POST 数据漏洞文件执行任意后缀文件保存
9 J% v1 P7 I$ L' X- w. i$ o 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
$ B6 G* s! B [( F4 U3 _3 |/ y. G! e+ j/ O
利用:- t+ v- k1 o- o& C# H" K
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
# m) V! x8 k0 M2 V% n4 L# |& k# h# d( ~
Post任意数据6 s, N1 N# g* ]$ O
保存位置http://localhost/chart/tmp-upload-images/hfy.php
, @% K8 Q: g) e6 C6 {9 y2 n
1 p; T+ ^, w, P! E7 M4 g/ O3 J! j& n5 [. A# }
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~. K( l. w' a' g6 z! ?" h: R9 k
- Q2 \7 y& ~! u1 v0 L7 M<?php o% C2 I; U) O6 M! x: B* `7 t9 g, g
; e4 Z# o2 ?9 b7 z Y: r3 R//
B5 X5 y* e2 E' r0 }! b0 N5 g# g// In Open Flash Chart -> save_image debug mode, you7 y( i/ I( P; W. ~- ` Z+ z; D7 I- w
// will see the 'echo' text in a new window./ o/ F. j9 B, ^+ _7 z3 ~
//1 u! ?& m% e E2 k: L% j" u9 X
# L+ z c* a# M- t
/*) q0 N# ?5 U% ~8 q i8 A/ M
+ R0 x( t' h" j, f) w; ~; Lprint_r( $_GET );" n4 {6 J' z. o6 ^9 Y3 V) c
print_r( $_POST );
" Y* j" w( Z7 {print_r( $_FILES );8 l- q8 p! K0 d
! n7 [' y3 f# t* m7 X. p( d4 Lprint_r( $GLOBALS );
/ ~+ g7 }: I5 W( `print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
5 i9 d K4 ]" j4 h) B
4 t4 e2 @% L% I*/& A+ L, o& O- `1 F0 \, m
// default path for the image to be stored //
) i- u' Y! d3 q( U2 f$default_path = '../tmp-upload-images/';; X4 G' l& ~) q# v! v
! F, b& W# N. j% z+ x
if (!file_exists($default_path)) mkdir($default_path, 0777, true);4 o0 S1 q. K: X8 |: _8 B" V
: M5 P) f: W- |$ W; i N/ H
// full path to the saved image including filename //
* \* t$ L$ R5 @$destination = $default_path . basename( $_GET[ 'name' ] ); : t9 O' s% A% B* }1 B4 w
m1 k. v6 G/ l9 oecho 'Saving your image to: '. $destination;
( {& ]9 y0 B+ P. ~) O; J/ \// print_r( $_POST );
+ E. y$ P$ C! t6 X- ^% ~6 H" F// print_r( $_SERVER );
2 u* x) _9 e6 i6 D% s7 g// echo $HTTP_RAW_POST_DATA;
0 a: o4 X, L _3 n/ K ?7 `
; y, m) W; E: u+ q: t7 j) |//: k" B9 [ F6 G
// POST data is usually string data, but we are passing a RAW .png
. C' t4 f+ W% v7 m, z+ l// so PHP is a bit confused and $_POST is empty. But it has saved
6 N1 t. W* t( B$ j+ s* f* p8 j// the raw bits into $HTTP_RAW_POST_DATA
$ x3 F# N% R& S0 N7 {//" y( u1 h# v) {6 p0 y9 {
' J6 O* B6 y$ h/ I9 M( w" `+ c# C
$jfh = fopen($destination, 'w') or die("can't open file"); e4 x9 ]) E* x$ l1 k* W
fwrite($jfh, $HTTP_RAW_POST_DATA);3 g ]- Z5 _/ B2 i* s2 q6 o/ j
fclose($jfh);5 h: [0 D, w: f5 h6 U# l/ N- ]8 \
& i: T# l- q/ a' C# @3 t% a
//
. y/ x( d# w5 A! |7 J2 k$ U4 }4 K7 |) j// LOOK:# R& g/ ?8 d) x$ ?' o8 S( q9 f- F
//
% z. ~$ g: S9 jexit();2 z' j5 D) H7 K0 W
//+ q0 m' [0 c5 R
// PHP5:; U$ ]# C$ L7 v) C
//
& f; Z) ~; s6 E+ @) H: A! K4 ?" x0 F e! t8 ]
- J9 T5 D" x/ V, H) T' N7 `// default path for the image to be stored //- V; y! Y u u
$default_path = 'tmp-upload-images/';
8 N: _2 ?% b4 H8 W3 d, K
$ B! g. V2 n0 A# qif (!file_exists($default_path)) mkdir($default_path, 0777, true);
+ Q% G+ \0 n+ [# [9 @( Q% S% q; C" @/ ?" u5 D, ^2 l
// full path to the saved image including filename //
6 h$ y0 j# b$ p# L$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
; k1 a- U0 s: w6 k) c) D1 J2 L9 g5 ]: N
// move the image into the specified directory //
7 O% X7 e0 t5 B" o; |* {- wif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
& q2 I9 M, D5 N" S echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";7 A# l4 E! K. E: M6 x) J
} else {1 O+ p+ t0 _) Y' ~1 {! O
echo "FILE UPLOAD FAILED";+ b4 u0 U- K& c4 _0 J6 e
}
3 x0 v& N& f @. Z+ [) F' r# n8 W5 M7 x# n
6 A: c0 X3 [; x0 N/ W
?>) W" ^0 L8 M U
0 |# d9 C* h7 @* E( a A( p' P
& o% H* r- S* }* H0 Y: d
3 H$ ]& Q% \; F- K B
, `! x& i8 q# r* P, F" A2 {) R
* k. ~- k6 n. n% n4 d. X1 H# ]: T! P4 J& T* \
修复方案:
t, w6 i5 x1 t( n* _1 q这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
+ x9 i7 x1 J& ^7 L3 ~, c
% S4 ?' `$ \5 m- x$ s9 `7 U# w( W. g# O6 g; |
, v' V# c% p5 {) e7 J6 G5 l/ f/ O6 z: L
2 a. L' W+ I* l |
发表于 2013-2-23 12:38:58
收藏
支持
反对