### 简要描述:
上 Hdwiki 官网发现更新日期一直都没变，
还以为一直都没更新，结果今天下载了一份下来看看，
发现之前发的洞竟然都补掉了。
——————————————————————————————————
ps. 更新程序之后应该也把发布日期更新一下，要不别人会一直以为没更新。
### 详细说明:
在control/doc.php中
```
function doedit(){
$this->_anti_copy();
if(isset($this->post['predoctitle'])){
$title = $this->post['predoctitle'];
$content=string::stripscript($_ENV['doc']->replace_danger_word($this->post['content']));
$this->view->assign("content",stripslashes($content));
$this->view->assign("title",$title);
//$this->view->display("previewdoc");
$_ENV['block']->view('previewdoc');
return;
}
```
（中间省略一部分……）
```
if(!$_ENV['doc']->check_eng_pcnt($doc['content']) || !$_ENV['doc']->check_extlink_pcnt($doc['content'])) {
if($this->setting['save_spam']) {
$doc['visible'] = 0;
} else {
$this->message($this->view->lang['spam_msg'],"BACK",0);
}
}
}
if( $this->setting['verify_doc'] == -1 && $this->user['newdocs'] != -1 && $increase_edition) { //如果开启首次编辑审核,且用户尚未通过审核,且编辑的是他从未编辑过的词条
$_ENV['user']->update_newdocs($this->user['uid'], +1); //则newdocs +1
}
$_ENV['doc']->edit_doc($doc,"1", $increase_edition);
$_ENV['doc']->unset_editlock($doc['did'],$this->user['uid']);
if($doc['visible']==1 && $_ENV['doc']->is_addcredit($doc['did'],$this->user['uid'])){
$_ENV['user']->add_credit($this->user['uid'],'doc-edit',$this->setting['credit_edit'],$this->setting['coin_edit']);
}
$_ENV['user']->update_field('edits',$this->user['edits']+1,$this->user['uid']);
$_ENV['doc']->del_autosave('',$this->user['uid'],$doc['did']);
```
$_ENV['doc']->edit_doc($doc,"1", $increase_edition)
跟进这个函数：
```
function edit_doc($doc,$edittype='1',$increase_edition=true) {
if($this->base->setting['base_createdoc']==1){
$edition = $doc;
}else{
$edition=$this->db->fetch_first("SELECT * FROM ".DB_TABLEPRE."doc WHERE did=".$doc['did']);
$edition=string::haddslashes($edition,1);
}
$edition_sql = $increase_edition ? 'edits=edits+1,editions=editions+1,' : '';
$this->db->query("UPDATE ".DB_TABLEPRE."doc SET
tag='".$doc['tags']."' ,summary='".$doc['summary']."' ,content='".$doc['content']."',lastedit='".$doc['time']."',
lasteditor='".$this->base->user['username']."',lasteditorid='".$this->base->user['uid']."',{$edition_sql}visible='".$doc['visible']."' WHERE did=".$doc['did']);
$words=string::hstrlen($edition['content']);
$images=util::getimagesnum($edition['content']);
if(!empty($this->base->setting['db_storage']) && $this->base->setting['db_storage']=='txt'){
$content=stripslashes($edition['content']);
$edition['content']='';
}
if($increase_edition == true) {
$this->db->query("INSERT INTO ".DB_TABLEPRE."edition
(did,author,authorid,time,ip,title,tag,summary,content,words,images,reason,`type`)
VALUES ('".$edition['did']."','".$this->base->user['username']."','".$this->base->user['uid']."','".$edition['lastedit']."','".$this->base->ip."','".$edition['title']."','".$edition['tags']."','".$edition['summary']."','".$edition['content']."','$words','$images','".$doc['reason']."','$edittype')");
$eid = $this->db->insert_id();
```
$edition 中的 title 等字段就这样被带入到了 INSERT 语句当中。
在control/edition.php
```
function doremove(){
$did=isset($this->post['did'])?$this->post['did']:$this->get[2];
$eids=isset($this->post['eid'])?$this->post['eid']:array($this->get[3]);
foreach($eids as $eid){
if(!is_numeric($eid)&&!is_numeric($did)){
$this->message($this->view->lang['parameterError'],'BACK',0);
}
}
$result=$_ENV['doc']->remove_edition($eids, $did);
```
remove_edition($eids, $did)
跟一下这个函数。（注意上面 doremove 中的校验用的是 &&，只有 eid 和 did 同时不是数字时才报错，并不能保证 $eids 里的每个值都是数字。）
```
function remove_edition($eid, $did=0){
if(is_array($eid)){
$eid=implode(",",$eid);
}
$sql="INSERT INTO ".DB_TABLEPRE."recycle (type,keyword,content,file,adminid,admin,dateline) values ";
$query=$this->db->query("SELECT * FROM ".DB_TABLEPRE."edition WHERE eid IN ($eid)");
$delete_count = array();
while($edition=$this->db->fetch_array($query)){
$delete_count[$edition['did']]=0;
$file=$this->get_edition_fileinfo($edition['eid'],'file');
$file=($edition['content'])?"N;":serialize(array("$file"));
$sql.="('edition','".$edition['title']."','".addslashes(serialize($edition))."','$file','".$this->base->user['uid']."','".$this->base->user['username']."','".$this->base->time."'),";
```
$query=$this->db->query("SELECT * FROM ".DB_TABLEPRE."edition WHERE eid IN ($eid)");
这里把 edition 记录查询出来（出库）。
$sql.="('edition','".$edition['title']."','".addslashes(serialize($edition))."','$file','".$this->base->user['uid']."','".$this->base->user['username']."','".$this->base->time."'),"
在这里像 addslashes(serialize($edition)) 这样的值都经过了 addslashes 转义，
但是 $edition['title'] 这个出库的标题没有再做转义。
然后被直接拼接到 INSERT 语句当中，造成了注入。这是一个二次注入：入库时做的转义在数据存储后就已经失效，出库后的值再拼接 SQL 时必须重新转义或改用参数化查询。
### 漏洞证明:
首先发布一个词条 ua',user(),user(),user(),user(),user())#
[<img src="https://images.seebug.org/upload/201407/04232347d2ae86839d8e671272a26420eed244f5.jpg" alt="h3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/04232347d2ae86839d8e671272a26420eed244f5.jpg)
然后编辑一下这个词条 就入库了。
[<img src="https://images.seebug.org/upload/201407/042325113f67165a9665e5c2c49d2bf9b3e46560.jpg" alt="h4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/042325113f67165a9665e5c2c49d2bf9b3e46560.jpg)
[<img src="https://images.seebug.org/upload/201407/042325519c4836fa52143787b0fe11780e5bf831.jpg" alt="h5.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/042325519c4836fa52143787b0fe11780e5bf831.jpg)