POST 数据漏洞文件执行任意后缀文件保存
, }# H; }7 X$ R8 j) h l 漏洞文件/chart/php-ofc-library/ofc_upload_image.php4 H" H/ ]7 [. {/ _( o: n# o1 s
" q- F! k1 c$ `9 D8 j$ z9 U利用:
' c5 F# z+ G/ o0 ~2 S- C5 {/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名0 ?; d3 T" s2 b( R8 F1 F$ x# n
* {' \0 b6 z f8 m$ ePost任意数据
) z6 i7 I* J9 z+ t3 n0 _ Y保存位置http://localhost/chart/tmp-upload-images/hfy.php; b6 k0 J7 d- c- G- h* ?
" H- h" }( M8 q0 h
! o# s8 S" s" @; {+ n最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~5 Y+ V S4 y5 M+ {4 {+ Z
8 g+ t4 U5 v2 ]+ j1 A9 E
<?php7 m! h( W* U( q; {* V8 J" z- k
0 F3 n7 s) W T4 v# l% M X
//: _% y2 Y0 O s+ @+ G* K# O& U
// In Open Flash Chart -> save_image debug mode, you' B9 F2 a! n' x$ i
// will see the 'echo' text in a new window.# J5 G ^) t+ w& _- K' X
//# |$ x) f0 c8 A
' Z! h" _9 {% c1 j; s. i/*3 I* G9 a; K" G
2 x& V! L0 v, c) Fprint_r( $_GET );
* T5 M' U3 k* h5 T( d/ Q" v: s1 Jprint_r( $_POST );
) J5 Q, {. ^7 Y$ u& C7 o$ W) gprint_r( $_FILES );+ D8 H5 n( \8 }8 U; T6 \; A. n7 u; O
% A9 |" j* j1 V: l
print_r( $GLOBALS );9 I+ w) X5 h' l& ?' g8 i" s# L
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
$ L: C7 Q! ^. e9 k
8 [. h. `. a4 Y4 i*/
, c9 q8 J$ m& ^: f' c' A9 R// default path for the image to be stored //. P/ T, j9 q- ?. F m) B, K) ^" v
$default_path = '../tmp-upload-images/';# c; ~( Y! ]0 h5 t
) c& e V( O6 F% D. {/ ]& Eif (!file_exists($default_path)) mkdir($default_path, 0777, true);& q- _& @2 ~" G2 n0 o3 X6 A) y
% e; m7 w* @+ B# g3 O
// full path to the saved image including filename //; c3 ]. J4 n& P$ D, C; o
$destination = $default_path . basename( $_GET[ 'name' ] );
: `4 V: v z: ?8 D' Y
8 G5 p( A; I6 zecho 'Saving your image to: '. $destination;5 Q9 Z: Y- B* R7 f1 H
// print_r( $_POST );
9 c R M P. p% Z// print_r( $_SERVER );
& q1 M- X5 H7 a7 n5 Z( g* ]/ y/ w// echo $HTTP_RAW_POST_DATA;
' v k9 V Z( m* l; u4 L( J/ V7 s$ E8 U8 L8 X& v8 S1 }
//
( m# E5 [( Z& ^5 R7 V9 j// POST data is usually string data, but we are passing a RAW .png
! X7 m( ]- H' h, D4 N// so PHP is a bit confused and $_POST is empty. But it has saved
* G6 V, E. w8 @- M0 t, k% K// the raw bits into $HTTP_RAW_POST_DATA
0 s7 ?2 V0 W+ D; ~" G* W" B//
' k& t' q( }+ o$ t+ R: R1 A/ W: {
$jfh = fopen($destination, 'w') or die("can't open file");
. K4 a! T, t8 o" \fwrite($jfh, $HTTP_RAW_POST_DATA);
. E9 g. u" d) ~9 @4 o; Wfclose($jfh);" W+ j' N" u6 {8 g" C' ]
0 g2 ]* T# [# d! `: b; _//
5 X- I2 W* J( A// LOOK:& D r9 ^2 z6 o( {
//
5 D# c6 ? b9 a& ^exit();
1 r8 x, _0 _9 d# L& x* S8 V//' d+ D6 X) d6 K: A* Q- Z& F
// PHP5:) f8 r% C/ h; }, k# r4 g* j' Z4 ~! \
//
. I* ^, M- a6 p
. n3 s. [+ l4 |& C1 S; p; U; Y3 O' g$ n; n5 N; W. `# P$ G
// default path for the image to be stored //* g5 K2 L8 t/ H" l1 q! l2 b( L
$default_path = 'tmp-upload-images/';3 U( m/ R7 Q) u8 C& I* N* V( r/ ?1 R1 }
: X z6 K9 X3 R8 J0 G* }
if (!file_exists($default_path)) mkdir($default_path, 0777, true);, F4 q0 O: t7 O0 r9 q
, E. Y+ g6 B. i
// full path to the saved image including filename //6 d) E3 J( _! L/ I( X
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
* B l4 u! n' e, n* k/ A
5 A* z( v4 h; k. P3 W9 B: a) n// move the image into the specified directory /// u; q" }$ ?) J0 x/ ^6 p; [4 E
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
3 X2 h' ^4 }% I( {* Z7 b- O2 n4 r echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
- i$ x/ m- Y' a. i2 `} else {
4 l4 e6 F) L( M$ u echo "FILE UPLOAD FAILED";9 g; W* N9 Q- {( `
}9 i% t- W' o+ h$ |& r/ h7 B2 Y
+ ?' K, ?* Q- \" E+ N* F& w3 d
+ Z K) B0 K9 s$ k9 t?>9 O2 b/ {# Z. X3 D. i7 ?& Z' Z' q
3 E ~: K) g5 ~
- L8 h: Z, ]. x+ w4 ]' m1 |
: C8 e: |" |0 J( A1 e; S8 F9 {
& _4 P% ]9 m' ^; C, A! f# ~ e1 M6 @/ ?; O, q4 U
7 y/ p7 R `( a# ]! l修复方案: . P1 z+ j D* D V4 h6 p
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞 1 @- p1 u" m3 x9 m) }: }
; y# W' M; ~5 t
6 `' T4 e2 u' I. m/ e2 [& n. V
/ W t7 \1 t! }: h# c. ]; |% H9 C) \2 n0 A; p* D4 ?6 l8 d
|
发表于 2013-2-23 12:38:58
收藏
支持
反对