hdwiki sql注射漏洞

基本字段

漏洞编号:
SSV-94598
披露/发现时间:
2014-11-04
提交时间:
2014-11-04
漏洞等级:
漏洞类别:
其他类型
影响组件:
HDWiki
漏洞作者:
Noxxx
提交者:
Knownsec
CVE-ID:
补充
CNNVD-ID:
补充
CNVD-ID:
补充
ZoomEye Dork:
补充

来源

漏洞详情


简要描述:

如题:HDWiki 发布词条流程(control/doc.php 的 docreate)先对用户输入做 addslashes 转义,再用 string::substring 截断 title/summary,截断可使末尾只剩一个孤立的 `\`,它会吞掉 SQL 语句中紧随其后的单引号,使下一个字段(content)脱离引号进入 SQL 语法,从而造成 SQL 注入。

详细说明:

control/doc.php:docreate方法

……
流程条件省略
……
        }else{//点击发布词条
            if($this->setting['checkcode']!=3 && $this->setting['doc_verification_create_code'] && strtolower($this->post['code'])!=$_ENV['user']->get_code()){
                $this->message($this->view->lang['codeError'],'BACK',0);
            }

            if(@trim($this->post['content'])==''||@trim($this->post['title'])==''){
                $this->message($this->view->lang['contentIsNull'],'BACK',0);
            }
            //  #  调用doc类中的replace_danger_word方法但对我们post[‘title’]没啥影响。
                        //  #  接着string方法substring 截取81位字符刚好可以把我们的addslashes添加的\给截取掉。
                        //  #  我们只需要找到一处可控即可。接着往下看有没有调用doc的。
            $doc['title']=string::substring(string::stripscript($_ENV['doc']->replace_danger_word(trim($this->post['title']))),0,80); 

            $_doc=$this->db->fetch_by_field('doc','title',$doc['title']);
            if((bool)$_doc && !empty($_doc['content'])){
                $this->message($this->view->lang['createDocTip5'],'BACK',0);
            }
// # category 词条分类
            if(!(bool)$_ENV['category']->vilid_category($this->post['category'])){ 
                $this->message($this->view->lang['categoryNotExist'],'BACK',0);
            }

            if((bool)$this->post['summary']){
                $doc['summary']=trim(strip_tags($_ENV['doc']->replace_danger_word($this->post['summary'])));
            }
            $doc['did']=intval($this->post['did']);
            $doc['letter']=string::getfirstletter($this->post['title']);
            $doc['category']=$this->post['category'];
……………………

            $doc['summary'] = (bool)$doc['summary']?$doc['summary']:$doc['content'];
                          // #同上 有一处可控字符
                         // #继续向下看。
            $doc['summary'] = trim(string::convercharacter(string::substring(strip_tags($doc['summary']),0,100)));//去除换行符截断字符串

