POST 数据漏洞文件执行任意后缀文件保存
0 ~$ l1 g! b `& Q 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
) @7 e0 x9 j$ {6 k+ m. v( j0 w' \" t6 n- [5 W7 z
利用:6 `+ W0 P* C3 L
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
5 w. s S4 H! ?3 S9 \ F
2 [% O0 S! ]+ \9 KPost任意数据
- v$ X% N: r. A" _* D( C保存位置http://localhost/chart/tmp-upload-images/hfy.php
* _4 g& w K8 t+ W% h8 D
% i& W/ p6 B* s7 z! q" d
1 p( K0 W: `5 c9 r最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~
' \2 D' |9 m9 g7 J, e7 d4 Y/ G2 h# T+ S+ `9 b! R+ B' ?
<?php
- v" B- x4 _* y2 d
1 }* ~# W1 r) E% k# c$ G4 @//& ]6 | |$ I- a9 ~( V* E
// In Open Flash Chart -> save_image debug mode, you" k% I5 a6 g8 e4 k2 M
// will see the 'echo' text in a new window.4 A9 l5 q1 K4 B. Z$ X1 X
//
" }% g, s- q1 o$ j$ X# _9 @& d3 L, S9 D' f* r$ w
/* O+ r: c7 `* w- P; b
. y5 y, B; b* _& ]5 D# ]
print_r( $_GET );. T4 X& a0 k) ^' g
print_r( $_POST );4 T4 w5 s" @0 Z
print_r( $_FILES );
& K; L' l8 U* Q) L o: U& s p/ ~* ~1 Q3 G" D
print_r( $GLOBALS );" J+ }2 [* Q) y+ g. C
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );' a& P4 A) a1 m% R1 I( U* x( ]
+ V* U0 V2 Z4 Y6 r9 a, g1 {*/7 S F0 w9 z% y: p `6 E* U
// default path for the image to be stored // C+ w8 L; m. x# a/ M6 ~$ y. Z
$default_path = '../tmp-upload-images/';+ P6 J8 n! {) b3 {4 m2 C0 s z
( M: V* ]1 f8 c# W% J
if (!file_exists($default_path)) mkdir($default_path, 0777, true); C& v5 V' F- N. E
9 j+ b+ K* E) W+ L9 c! M
// full path to the saved image including filename //+ {2 t; K* T4 V( A! g
$destination = $default_path . basename( $_GET[ 'name' ] ); 4 w: i3 ~) S; }% V, \6 p7 W, D
2 X" } l; Z; v
echo 'Saving your image to: '. $destination;/ J6 U# ]" X0 P' z6 z7 m
// print_r( $_POST );' Z, M8 w, ^( r: _9 O# q
// print_r( $_SERVER );
8 D) B& s8 L% q/ s// echo $HTTP_RAW_POST_DATA;
, l4 d9 w) y% p- Q3 R; i, q! T$ {+ A3 h2 g- ~/ l3 v+ D/ `# J" y9 V8 l
//
0 B3 t* ^% e7 P, _// POST data is usually string data, but we are passing a RAW .png
! T0 b$ g" [ s// so PHP is a bit confused and $_POST is empty. But it has saved" i: b! s* z w* f
// the raw bits into $HTTP_RAW_POST_DATA
# D' u( I0 A" s" \9 R0 b; B//5 l& }3 v+ K8 Y' D: O
0 ?9 M9 y( F; C5 \$jfh = fopen($destination, 'w') or die("can't open file");
+ M' ?* p0 ^+ T- {5 W% P' K9 B! A8 Zfwrite($jfh, $HTTP_RAW_POST_DATA);
- h* ?1 l! x% ]fclose($jfh);6 T6 G7 f. s; O6 [( ?. \( y
! c3 X9 o) V, l* W B6 K//0 \* z. X0 M- K, L
// LOOK:
1 v. q: _7 F0 b$ R9 v: T! A0 V* I+ ~//
8 O5 E6 f2 s7 s" {exit();
6 t) T# y& {) q( L) }* [9 |//% c0 h. {3 v8 H7 B! X' z
// PHP5:8 M0 P- M0 d7 [4 S6 o/ a
//
! V9 S: Q/ W4 e8 G( Y2 y4 m" q' e% l
# @. I4 G- \1 o; ]. x2 D( P
2 j: a& s# Q) L# P// default path for the image to be stored //: j" y# I- P* T4 v9 v
$default_path = 'tmp-upload-images/';
6 Q: }1 ?" b( ^) b6 i
6 r. G* t9 \( j2 yif (!file_exists($default_path)) mkdir($default_path, 0777, true);7 ], X; ]1 r) T0 N* l( R1 f M: O4 r, ~
# {5 F# `, r- y2 }% V9 |// full path to the saved image including filename //( d$ S7 n0 ^- @% V$ d+ G
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
8 F p0 h2 M2 h. O5 Z* W; s* j& p7 m1 p2 i2 x6 g/ A8 z P0 Y
// move the image into the specified directory //
8 p9 k( q% h3 I& ~8 ?7 {if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
5 B/ L0 ^! @! ^8 g; J: R6 N" F echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
1 {9 I) m1 Y5 q o4 m3 y; e1 _} else {
M3 f D( i- b% l m; Z" Z, a3 | echo "FILE UPLOAD FAILED";
+ C9 ~$ X# j+ B! Z5 B}- B3 x8 Q9 w8 y0 t
" t6 r9 ~$ k$ f. H% Y- ^* f; }5 c2 f& r2 V' P
?>$ @8 J* g! e# F) P2 O% E
; f9 H. F# k, v: T- E+ J1 R+ ^: d+ G* E) Z# A
9 z! J' h/ {# n- H* v! c+ H: G
* r! @; Y! u. b4 A+ _, `4 X
; z% p% P7 p: S; f7 A# j
/ q! g0 o! \8 q2 U! P" A, I修复方案: ) u& ^1 r) a& s9 w8 x& u) A3 G M
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
( l8 m) f4 T5 l' q2 O( f1 v2 B( m9 h, F: P
& b! @. |% q" q# b" h1 C/ I% [2 I8 p, ]$ Y$ ^
1 G& P1 i' t. _0 Y
|
发表于 2013-2-23 12:38:58
收藏
分享
支持
反对