POST 数据漏洞文件执行任意后缀文件保存
/ x# A' y3 @0 T6 n 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
6 u( k& E5 P1 R3 N) v5 \& ^% e5 f: f/ E* Y+ x5 T
利用:, c7 ]+ j( Y" }7 P
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
7 ^: k# @; B" X7 i" ]3 a
4 p1 ~" l- `- w! W3 kPost任意数据1 w. Q6 ?; u. h$ [2 [+ E9 @/ n
保存位置http://localhost/chart/tmp-upload-images/hfy.php
@. B% z. w; k
" I4 @! V+ a }7 {( q( f) E, n; N, E
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~- Q, F- G' G) w
# a0 L M% y3 j1 J" i<?php9 @9 W1 o6 e$ O$ V3 V K
8 q2 W! ^1 H: J( ^0 ^) k" h
//7 N3 w9 O7 A6 g( a1 o; |, O+ q
// In Open Flash Chart -> save_image debug mode, you
( b; \- o* z H# ~; g6 V// will see the 'echo' text in a new window.
' t$ B; ^" y2 @# u" a* t! j, V//
4 D! ?4 \0 K; D) Q! w
6 t# }( ?% s5 F# F2 }: X0 m/*0 f( |2 q% f2 [- D; P" G3 K" H! R& t
) ?4 ?; l3 W: R& A- ?8 `: ]" I- Y5 Lprint_r( $_GET );
! D- F# e$ w( Jprint_r( $_POST );! H1 z0 @. V, V# W% v: A
print_r( $_FILES );
6 |3 [+ c* `$ N/ L; k0 w5 ^: e) M0 Z4 a* {
print_r( $GLOBALS );
' w, M, X7 S+ ^: r( M4 nprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
( v) V8 y# ]# D: ]8 x; {- l O/ e) K3 ~2 q$ H0 _ O
*/
1 T6 b) Y, ]3 p2 U% s1 R// default path for the image to be stored //8 \8 w; U3 T4 g& b/ A( g
$default_path = '../tmp-upload-images/';) y: e7 e' p' s q. d
9 R) F8 x! |4 q; g; ]
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
: Y, `& _1 U! t( B* V+ V" c% z5 M/ O5 x9 p: ~
// full path to the saved image including filename //
9 M; T5 h7 ?" E% S3 o7 z0 d7 m$destination = $default_path . basename( $_GET[ 'name' ] );
6 O% p0 c) g6 t# K. c# ]
' c+ M1 U/ S9 k& O" ]4 n becho 'Saving your image to: '. $destination;
: [. g* x0 f6 s7 X6 H9 _7 R: ` r8 Y// print_r( $_POST );& @# _1 R4 o1 `, T# m
// print_r( $_SERVER );
# e2 ^1 i5 V0 [/ z5 D// echo $HTTP_RAW_POST_DATA;
9 I5 d" R# ~; t1 k6 v, p
% E9 l; o) M9 A9 t$ I//
/ x9 _/ F# y, q( h+ I0 J, d& G// POST data is usually string data, but we are passing a RAW .png
}5 h' j- |, {( r* V& M& U// so PHP is a bit confused and $_POST is empty. But it has saved
, F+ f; v1 V4 n! A- `// the raw bits into $HTTP_RAW_POST_DATA
5 J. r+ b- O- h//
: q% P' B n, g' ?, Q* \+ R2 d0 {0 s( }4 C/ X9 s8 z# ^
$jfh = fopen($destination, 'w') or die("can't open file");
: W0 d5 L7 I% M- ^; I3 lfwrite($jfh, $HTTP_RAW_POST_DATA);* D/ _. g) }5 Z8 T7 N; n
fclose($jfh);$ L3 b& w! x; L' k1 P. y
; U$ Y1 U9 J- }5 ~+ U//! A' Z& P5 k3 y: F1 {! g1 O1 |/ B
// LOOK:
' Z O# N: {- d//
& @- B- k7 M( R8 y# mexit(); {+ ^! _6 t) r3 b& [
//( C: o$ D6 H3 E$ ~2 h* F" E
// PHP5:) U. C, m& ?- N4 O2 O- g
// v& m9 H: M4 ~# W6 {% ]1 L3 a
+ Q+ G( } n) X
+ T, g5 e* N% j( `0 E% H// default path for the image to be stored //
/ a! Y/ P5 J' |+ H$default_path = 'tmp-upload-images/';
! o. b8 p5 ]* R& ^' z; }) W; _: w, _4 p2 h6 G
if (!file_exists($default_path)) mkdir($default_path, 0777, true);0 ^$ N* _/ i. j- I) Y2 R
3 P8 f) i5 S' U# z: i" }" u# t5 |
// full path to the saved image including filename //* x& A( o$ C B' i0 T
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); ( |* w- {, L7 f$ H: y; j6 C
4 I, H& S9 U& X" z// move the image into the specified directory //* t" V8 s$ N% c
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
. t4 k$ J! c( m echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
. Z2 s; t5 Q4 [7 k} else {
" ~- v8 _' s: J echo "FILE UPLOAD FAILED";
/ F) |; [/ U; u3 Z" a" b& }9 A9 C}
" P6 e% x4 S3 ?2 U' U; C, H7 J
' a8 E6 a) P( ]5 r, Y R! j
# R( G- Y+ R' ]: U& z?>
- m; ~1 N5 r. u- ]! D. f
1 b8 T- z& g! K
/ ?) l ], J9 t. f- a
5 L% n$ H9 _( S- p) K! A/ j6 {/ a* D" Q( H% E, h
6 p! U, O e9 Q2 D
2 w' j$ G6 s9 P5 G修复方案:
- [! m, P5 O4 e' T' o7 t8 Z/ k7 }这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
: Q1 j2 f$ j7 `4 p# w1 \
4 ]$ k1 x/ d8 g: s: B0 q! U) L! r8 `& u
6 g" l) R9 z' T# x- z" \/ h; U
6 |; u3 x5 D8 b8 Y7 E5 [, \: ] |
发表于 2013-2-23 12:38:58
收藏
支持
反对