Vulnerable file saves POST data to a file with an arbitrary extension

Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name)

POST arbitrary data
Saved to: http://localhost/chart/tmp-upload-images/hfy.php

This is the vulnerable file from the latest version of wss; even the paid version has it. Seen in the demo deployed on the Sina store~

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );
print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//


// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}


?>

Remediation:
This vulnerable file is a tragedy. How to fix it: add permission checks, file-extension validation and so on~ Do it yourself.
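One way to apply the remediation above (an authorization check plus type validation), as an added example that is not part of the original post or of the Open Flash Chart code. The session key `user_id`, the PNG/JPEG allowlist and the 2 MiB size cap are assumptions made for illustration.

```php
<?php
// Added example: hardened replacement for the raw-POST branch of ofc_upload_image.php.
// Assumptions (not from the original page): session key 'user_id' marks a logged-in
// user; only PNG/JPEG chart images are expected; bodies are capped at 2 MiB.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../tmp-upload-images/';
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg'];

function fail(int $code, string $msg): void {
    http_response_code($code);
    exit($msg);
}

session_start();
if (empty($_SESSION['user_id'])) {
    fail(403, 'authentication required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');
}

// Read the raw body with a hard cap ($HTTP_RAW_POST_DATA was removed in PHP 7).
$body = file_get_contents('php://input', false, null, 0, MAX_BYTES + 1);
if ($body === false || $body === '' || strlen($body) > MAX_BYTES) {
    fail(413, 'empty or oversized body');
}

// Decide the type from the bytes, never from the client-supplied name.
$info = @getimagesizefromstring($body);
if ($info === false || !isset(ALLOWED[$info[2]])) {
    fail(415, 'not a PNG or JPEG image');
}

// Server-generated name: the caller's ?name= is ignored, so it cannot pick an extension.
$filename = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info[2]];

if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
    fail(500, 'cannot create upload directory');
}
if (file_put_contents(UPLOAD_DIR . $filename, $body, LOCK_EX) === false) {
    fail(500, 'write failed');
}
echo 'Saved as: ' . $filename;
```

Also configure the web server so that nothing under tmp-upload-images/ is handed to the PHP interpreter, since a file that passes the image check can still carry embedded script text.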