Vulnerable file saves POST data as a file with an arbitrary extension
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php
Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name)
POST arbitrary data
Saved to: http://localhost/chart/tmp-upload-images/hfy.php

This is a vulnerable file in the latest version of wss, present even in the paid version (the demo deployed in the Sina store)~

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();

//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>

Fix:
This vulnerable file is simply a tragedy. How to deal with it: add a permission check, validate the extension and so on~ Work it out yourself.
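
A hardened handler along the lines of the fix above (permission check plus extension validation), as an added example that is not part of the original post or the vendor's code. The session key user_id, the PNG-only policy and the 2 MiB size cap are assumptions.

```php
<?php
// Added example, not the vendor's code: a hardened save-image handler.
// Assumed (hypothetical): login state lives in $_SESSION['user_id'] and
// charts are only ever saved as PNG.
session_start();

function reject(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg);
}

// 1. Permission check: anonymous callers may not write files.
if (empty($_SESSION['user_id'])) {
    reject(403, 'Forbidden');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'POST only');
}

// 2. Extension check: keep only a restricted stem from ?name= and append
//    the extension ourselves, so "hfy.php" can never become the file name.
$name = isset($_GET['name']) && is_string($_GET['name']) ? $_GET['name'] : '';
$stem = pathinfo(basename($name), PATHINFO_FILENAME);
if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $stem)) {
    reject(400, 'Bad file name');
}

// 3. Content check: cap the size and require the body to parse as a PNG.
$maxBytes = 2 * 1024 * 1024;
$body = file_get_contents('php://input', false, null, 0, $maxBytes + 1);
if ($body === false || strlen($body) > $maxBytes) {
    reject(413, 'Image too large');
}
$info = @getimagesizefromstring($body);
if ($info === false || $info[2] !== IMAGETYPE_PNG) {
    reject(415, 'Not a PNG image');
}

// 4. Write with tight permissions. A valid PNG can still carry PHP text in
//    its chunks, so the fixed ".png" suffix is what keeps it from executing.
$dir = __DIR__ . '/../tmp-upload-images/';
if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
    reject(500, 'Cannot create upload directory');
}
if (file_put_contents($dir . $stem . '.png', $body, LOCK_EX) === false) {
    reject(500, 'Write failed');
}
echo 'Saved image as ' . $stem . '.png';
```

Turning off script execution for tmp-upload-images/ in the web server configuration adds a second layer in case a file with an executable extension ever lands there.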