POST 数据漏洞文件执行任意后缀文件保存! X( j( e( ?5 W4 E0 _
漏洞文件/chart/php-ofc-library/ofc_upload_image.php K5 \3 n$ P3 @
& s/ o( y* G: |+ p% v
利用:' p& A! O/ `* C3 F, Z- ]: y! k
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名 x% a2 Z; \0 Z/ u7 T
$ p) w% k% i9 N1 A' y X/ R8 c8 MPost任意数据% D8 g7 U0 J5 k
保存位置http://localhost/chart/tmp-upload-images/hfy.php4 }/ z: M5 p3 K/ q; l$ V' G
* b+ c! q, c4 a* o- J5 a7 W/ ^
0 B& U! L% G/ \$ v* q( T
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~5 j3 J/ |# x5 h$ v
8 `+ d, f3 O1 S+ O L. {<?php* U* S7 k# U5 I# {
% ]' O2 K1 v" |9 Q: N# A: ~
//
2 Q- a( t( U4 t8 k5 k* C+ G0 m// In Open Flash Chart -> save_image debug mode, you
) B* ]) b$ n4 m V// will see the 'echo' text in a new window." d7 B. t: u1 K1 O% R: L
//
: H) S' r s) `( D1 e8 T7 ^5 D+ m; o4 L' l
/*# B7 J5 ~3 o. D& [' k1 J
) d) q4 B& c# c
print_r( $_GET );
% _7 F, J5 ?5 U; k* e! ?print_r( $_POST );
1 G# h' h- d) d9 Qprint_r( $_FILES );9 {( M: Q& r5 q5 p7 [: M1 @) U
& q% o0 h4 w! |print_r( $GLOBALS );+ s/ \, ?. @4 X& H
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );2 y9 N: N( r/ k" C9 N$ ^
0 Q: e3 g3 h# e" y4 ?9 ~*/
; h+ Q$ }( N! [4 w4 w/ p( P// default path for the image to be stored //
8 V8 ]- V4 T# }8 J$ H3 \+ {4 t$default_path = '../tmp-upload-images/';( d/ T/ a# H. D$ t0 f, z! T# @
4 L" [6 l. i1 v2 X* K9 h( @
if (!file_exists($default_path)) mkdir($default_path, 0777, true);2 J8 M3 K; e2 q" g) K
0 ^# b9 n+ }% ^
// full path to the saved image including filename //
@3 M& Y3 Y3 W$destination = $default_path . basename( $_GET[ 'name' ] );
# W. ]8 u/ \$ u! v
+ B/ j7 S0 m- s( Iecho 'Saving your image to: '. $destination;6 G, Y% u; u! D3 t& y
// print_r( $_POST );: O7 @- f% S2 E( Y
// print_r( $_SERVER );
) _8 u! U1 a& I b# ]3 `1 ]// echo $HTTP_RAW_POST_DATA;
* Z$ t2 N: }3 H+ F& y0 Y7 B" l' |. N) i# T/ s+ l+ e
//! A9 l9 u2 ~; Q
// POST data is usually string data, but we are passing a RAW .png7 {, j! y. C9 i0 k) I7 }0 N$ L
// so PHP is a bit confused and $_POST is empty. But it has saved
% a r3 f: E" e3 ]// the raw bits into $HTTP_RAW_POST_DATA
( C7 b/ Q2 c4 |) @% G: [//# l' T: P( s4 ^) s( W4 K
& t9 p9 N/ ?% r, ~
$jfh = fopen($destination, 'w') or die("can't open file");
/ n2 r% f. V% M8 K' p7 Ofwrite($jfh, $HTTP_RAW_POST_DATA);
: N2 [1 N( L2 K2 ffclose($jfh);
# ~, O# T+ u" x. E% A
7 W1 k4 ~' }5 X+ R& i//
8 }0 x1 N7 D9 z; z( `- m// LOOK:
2 Z) L1 M- N7 B//
& ]5 m1 D# Q' S9 C( G! d, y( Mexit();" C- M+ ?5 E% t, m# s& p
//
! _8 z' F( I7 N5 x" t// PHP5:
8 N) A6 L# u3 D8 B//% b7 y. R/ Z: |7 K
- b/ H+ _4 ?. L( T1 z3 d
; U7 \* Y2 ], a/ x& z4 D// default path for the image to be stored //
* Q/ l! _! E" [2 S$default_path = 'tmp-upload-images/';
* }# M0 [7 y8 s! o* k+ p- [
6 m, t8 ]2 j2 wif (!file_exists($default_path)) mkdir($default_path, 0777, true);
% n5 S( K) f& V# D! f" g. W' J$ e' u6 y$ N, p: N: R. O
// full path to the saved image including filename //
9 U4 m" S, ?: k$ [/ |* I8 W$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
+ W2 M5 D$ ?1 O$ O" o3 c6 Y# `. Y5 y8 ^8 L& x
// move the image into the specified directory //
! L8 _$ ?6 c; A4 ?/ uif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {- ?0 x2 F3 {8 F( ~
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";1 Z) T5 q: A# b/ p, m
} else {
3 [! O0 i# c! H& v echo "FILE UPLOAD FAILED";6 D" R7 S" D% v* o$ g- |# {
}; B; u! w, N0 |; x* F
$ `% Z8 L9 G- f2 h, w" ]4 l9 I5 M2 Z4 A
# p- x( u4 t5 {5 P2 ^4 ^) b: W4 y?>5 \) q- C$ g1 J( o
3 f, s5 y7 K( g& |2 C9 Z5 Q d- t# \2 Q+ l! X" D5 \
1 {8 C. ] c; @2 X# Y( p7 c; z3 M* S8 e. N- b$ G# P
& O; z3 m1 [& c: l
8 {7 Q' T4 Q( o1 l/ ~# v) c |修复方案: + F8 C+ D4 g- r u" Q$ `
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
$ w- b( R q2 }( t. @8 n) g4 C( d
: }$ o% X# K; U4 U" b
9 R$ j; `6 E3 e+ C, j: i. Q, n/ h, y/ }
: j& ]2 e2 @9 \: b% {$ L |