blacklist($uid){ $user = $this->db->fetch_first("SELECT blacklist FROM ".DB_TABLEPRE."blacklist WHERE uid='".$uid."'"); return $user['blacklist']; } ``` 这里把刚才入库的查询了出来 成功引入了单引号。 ``` $blackuser = str_replace(",","','",$blacklist); if($group){ $sqladd = ($group == 'owner') ? 'AND og=0' : 'AND og=1'; } $query = "SELECT COUNT(*) num FROM ".DB_TABLEPRE."pms WHERE toid='$uid' AND delstatus!=2 AND drafts!=1 $sqladd AND `from` NOT IN ('$blackuser')"; ``` 然后查询出来后赋值给$blackuser 然后带入了查询当中， 而且在最后 return $total['num']; return回来后直接 $this->view->assign('count',$count); 输出来。 就可以直接出数据。 $blackuser = str_replace(",","','",$blacklist); 在这里会把逗号替换 然后就不用逗号来注入把。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201407/04193739f3a70a473dfa1990f84e8ef39bd16bbe.jpg" alt="h1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/04193739f3a70a473dfa1990f84e8ef39bd16bbe.jpg) 首先在忽略列表里面添加这样的语句 然后访问 [<img src="https://images.seebug.org/upload/201407/04193834d2145e8c00adb4ec08c70c90832c2101.jpg" alt="h2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/04193834d2145e8c00adb4ec08c70c90832c2101.jpg) 直接出数据。