            $doc['summary'] = htmlspecialchars(string::stripscript(strip_tags($doc['summary'])));//去除特殊字符 去除javascript代码
……………………
            if($doc['visible'] == 1){
                $_ENV['user']->add_credit($this->user['uid'],'doc-create',$this->setting['credit_create'],$this->setting['coin_create']);
            }
                    // #调用 doc类add_doc方法。
                   //  doc数组被传进去了我们进去看看。
            $did=$_ENV['doc']->add_doc($doc);
Model/doc.class.php 的 add_doc 方法(上面组装好的 $doc 数组原样传入,方法内部直接字符串拼接 SQL,不做任何转义):
    /**
     * Persist a wiki entry (the $doc array assembled by control/doc.php::docreate)
     * and, when versioning is enabled, its first edition row.
     *
     * Every query in this method is built by string concatenation. The method
     * performs no escaping of its own and relies entirely on the caller having
     * escaped every string field of $doc. As the advisory above shows, the
     * caller truncates title/summary with string::substring AFTER escaping, so
     * a value can end in a lone backslash; that backslash swallows the closing
     * quote of its SQL literal and the following field (content) is parsed as
     * raw SQL.
     *
     * @param array $doc  keys read here: did, letter, title, tags, summary,
     *                    content, time, visible, category, words, images.
     *                    NOTE(review): the visible caller fragment only sets
     *                    some of these (title, summary, did, letter, category);
     *                    where tags/words/images/time/visible come from is not
     *                    shown -- confirm against the full docreate method.
     * @return int        the document id: the supplied did on REPLACE, or the
     *                    new auto-increment id on INSERT.
     */
    function add_doc($doc) {
        // Versioning flag; also written into the doc row's `editions` column.
        $editions = ($this->base->setting['base_createdoc']==1)?1:0;
        $doc['title'] = trim($doc['title']);
        if ($doc['did']){
            // Existing id: REPLACE the whole row. did and time are interpolated
            // without quotes; the caller applies intval() to did, but nothing
            // visible in this method or the caller excerpt constrains time.
            $this->db->query("REPLACE INTO ".DB_TABLEPRE."doc
            (did,letter,title,tag ,summary ,content,author,authorid,time,lastedit,lasteditor,lasteditorid,visible,editions)
            VALUES (".$doc['did'].",'".$doc['letter']."','".$doc['title']."','".$doc['tags']."','".$doc['summary']."','".$doc['content']."',
            '".$this->base->user['username']."','".$this->base->user['uid']."',
            ".$doc['time'].",".$doc['time'].",'".$this->base->user['username']."','".$this->base->user['uid']."','".$doc['visible']."',$editions)");
            $did = $doc['did'];
            // Discard the autosave draft for this entry and user.
            $this->db->query("DELETE FROM ".DB_TABLEPRE."autosave WHERE did=".$did." AND uid=".$this->base->user['uid']);
        }else{
            // New entry: INSERT. This is the injection point described in the
            // advisory (original author's note: "all our controllable values
            // land here; the truncation leaves a trailing '\' that breaks the
            // following single quote, so we can inject -- build the exploit").
            // The SQL log below shows the effect: summary ends in '\', its
            // closing quote is escaped, and the content value (TEST) becomes
            // bare SQL. The title field is subject to the same truncation.
            // NOTE(review): the fix belongs at query-build time (escape or
            // parameterise each value here) or in the caller (truncate before
            // escaping, never after) -- not in the exploit author's scope.
            $this->db->query("INSERT INTO ".DB_TABLEPRE."doc
            (letter,title,tag ,summary ,content,author,authorid,time,lastedit,lasteditor,lasteditorid,visible,editions)
            VALUES ('".$doc['letter']."','".$doc['title']."','".$doc['tags']."','".$doc['summary']."','".$doc['content']."',
            '".$this->base->user['username']."','".$this->base->user['uid']."',
            ".$doc['time'].",".$doc['time'].",'".$this->base->user['username']."','".$this->base->user['uid']."','".$doc['visible']."',$editions)");
            $did = $this->db->insert_id();
            // Attach the new entry to its category, then discard the autosave draft.
            $this->add_doc_category($did, $doc['category']);
            $this->db->query("DELETE FROM ".DB_TABLEPRE."autosave WHERE did=".$did." AND uid=".$this->base->user['uid']);
        }
        if($this->base->setting['base_createdoc']==1){
            // Edition history row. The same title/tags/summary/content strings
            // are concatenated unescaped a second time, so any fix applied to
            // the doc inserts above must cover this statement as well.
            $this->db->query("INSERT INTO ".DB_TABLEPRE."edition
            (did,author,authorid,time,ip,title,tag,summary,content,words,images )
            VALUES ($did,'".$this->base->user['username']."','".$this->base->user['uid']."',
            '".$doc['time']."','".$this->base->ip."','".$doc['title']."','".$doc['tags']."','".$doc['summary']."','".$doc['content']."','".$doc['words']."','".$doc['images']."')");
        }
        return $did;
    }
SQL 日志(summary 字段末尾残留的 `\` 把其后的单引号变成了转义字符,导致 content 位置的 `TEST` 脱离引号、直接进入 SQL 语法):
INSERT INTO wiki_doc (letter,title,tag ,summary ,content,author,authorid,time,lastedit,lasteditor,lasteditorid,visible,editions) VALUES ('t','testp','','aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabaaaaaddwwwwwwaaaadddddwww\','TEST', 'cccasc','2', 1414842300,1414842300,'cccasc','2','1',0)

漏洞证明:

图片1.png

注意:拼接出的 SQL 语句内部带有换行,在部分 MySQL 版本上用 `/*` 注释掉语句剩余部分会失败(作者在 MySQL 5.1 上观察到该现象),构造 payload 时不能依赖 `/*` 截断语句。


PoC

暂无 PoC

参考链接

解决方案

临时解决方案

暂无官方临时解决方案。可行的临时缓解:在 control/doc.php 的 docreate 中,把 string::substring 的截断移到转义之前执行,或在截断之后去掉字符串结尾孤立的 `\`(即结尾为奇数个连续反斜杠的情况),避免残留的 `\` 吞掉 SQL 单引号;同时对 add_doc 中未加引号直接拼接的 did、time 显式 intval()。

官方解决方案

暂无官方解决方案

防护方案

暂无官方防护方案。根本修复:Model/doc.class.php 的 add_doc 不应依赖调用方已经转义,而应在拼接查询时对每个字符串字段做数据库层转义(或改用预处理语句/参数绑定),对 did、time、visible、authorid 等数值字段显式转为整数;edition 表的 INSERT 使用同一批字段,需一并修复。

