POST 数据漏洞文件执行任意后缀文件保存
$ O8 N9 `9 q1 t# O. e, r0 Z 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
" ]( p4 O' J5 c: u) c" Q
$ @' A1 F4 S$ U; c/ g* D9 |利用:
, @1 @2 T6 v0 ?1 r @/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名* B) l* l( r( y# b2 |
/ L# Z$ N0 {( {, q
Post任意数据
+ X8 R4 S" P4 n0 r: W5 `. B8 P保存位置http://localhost/chart/tmp-upload-images/hfy.php, a% ]2 \* a/ B# ]
" m' ? {/ J) q
5 h' a. W6 @5 U最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~# h2 Z# A) ]/ F+ _* L
% N! ~8 H J! T
<?php4 g8 i, {. r9 Y* W" c( K2 H
, { w+ H0 R+ h _$ [+ w2 \( m
//
, y+ Y9 M' F4 R, H$ H+ o+ _// In Open Flash Chart -> save_image debug mode, you
* C* C* p, u7 e \7 h% } K// will see the 'echo' text in a new window.( A6 P& ^* W9 l( }" v; d7 R& R/ o# ^9 w
//: L' u- }* g! T
0 D$ E0 {7 z" `0 H# s
/*
! B2 y' g( }9 s( e8 Q b- N0 b& P; s% K6 j6 V, L+ n" Q' o6 C
print_r( $_GET );! k" b& ^1 Q; c5 R5 \; s/ p1 ^
print_r( $_POST );! e$ M l. }; |+ @ S
print_r( $_FILES );
5 N' Q3 k/ G7 ]: ~) R1 \) j, r0 q4 Z' ^
print_r( $GLOBALS );
# p3 K3 G0 K" p9 s hprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
0 I: f( w" H D8 {. T( L3 y; k6 Q% [2 h
*/- j% B* i5 i7 I9 d3 m
// default path for the image to be stored //1 F( A4 E B/ Z3 X7 \' x7 P
$default_path = '../tmp-upload-images/';; ]- I) D4 W% W3 y
+ \- ~& v# d3 _, t7 }if (!file_exists($default_path)) mkdir($default_path, 0777, true);
5 z5 ]( }* v+ t1 ^+ n
3 c: t5 _7 D' m7 L// full path to the saved image including filename //
S* B I) V" W/ j3 Y& M$destination = $default_path . basename( $_GET[ 'name' ] ); ) M, O3 ~% i8 t( b/ N: v; z; h0 m
" C8 R- X, d3 u
echo 'Saving your image to: '. $destination;
; q0 p2 h! T8 k# |* N- F// print_r( $_POST ); e: u/ ?- u# m: s; W: r" p, }6 t6 M
// print_r( $_SERVER );
# z% y0 M% w Y! h" \. B. s& V// echo $HTTP_RAW_POST_DATA; _0 v$ u4 s& x: j
2 I6 g9 F- ^9 ~# j m; k: G: E
//
/ z: ?; [+ Y& o// POST data is usually string data, but we are passing a RAW .png
' r1 B1 I$ J/ w+ e& q* ~// so PHP is a bit confused and $_POST is empty. But it has saved
* D- m( ~2 s2 Q: R" ^# K// the raw bits into $HTTP_RAW_POST_DATA
% l) d8 m1 B5 Y' J* i//5 [8 ?6 T# P, U1 h2 y7 U' @
0 A" u: `' c) d5 @! P4 x
$jfh = fopen($destination, 'w') or die("can't open file");( m" R- n5 J( G. s, c
fwrite($jfh, $HTTP_RAW_POST_DATA);6 x3 }4 u& p- N8 d! N/ t( [4 @# x
fclose($jfh);
2 G, d: t# Z% i: u% u4 |1 n
0 ^, t" W* s3 }, F//
3 n; ?5 [9 R% I" A1 @. z! v0 h// LOOK:$ e$ `8 @. s4 t- C+ P& R) I
//) J. {' E( @" v7 O% _
exit();# f! u5 n W/ a4 c8 T( R3 W: S
//
; c, ?1 g3 ]" ] R$ U2 V// PHP5:( B4 C) ~: P0 N2 Q
//
6 ` A) M/ C6 d7 n* z& i
( B' t% Z* e0 b _- w8 T. A2 N2 d4 b4 e+ v, \1 `9 l V2 E
// default path for the image to be stored // j# T: b3 G# M/ \# b
$default_path = 'tmp-upload-images/';
8 V3 Y" Q) c) b. a. @
3 U( \% q* I' S) z8 }7 q( l+ Iif (!file_exists($default_path)) mkdir($default_path, 0777, true);
5 O# S) U. @! i. V' I, D+ ?% e! w8 W* j: k3 V- L# q) r
// full path to the saved image including filename //: f6 `% C/ o1 E* {
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
/ r+ H/ \( ]# D: u% U# t3 h# Q% M! S6 s8 t$ u, K7 \1 {
// move the image into the specified directory //5 ]7 L+ A/ e: F) M8 L1 K
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {- W, ]. C" G" P+ S8 J5 u4 ?0 i
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";# _! h( j; t& G& o. v1 U
} else {/ [. x' F' m+ I, S3 v: w& d; W
echo "FILE UPLOAD FAILED";1 j! ~6 @! t, R9 O: r
}
9 r6 Z5 k4 X9 V$ S6 o- m9 \9 {; g+ U1 X# \4 `) j3 o
8 q* T* T. ` h. e- Q
?>( k% t" {* |) u) K: M. S. a
8 ^& i! c) b" f5 ?. T
4 a0 a5 ^3 m0 B* R+ A: w" L
0 Z3 J+ s1 B7 y+ b8 I* S& j5 B- F
6 b' B- s' X: z0 l9 I' ?3 V2 U4 G5 ~( L4 W1 m! j4 d
% G+ a2 t+ d0 p. O- L9 _修复方案:
8 \5 \' s9 Q$ ^! Q( W8 Y* g" p这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
6 C4 o( E8 k5 ?( W/ [: q* m. z2 g3 g8 c2 a+ }5 _7 Z
9 w ~3 X7 F4 v7 d9 ]7 a
; j5 f: }9 y8 s" e" l4 p/ Y1 q
' r- T# b. ?0 l3 N u. m |