POST 数据漏洞文件执行任意后缀文件保存' m8 n4 |" [. m, y0 N
漏洞文件/chart/php-ofc-library/ofc_upload_image.php/ X; T/ k0 h/ z% `/ b1 {& G5 F& o
$ U( G4 i; W* ~5 v
利用:
" s1 v! r$ t/ g2 l/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
4 d9 C" K. e/ G3 j; F# k: P) n
/ } [% Q2 ?. m" t6 o2 u6 m" nPost任意数据 ^8 P+ D) g8 Z* e. ?- ?
保存位置http://localhost/chart/tmp-upload-images/hfy.php" m- V; i( E8 z9 q7 h2 }( f+ F
1 m3 V8 w. E$ e ]+ M( V8 x: W* J# l: i9 v
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~
% v2 s5 K' U4 l/ Q$ W2 q- _. A9 W2 S0 R4 Q# i3 @3 E+ \$ ^$ F
<?php! b; d; I) W$ Z4 W
% L, Q) N4 O5 d G- p- P$ I8 Q
//
) U( o% z8 |0 t8 I2 d" \6 P// In Open Flash Chart -> save_image debug mode, you9 ~9 } I$ o, l; p
// will see the 'echo' text in a new window.
: N1 l' w& Z4 E+ _- o//7 `( u- `- t; V
4 o6 H- F% o/ w% g- L# y# J/*1 [ P! U c$ t; \
: V1 b& z4 I1 N4 b$ {" D7 o
print_r( $_GET );0 Q7 a7 G& P+ G# h" E2 M
print_r( $_POST );
) n% o+ z/ P# V0 u$ A8 P* m" Rprint_r( $_FILES );7 h: U+ W' L% |. Y
7 C- H% E& k* K$ n; H+ ]3 _6 h
print_r( $GLOBALS );' _2 ]( ~9 C2 B! j% @& x9 P8 L* j. O
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );9 S( w( ? `9 K' I7 k
1 w1 J- N6 ]; U& y1 ^0 f. I; k0 V, g*/
6 {4 u. [/ J9 h+ g// default path for the image to be stored //4 h4 o" U( }2 t" e' x! ~
$default_path = '../tmp-upload-images/';9 T$ D, O2 o" U9 g* x' h; I1 l
4 F, O8 Z! m1 B: I1 |; m
if (!file_exists($default_path)) mkdir($default_path, 0777, true);! Y# B1 E' b& L/ s" O3 v/ c% C0 O
, W6 {% x! J8 Y2 R' R& }/ ? _$ }
// full path to the saved image including filename //
% b* I1 K5 q0 K9 b# ~ w1 W$destination = $default_path . basename( $_GET[ 'name' ] );
! q5 x: I' T3 a( s8 F5 ^0 H f8 v! S- `, T: x5 e4 K4 N
echo 'Saving your image to: '. $destination;
9 E: D$ S/ X; X/ b& F% e0 y// print_r( $_POST );' g# |7 R2 d0 l6 p& Y! F+ U# ?" T
// print_r( $_SERVER );
4 U$ b% G, k1 H" k8 [2 a3 T// echo $HTTP_RAW_POST_DATA;
' |. o' D' M: ~* M' H* |& a1 i
2 v& j; s, r2 H, ^- k7 ?//
4 Q/ K- k0 n3 i% y* ^$ v// POST data is usually string data, but we are passing a RAW .png$ d% t) ~1 U s
// so PHP is a bit confused and $_POST is empty. But it has saved
( y! [* ?3 f- r: I6 Y3 u6 @6 O// the raw bits into $HTTP_RAW_POST_DATA6 ~( j3 d% r5 g- ?
//- V# Z$ ]% T7 e6 Q
( t: c' ~9 {6 H/ m/ C/ `- L+ h* m( B$jfh = fopen($destination, 'w') or die("can't open file");
: y+ K4 Z0 \9 L) Rfwrite($jfh, $HTTP_RAW_POST_DATA);
5 L# t r \7 C* z0 k* j/ q% _fclose($jfh);/ D" F# ?' Y3 @
# p: X. D4 e7 ^& `$ L//
3 n& {3 v" I+ I' y3 X7 S3 P# p// LOOK:
2 Y7 H/ ]# h0 s6 @- a//4 ^! Y! u4 e: `2 }* d2 w! I( c N, t
exit();. g1 T' K; Y8 B' d E' k) K. H
//7 z4 W. z2 V/ Y( y9 z
// PHP5:
' x# _6 T% I; F% G//
$ d! U2 \, }9 x- @5 ~3 ~! p1 U
+ M# E' f6 g# K
. y/ ^5 k* F# b$ { `- L, S; T// default path for the image to be stored //3 H6 A2 \; x- r- s( X8 Y% G+ P
$default_path = 'tmp-upload-images/';
/ G6 |; f1 _) s+ s+ Q8 S( i. J. u1 F9 }2 A
if (!file_exists($default_path)) mkdir($default_path, 0777, true);0 Z( ^6 Z& W% V" O1 n+ g2 X
9 {8 O/ p) H- c
// full path to the saved image including filename /// ]# k i6 ]( {! g$ U' Q7 O: \
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); 1 H" W# x) C5 ?6 T* }
6 J$ ?% ~3 L; N) z2 Y9 b
// move the image into the specified directory //6 X. o, j9 v% \ `7 H( H( K! n( y: n
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
6 e4 [- n9 q) S9 N. @ echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";8 F) a$ E) ], F3 N/ a6 ]' W3 H
} else {; y/ x, y: u% D8 b2 z4 M
echo "FILE UPLOAD FAILED";6 M! i5 s' `; f* I" x
}8 R/ N$ b8 N h9 u% y! L1 H* m
% J- E0 ~9 H' l
! z; O$ z/ z0 d$ J; ]8 Z J?>( B# A- Q# j* _1 m% X- b
1 ^7 q$ J: X7 o0 S: ]+ R
( }/ j+ _& m8 n9 u0 X; x
' W3 l u& u! _( F3 B: R4 m! M/ f$ @9 A' ~( {
[" G( P$ j! H# D. V* |
; l, n2 [. {5 u* b. ?修复方案: * c7 }; i9 l3 d
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞 4 k8 ^4 l/ `4 R- B% W4 ~
# [- i c8 g3 J1 @6 \4 O% L
7 a: g' N& @ H5 a j( f( @+ V; Q
$ \/ [! L& U. {; ]% K
0 f4 f' i1 K7 n( a |
发表于 2013-2-23 12:38:58
收藏
支持
反对