POST 数据漏洞文件执行任意后缀文件保存: T) ?9 {1 B# x6 [( k/ n J
漏洞文件/chart/php-ofc-library/ofc_upload_image.php
) q% Y- }; N9 u
1 D+ S' a3 V. [, r# G- ]利用:. x! K6 i- W8 b% M" N T
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名& Y& ~, T) F6 u# o
' t0 ~& m* T1 ]4 V, K$ ]
Post任意数据2 }/ G9 z' C* a6 i
保存位置http://localhost/chart/tmp-upload-images/hfy.php
; j" A; o9 q: x8 }# W8 { A1 U, A, o6 e
2 j' _# P$ D3 D! z
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~ {6 ?$ \1 N; T& G
6 V/ ~7 g2 Q ]. d<?php
" M0 {1 }# V! h. Y9 _0 X! |' Z8 ~# d0 S# D7 {7 W
//0 X' H( w- R9 B6 ^- ]
// In Open Flash Chart -> save_image debug mode, you
- X+ _9 G+ g9 r- k4 e+ n// will see the 'echo' text in a new window.
8 L" v9 n/ |& U) N9 A//1 ?3 j( U' k$ `0 i. j5 [$ @
) `. Z; S5 V; O0 H2 |: x$ `
/*
( n V$ z+ k# @$ n- r+ {
& w* `# L5 N6 p' e+ aprint_r( $_GET );
8 g9 C4 n P! \9 |. \3 R! P8 tprint_r( $_POST );2 b, d6 D; x% f* q8 y) ?
print_r( $_FILES );* a- Q4 r9 Z; K9 B/ L, h
' p/ [0 s* B( ^
print_r( $GLOBALS );
4 D7 F) S! S5 k( E5 p5 v+ ~8 yprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );) f0 j. ]- \1 S( l$ w+ t
/ h' E5 h! R4 \6 k( F* @*/ H" Z, J, x) m5 z/ i
// default path for the image to be stored //
# e3 D5 j# G5 {$default_path = '../tmp-upload-images/';/ i' E8 {+ ~4 s# B$ j& K2 M
# a+ K: v& [# F- f }, C
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
9 |0 q! Q6 E, Z; S! L. \+ ?7 Z- R& P: [3 w; ~
// full path to the saved image including filename //+ A; J" P. }6 Q- l8 L4 y8 O* I+ q5 L
$destination = $default_path . basename( $_GET[ 'name' ] );
! O) O2 \1 y( K8 z! {/ ^& v% Q6 ? d9 g2 Z
echo 'Saving your image to: '. $destination;
# e5 g) s$ y3 S$ b9 N// print_r( $_POST );
6 {4 K/ J9 m' l" y// print_r( $_SERVER );" h. X# @' G' J& B/ N# `) U( J7 A
// echo $HTTP_RAW_POST_DATA;
: [7 j9 j, j" k+ i2 B. e% Q g! l) w6 x9 x9 l% N0 c4 z3 y
//1 `& k! K0 i) ~
// POST data is usually string data, but we are passing a RAW .png) b% F, [. ?8 q
// so PHP is a bit confused and $_POST is empty. But it has saved, f/ N3 L: B8 I4 E
// the raw bits into $HTTP_RAW_POST_DATA
' v: w) S9 R' X9 x9 B2 x' H, o//7 i `# c/ i Z& Q' D. F- h6 @
- t9 {) C! T2 D: i! g6 I- C$ b
$jfh = fopen($destination, 'w') or die("can't open file");! R* x! B, ]2 X
fwrite($jfh, $HTTP_RAW_POST_DATA); S/ D" H( I' z) ~
fclose($jfh); x' @8 D* A0 v+ o# r! f# |
5 h) T+ h# \' _' p: |: ?
//
- c8 q' @& l0 [5 H# X/ e& s// LOOK:2 w& D8 e# w; ~0 U% |/ o* c
//8 p6 f9 I( P1 V
exit();; S4 a, ~- l; T0 o' X2 ^
//* S" q) G* T0 u6 Q3 f4 X
// PHP5:2 A( J% A6 x( b
//
0 |) E2 d3 B" c. T. Q1 ]6 y
# B# E8 k; h/ E% S4 E9 j# j6 S6 @- Z" Z* K& H5 C
// default path for the image to be stored //
5 b! G! L3 C. S l- L8 V$ G$default_path = 'tmp-upload-images/';3 m L" s' c2 ]; j
T/ b* X' b" S& F2 a3 Z2 Gif (!file_exists($default_path)) mkdir($default_path, 0777, true);) \- @8 K( y& j
@# o- v- x! Q1 P// full path to the saved image including filename //
$ m, i% V* O* e c, i, [. v$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); ( d) s" P, @4 D9 U2 C7 [, L% s( Z
! B! j9 w3 n# V! [. b( h/ n2 a// move the image into the specified directory //& ^/ e1 f0 m$ x
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {& Q \' ^" K8 @9 n8 h
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
! h; n0 O2 ?% R: H4 [& L# r" J* e} else {( d+ o9 E8 ?" E' G0 x0 e \
echo "FILE UPLOAD FAILED";' x: ]) K A8 s. a) y9 d
}
. g; Q; Y5 Y! j3 i, P- ]- b+ ~
) j9 w; e/ z9 w. A5 T/ s6 ?& Y9 c( D! O* K- ]$ x
?>
; H& v* v" e$ \2 k0 i9 w- `# Q$ E
( w0 r' k2 ]8 i m; @' _( Z" @! [9 y
}- ?: `* I( V6 b, O% z! i0 [( {2 O4 S0 Y
4 [" a7 [1 J J% I/ y$ z; v4 t/ I& I- l. R+ C
修复方案:
5 j$ z8 v/ f# B* \% ?& o这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
& c. w2 t1 ^6 w- E" ^- b) o' V2 H8 W$ G% r! g A
, I2 [8 g0 z& Q! _3 r+ P
' |. {8 u9 x$ r) a( S/ L/ ?0 p, z. t& b. s( j6 _; c$ q
|
发表于 2013-2-23 12:38:58
收藏
支持
反对