当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-067459

漏洞标题:Hdwiki 二次注入第二弹

相关厂商:互动在线(北京)科技有限公司

漏洞作者: ′雨。

提交时间:2014-07-11 12:12

修复时间:2014-10-06 12:14

公开时间:2014-10-06 12:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-07-11: 细节已通知厂商并且等待厂商处理中
2014-07-16: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-09-09: 细节向核心白帽子及相关领域专家公开
2014-09-19: 细节向普通白帽子公开
2014-09-29: 细节向实习白帽子公开
2014-10-06: 细节向公众公开

简要描述:

上Hdwiki官网 发现更新日期一直都没变。
还以为一直都没更新了, 结果今天下载一个下来看看。
发现之前发的洞竟然都补掉了。
——————————————————————————————————
ps. 更新程序了应该还是把日期更新了一下 要不别人会一直以为没更新的。

详细说明:

在control/doc.php中

function doedit(){
$this->_anti_copy();
if(isset($this->post['predoctitle'])){
$title = $this->post['predoctitle'];
$content=string::stripscript($_ENV['doc']->replace_danger_word($this->post['content']));
$this->view->assign("content",stripslashes($content));
$this->view->assign("title",$title);
//$this->view->display("previewdoc");
$_ENV['block']->view('previewdoc');
return;
}


省略一点.......

if(!$_ENV['doc']->check_eng_pcnt($doc['content']) || !$_ENV['doc']->check_extlink_pcnt($doc['content'])) {
if($this->setting['save_spam']) {
$doc['visible'] = 0;
} else {
$this->message($this->view->lang['spam_msg'],"BACK",0);
}
}
}
if( $this->setting['verify_doc'] == -1 && $this->user['newdocs'] != -1 && $increase_edition) { //如果开启首次编辑审核,且用户尚未通过审核,且编辑的是他从未编辑过的词条
$_ENV['user']->update_newdocs($this->user['uid'], +1); //则newdocs +1
}
$_ENV['doc']->edit_doc($doc,"1", $increase_edition);
$_ENV['doc']->unset_editlock($doc['did'],$this->user['uid']);
if($doc['visible']==1 && $_ENV['doc']->is_addcredit($doc['did'],$this->user['uid'])){
$_ENV['user']->add_credit($this->user['uid'],'doc-edit',$this->setting['credit_edit'],$this->setting['coin_edit']);
}
$_ENV['user']->update_field('edits',$this->user['edits']+1,$this->user['uid']);
$_ENV['doc']->del_autosave('',$this->user['uid'],$doc['did']);


$_ENV['doc']->edit_doc($doc,"1", $increase_edition)
跟这函数

function edit_doc($doc,$edittype='1',$increase_edition=true) {
if($this->base->setting['base_createdoc']==1){
$edition = $doc;
}else{
$edition=$this->db->fetch_first("SELECT * FROM ".DB_TABLEPRE."doc WHERE did=".$doc['did']);
$edition=string::haddslashes($edition,1);
}
$edition_sql = $increase_edition ? 'edits=edits+1,editions=editions+1,' : '';
$this->db->query("UPDATE ".DB_TABLEPRE."doc SET
tag='".$doc['tags']."' ,summary='".$doc['summary']."' ,content='".$doc['content']."',lastedit='".$doc['time']."',
lasteditor='".$this->base->user['username']."',lasteditorid='".$this->base->user['uid']."',{$edition_sql}visible='".$doc['visible']."' WHERE did=".$doc['did']);

$words=string::hstrlen($edition['content']);
$images=util::getimagesnum($edition['content']);
if(!empty($this->base->setting['db_storage']) && $this->base->setting['db_storage']=='txt'){
$content=stripslashes($edition['content']);
$edition['content']='';
}

if($increase_edition == true) {
$this->db->query("INSERT INTO ".DB_TABLEPRE."edition
(did,author,authorid,time,ip,title,tag,summary,content,words,images,reason,`type`)
VALUES ('".$edition['did']."','".$this->base->user['username']."','".$this->base->user['uid']."','".$edition['lastedit']."','".$this->base->ip."','".$edition['title']."','".$edition['tags']."','".$edition['summary']."','".$edition['content']."','$words','$images','".$doc['reason']."','$edittype')");
$eid = $this->db->insert_id();


带入到了insert当中
在control/edition.php

function doremove(){
$did=isset($this->post['did'])?$this->post['did']:$this->get[2];
$eids=isset($this->post['eid'])?$this->post['eid']:array($this->get[3]);
foreach($eids as $eid){
if(!is_numeric($eid)&&!is_numeric($did)){
$this->message($this->view->lang['parameterError'],'BACK',0);
}
}

$result=$_ENV['doc']->remove_edition($eids, $did);


remove_edition($eids, $did)
跟一下这函数。

function remove_edition($eid, $did=0){
if(is_array($eid)){
$eid=implode(",",$eid);
}

$sql="INSERT INTO ".DB_TABLEPRE."recycle (type,keyword,content,file,adminid,admin,dateline) values ";
$query=$this->db->query("SELECT * FROM ".DB_TABLEPRE."edition WHERE eid IN ($eid)");
$delete_count = array();
while($edition=$this->db->fetch_array($query)){
$delete_count[$edition['did']]=0;
$file=$this->get_edition_fileinfo($edition['eid'],'file');
$file=($edition['content'])?"N;":serialize(array("$file"));
$sql.="('edition','".$edition['title']."','".addslashes(serialize($edition))."','$file','".$this->base->user['uid']."','".$this->base->user['username']."','".$this->base->time."'),";


$query=$this->db->query("SELECT * FROM ".DB_TABLEPRE."edition WHERE eid IN ($eid)");
这里查询出来 出库。
$sql.="('edition','".$edition['title']."','".addslashes(serialize($edition))."','$file','".$this->base->user['uid']."','".$this->base->user['username']."','".$this->base->time."'),"
在这里addslashes(serialize($edition)像这些的addslashes都转义了
但是 $edition['title'] 这里出库的标题没过滤。
然后带入到了insert当中, 造成了注入。

漏洞证明:

首先发布一个词条 ua',user(),user(),user(),user(),user())#

h3.jpg


然后编辑一下这个词条 就入库了。

h4.jpg


h5.jpg


修复方案:

addslashes($edition['title'])

版权声明:转载请注明来源 ′雨。@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-10-06 12:14

厂商回复:

最新状态:

暂无


漏洞评价:

评论

  1. 2014-07-11 12:57 | 索马里的海贼 ( 普通白帽子 | Rank:254 漏洞数:24 | http://tieba.baidu.com/f?kw=WOW)

    刚说完。。。。

  2. 2014-07-11 17:21 | Mody ( 普通白帽子 | Rank:110 漏洞数:27 | "><img src=x onerror=alert(1);> <img s...)

    你好碉

  3. 2015-01-22 13:37 | 小菜虫 ( 路人 | Rank:24 漏洞数:5 )

    雨牛,edition-remove一般账户不是不能访问的吗