POST 数据漏洞文件执行任意后缀文件保存: B$ {8 P4 U, ^; z" y
漏洞文件/chart/php-ofc-library/ofc_upload_image.php
* ~* Q6 I" j4 M$ ?1 J# J9 } Y' x' s, k8 D: p3 w; C' T* u, c
利用:! h& K4 Q$ N% r5 ? Z& }
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名# ^3 B! B7 q. V1 v; n2 [# R
4 {+ `1 j m$ k& {; E
Post任意数据
4 e2 H. ]( f/ V6 i1 i- E2 r保存位置http://localhost/chart/tmp-upload-images/hfy.php5 O3 w3 T4 z% U( {# }
' w9 u# W) H% Q j. D2 d
+ Q' h. ^, i6 ~4 n; m0 a最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~
$ j3 s0 J3 L ^8 V5 Z8 z$ d+ X# D9 h1 j' i- J
<?php
( a) y* Z; R* V2 p3 G5 q- |# j0 X) ^! T8 N k- E4 E' ^( A: \
//0 l/ ?) F9 n/ \, }1 g
// In Open Flash Chart -> save_image debug mode, you
. {4 J% s( R& Z! G$ d// will see the 'echo' text in a new window.
7 V+ j: i/ E/ q; H//8 A3 I* f" w4 R5 Q4 E: f% ^
% W3 F/ Y* N9 w( }$ m+ \' H+ y
/*
; ?9 p" q8 x, K( j7 ~: Z) p
4 f6 V5 b* O1 Qprint_r( $_GET );
$ Y* ^* [1 D! H6 Gprint_r( $_POST );
6 q& g4 t+ S- |! X& K' `' sprint_r( $_FILES );
; T$ m/ y5 R; o
2 N3 { t( S% r' cprint_r( $GLOBALS );
( J2 J6 @3 j$ Aprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );- F |; g% z: _' C: D( o
" N. ]0 ]8 o! B1 |# q*/% ]3 u$ }3 k, \6 N( |3 r
// default path for the image to be stored //
( Y$ g5 q$ C. S$default_path = '../tmp-upload-images/';
7 i7 y6 w( ]( m+ y* w* a
! w" R9 o7 k- ^if (!file_exists($default_path)) mkdir($default_path, 0777, true);8 E& ~" z6 W* p: D5 { B
! m1 `( {& u5 u& J6 \// full path to the saved image including filename //
1 P' c) j, T* ~$destination = $default_path . basename( $_GET[ 'name' ] ); 4 p* q0 ^5 V4 q9 _! h# L$ L z
. a0 p7 o- S% ]1 I3 B; ]3 ~echo 'Saving your image to: '. $destination;; v! k( `; i1 G& W4 R* M% c
// print_r( $_POST );6 }* r/ f5 n8 l$ U' ?/ ~
// print_r( $_SERVER );$ C6 p B/ G' u5 f
// echo $HTTP_RAW_POST_DATA;
: _2 d% C$ C8 E3 K1 B. W* ~9 Z: p, k4 r* S/ |' [3 x
//4 C+ z/ S; w- s, j5 }
// POST data is usually string data, but we are passing a RAW .png
0 j" T# |+ j, q6 o// so PHP is a bit confused and $_POST is empty. But it has saved
) u. ]- ?8 K& z9 Y7 X. X// the raw bits into $HTTP_RAW_POST_DATA+ d* B2 d7 [; e
//
, i( l+ A& r4 n0 q. z- H4 ^
6 U- J- x; @, Z9 Q- i8 h# l$jfh = fopen($destination, 'w') or die("can't open file");
8 T9 l/ r2 Y; ~8 Mfwrite($jfh, $HTTP_RAW_POST_DATA);
' m5 Y/ H: Q1 X5 dfclose($jfh);( a+ n9 p0 h. ~/ e
. m. \+ z E0 a6 o, f9 \4 D
//2 _ P7 I& Z$ @7 y. d% f. Y
// LOOK:/ U3 N) `9 T; m1 x e8 x& U
//
; C; s! @) h, U2 f2 |2 w' r1 Cexit();! J# W+ u7 Z ^1 R* A2 E8 I' B
//( }1 z7 y. n, }) C f3 h' s
// PHP5:
) a7 O' o9 b4 U2 g% C2 W- l//0 A' p: L4 ^ l8 F5 d
0 G M! H5 V- j* M
4 y. i# q; u0 ?- @; S
// default path for the image to be stored //2 S4 ~8 m2 j6 Y' _
$default_path = 'tmp-upload-images/';/ |6 W& L6 G& U
! j$ h: y- Y1 Y- vif (!file_exists($default_path)) mkdir($default_path, 0777, true);4 B" q, [! \- L: {, |* f
; l/ N# I7 |' s8 u# p2 Z// full path to the saved image including filename //+ ?" d* A* n$ G+ S5 X! i$ n
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
% b" |, W% Q6 j8 q! w
8 o* n, ]2 ~0 ^' P// move the image into the specified directory //- r$ y1 I3 g6 n, o1 b2 X
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
6 x* p j* X. k. r7 } echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";: b$ u3 ^% X8 n, u5 K0 D" S
} else {8 {1 \" [) ^' i: ]- k+ `
echo "FILE UPLOAD FAILED";
/ y' ]$ E+ v. [6 G. u}, r& v% V! R# O: Y; }. ^/ W$ s* D& j
, j% H9 t3 o0 h* m; i
. |6 T; b7 `. j5 N- L$ C3 c1 [3 w?>, N+ M- R1 n) K. D1 f+ K& T# y
2 a0 z8 G: [: S' \5 U$ x
# O1 y) Y/ x: Z) \
, r: \' n" w1 m' _! x' `2 G+ k9 l
5 `; Q" `2 V/ H
1 j% y6 c [, d9 ]$ y3 D* u& i# g5 |3 l, w5 N& c8 `
修复方案:
2 r" R2 |6 k. t5 V9 g这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞 6 {7 ]# z. d; @5 ]5 X
2 O, x) [4 T3 m0 \4 m1 a
- G! f$ D' M. H( w2 Y$ x# U# b' ^+ Z. x3 N5 g3 E% n. R) x
) R% `$ r1 m, g8 q3 C- _* p
|
发表于 2013-2-23 12:38:58
收藏
分享
支持
反对