POST 数据漏洞文件执行任意后缀文件保存* I' x7 K! q' d1 @# S4 }. L
漏洞文件/chart/php-ofc-library/ofc_upload_image.php9 w( B* o# d# I% v, a
" v3 H d! g2 c% q
利用:
4 l; J. K1 P- [: \; \8 G% k& x6 r/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名% N4 Z% T7 l O1 g& H
( _; m7 J0 p: v: l4 b, w
Post任意数据" q: M! g6 O) ~4 x% I, W6 }: M
保存位置http://localhost/chart/tmp-upload-images/hfy.php" i0 ^7 O6 q6 `, f7 v& |# ]
) w6 h2 X/ G9 [: |+ A& Y% l
6 [ \& A: B1 ~: {- R6 l# v1 t最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~1 w( x" R9 i6 r0 C$ \) v
' U& Q7 @4 Z' e9 B# _
<?php) s5 p4 D8 J2 f, ~2 ~# j
) ?* u: H" f4 _( Y' e; k& r2 ^//" B1 |$ d+ f$ ?9 H0 ]. V- B
// In Open Flash Chart -> save_image debug mode, you
& `2 [( a* h: x/ Z// will see the 'echo' text in a new window.2 K6 h& F# y- R: N; B- C+ Z
//9 b9 a& J! W7 ~8 z1 X0 s0 a
& M8 x4 d4 Z8 g$ v
/*8 v" |: m- T* p9 }
1 p+ v$ _/ H% ~1 D
print_r( $_GET );# N- q# I4 d3 }1 G; g
print_r( $_POST );
% ]* L+ }! K t$ D6 j" m# a3 f) Eprint_r( $_FILES );
( d( o. ?4 g" f3 n- o
% Z$ O! V6 D* o& j% xprint_r( $GLOBALS );7 q5 I& Z1 b: w, \% h+ W
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );! m0 _ z4 t* n* t: }5 E! r
1 I9 |3 s2 j* k* h*/) V1 f* o+ j( y1 i! t5 M
// default path for the image to be stored //8 c b" w6 ]8 K2 h' ~5 j3 G
$default_path = '../tmp-upload-images/';9 L0 c2 {+ _# X3 x( B7 D
: a1 {/ I3 D2 X5 nif (!file_exists($default_path)) mkdir($default_path, 0777, true);
# [( o2 h$ H3 z- V
5 N$ [+ ]7 f5 I3 ?8 U// full path to the saved image including filename //: V7 k7 Y1 o- u% |( c1 d9 A
$destination = $default_path . basename( $_GET[ 'name' ] );
( D! W: L& v$ c. w
' m6 m) c3 [1 ~$ cecho 'Saving your image to: '. $destination;
! w) Z) N# M- P L// print_r( $_POST );
3 {! x* v7 @0 Y4 L* D1 [- E" x3 h// print_r( $_SERVER );
' ]2 M/ H3 J7 X& A ^// echo $HTTP_RAW_POST_DATA;6 w% V, T4 ~) B; H5 X4 I8 V
) Z+ V6 G2 K# `& M/ T9 R8 u
//2 {7 N S, C% V N
// POST data is usually string data, but we are passing a RAW .png$ x d: i4 q9 G9 @" q2 U
// so PHP is a bit confused and $_POST is empty. But it has saved
+ L2 B8 f; e1 J' x% c% x( _3 T// the raw bits into $HTTP_RAW_POST_DATA4 ?/ ?" R' _& D
//2 V; h" S, G1 @- ?
9 N5 N/ f9 w0 V# Z. O7 ]9 [/ b
$jfh = fopen($destination, 'w') or die("can't open file");
) i% O* d$ W1 j t% qfwrite($jfh, $HTTP_RAW_POST_DATA);2 \4 T3 D+ X e; A' D
fclose($jfh);; L9 J+ n" i# s5 y/ a% c1 ]/ Q
! p# F! B' Q# r" B& h1 W//) b! A4 N9 K+ N+ Z% w6 [, O
// LOOK:. z: \% T! Z+ P% D/ ^
//
( Z i- X2 b) R `/ P' |1 ^& eexit();
) M3 V4 N! i, m( b6 _' w8 z//2 V4 P+ k7 F* i3 ]' ~& @
// PHP5:* b; ?& {! h! i |
/// g) v6 ]. R' a7 g
2 J7 E2 C0 k7 ?/ {& v3 h
3 w: T5 R: K# A2 x// default path for the image to be stored //
Q5 |4 h n8 B- R+ D( r$default_path = 'tmp-upload-images/';" {; {4 @3 {# ~
1 F% [8 @+ n+ m
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
1 ^: Q: a( q& ^ E# ~7 v2 J1 g2 M' U& C0 w- S, I
// full path to the saved image including filename //4 ~2 B& p5 n' B
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
`) {$ F& j9 M* C% r6 @0 a. }( u. C- i2 ?" {9 A. _
// move the image into the specified directory //
5 m1 M) e3 |! T) f+ xif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {5 \& o9 z: B. o
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";8 s- y; y/ L+ K) A% Z! ^; A _" k1 G
} else {
" ~1 ? ]6 p' Y* R% N; G echo "FILE UPLOAD FAILED";
3 }% s* u- L1 H( H5 s}# d& L% i% W5 l0 ]# |0 F
3 L7 ~$ [2 T6 i( J0 F( O" C( u5 \
% b1 E; O" K- }6 F6 M- Y( L) a?>
& G: |( Q) R, Q0 F/ R) V M0 x/ m$ B5 ]; W- E" Y x
0 l, H; l$ B6 H6 W. g2 P, m |% d" E0 c# ]6 K8 y
) @ B4 I! z, I1 j/ k( W a- i- p- W' @" O) o3 j" ~' T O8 @
2 F2 P, h% s9 e- S修复方案: 9 j1 C- d: `' `3 K4 }. h, K, W- w
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
$ J2 Y1 d; k+ j- A! C' [8 Z
' i' _( a. g$ {' p7 d6 M6 D4 Q1 K3 q6 Q1 b" g C' @/ @
* E1 l: r9 ^- g8 W/ D$ j4 o" h/ {
" G" ?. s7 h9 N/ I |
发表于 2013-2-23 12:38:58
收藏
支持
反对