POST 数据漏洞文件执行任意后缀文件保存
! D2 K" |3 u% n, h, }+ [, m 漏洞文件/chart/php-ofc-library/ofc_upload_image.php/ G% C6 E% D* Y5 t6 n
2 y* x2 B6 K3 O# w9 H; {利用:
" q& w. d+ t3 F/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名" W( W5 |" J6 G% |& F
( Y) M, X! W. c$ }- {$ B2 L1 V$ F3 CPost任意数据3 F) O6 I2 V1 a+ [8 ~( `! F9 E3 ?; ~
保存位置http://localhost/chart/tmp-upload-images/hfy.php
6 a; ^# k& o4 i v, a3 l3 t1 V* ?* `- ]" ^, Q7 `: N. F a
% d7 R3 e( U5 A, A0 {* E+ C最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~
4 z7 j1 _7 m$ @8 r! w
3 M! x. c! L, @& o<?php5 s7 Z1 A3 |! u( ^. B
0 J/ i F* x( u
//' w5 a+ `9 f$ v
// In Open Flash Chart -> save_image debug mode, you- H4 g# y2 H% ?
// will see the 'echo' text in a new window.) U5 x6 o5 M" t8 H) \/ a
//8 B# Z4 V& d; p; Y
, }% a; m7 @4 ]) o
/*# ?. K& P/ U! n/ j6 d* D
1 n4 H6 |; {9 L9 g0 F0 u$ Uprint_r( $_GET );+ h6 @9 ~7 f, i L' ^6 [
print_r( $_POST );
6 R8 S3 ]( A6 \* O( D3 b1 ]: Xprint_r( $_FILES );
! _ v v: S% m: ~' c# Q& O- n( J' C" q5 A o
print_r( $GLOBALS );
+ z) t }* U9 j: U9 o( R6 Wprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
9 V* u/ S2 K9 @3 r' `3 p- r; M% a! m
' c9 r( u0 @, T% f3 ?*/
. z6 Z/ r- e' d' A4 t8 X// default path for the image to be stored //
9 v9 d9 e4 `7 s. H$default_path = '../tmp-upload-images/';# `$ u( r1 S5 @& a* z( H$ z
8 q1 L2 ^0 U, G. C0 U
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
; }1 G2 J. J4 v c
" Z ?9 z0 Y: @; ]7 h// full path to the saved image including filename //
3 V3 M1 h' M. \& @) h7 d. x4 D$ z$destination = $default_path . basename( $_GET[ 'name' ] ); 6 N9 S( A9 N M( n9 x& g
7 f% b9 V% Y3 I
echo 'Saving your image to: '. $destination;
: d6 A# y9 w- k* ?5 i! e" a3 `// print_r( $_POST );
+ L9 d- H, j. J$ H8 j0 ^* L// print_r( $_SERVER );
# A- J1 R3 T5 p0 {/ v+ u4 g$ k @// echo $HTTP_RAW_POST_DATA;
, L, D! g. C' _2 \0 B$ C8 C& v e9 ]3 k9 ~1 u/ C
//* g1 Y6 g9 _+ _# B9 U
// POST data is usually string data, but we are passing a RAW .png( S' A3 u/ a) Q# r! R
// so PHP is a bit confused and $_POST is empty. But it has saved, R6 z" f. U/ ~% T2 f4 M
// the raw bits into $HTTP_RAW_POST_DATA; h: |. L- E" R, B( e
//
# ^6 x$ N9 R5 M5 W* M; b0 U8 o% W) ?% Y
$jfh = fopen($destination, 'w') or die("can't open file");
$ V/ f! p* t9 p$ k1 ~7 y/ R( nfwrite($jfh, $HTTP_RAW_POST_DATA);: D. U6 j% J% q9 u; H6 |
fclose($jfh);
8 e* s0 }) ] ]) Z
- ^) \3 P' |, G+ Q# e//
# n" q$ N/ I- i. Z5 i! ^1 ]: |2 f2 A// LOOK:
$ P1 M4 U- z% H8 c9 G. i//) z" L( b3 x! t( U+ L7 c
exit();
% B# k: B c5 x//! W) P3 I @! @0 ^7 [
// PHP5:2 f* k( } }% j+ A( O
//) v) x4 h q6 i" w; O* P1 Z
' Y4 d7 s! `: L p' P `! _5 r# c9 f+ V. \. I7 b5 O1 V
// default path for the image to be stored //8 B! k& F$ @( t- z
$default_path = 'tmp-upload-images/';
* ?. ?- l- x( a& y. m( g. {% y' m& C
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
+ @6 y6 n! s% [, g# \5 N. h% y2 p- t0 {& D! Z4 q. n
// full path to the saved image including filename //2 d$ h* ~0 e4 A4 i* A
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); 2 G8 k& B7 g0 |% d& Q& g F" i% ?
]% u! Q" w" b: k' o4 ?9 {
// move the image into the specified directory //
! ^: a0 ^3 `: G+ o. ^8 v5 Xif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
' p% [" X+ m) d9 | echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
7 w% N9 F4 N6 Z' r# o& {} else {8 a* g0 G3 l- u5 o6 @
echo "FILE UPLOAD FAILED";% ?5 i% m. i5 X" ?4 H5 j, |
}
2 {" G- s: W! m% b
0 D2 i. G7 q% g8 e0 O& [5 ?. `, \$ C5 N2 r6 D/ p# |% v6 H
?>5 l, a# e$ E. M' A. |* E
) n$ Y3 |" Z- a+ F0 r
, d2 ]9 `6 k7 B3 |9 x6 e- |
# _& w! L' r* k( }* \; C- q* M7 f/ G* O8 H
0 x/ p M7 e4 e& l+ F4 ^+ I3 F
5 Y$ t% _: b! U) o) Z/ f( n5 M修复方案:
6 S2 q/ h/ d3 u9 i这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞 ! Q6 \, z+ j/ S
/ Y* A6 n( d7 ]) a) T
" C* X, o; U/ i) z5 u
7 k$ B3 F, C0 Q
* U2 {* l: i0 w5 z, {" s) g6 U
|
发表于 2013-2-23 12:38:58
收藏
支持
反对