POST 数据漏洞文件执行任意后缀文件保存
' z! _+ Y4 u, f$ F. v& R6 c 漏洞文件/chart/php-ofc-library/ofc_upload_image.php. W! J+ C8 \6 [ x Y; M) u) P
$ e( r0 D& Y! j# h1 C+ m3 h1 o
利用: `8 A0 t" u! n k
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名5 l: c7 a' N4 d, Y
# T/ E$ g( G# h5 w+ z! i0 JPost任意数据
t* S4 t8 B# ?6 S3 y: D保存位置http://localhost/chart/tmp-upload-images/hfy.php
7 D/ h6 f( g, o, [2 q2 c. h& W& Z
4 b/ J% W, i5 p# G- Z! D, U# Z0 H. L! N5 R! }1 o8 ?# i
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~: u H9 Y. r: G- ]
3 Y7 A- y6 ]3 b4 b) x<?php# Y% {) H: f6 E% B i
8 Q/ U3 G1 P; P8 B, R8 _+ j
//& X% n- j5 N; o, B+ ^; e, G; r& A
// In Open Flash Chart -> save_image debug mode, you( S' S3 x5 V4 G& i) v0 [6 p. N3 s
// will see the 'echo' text in a new window.
) d% _; H" A9 u//9 y- f$ Z! x" W7 _
+ U9 I4 c' f* e$ y( k( k/*
0 `1 u( x: T u
: e- R9 u) b" E& a. p/ a: Cprint_r( $_GET );
/ [ m. Z6 _1 bprint_r( $_POST );" {* V7 H$ b, V- h
print_r( $_FILES );
; t% K: T; Y1 X- o
* y4 G4 B- G9 Uprint_r( $GLOBALS );# [1 j! B! K( c# z+ z5 |
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );6 v; d1 w* r! R! \
7 I. D$ k& A4 c2 w/ p! y6 ]*/
+ e$ f5 N! ?! L5 i// default path for the image to be stored //
: B+ ]& c4 w/ Y0 P5 g$default_path = '../tmp-upload-images/';
' m9 s# ?& P& B6 y0 B6 I q7 t5 o: b8 L
if (!file_exists($default_path)) mkdir($default_path, 0777, true);3 ]1 M: K) M }" ~5 }
! H6 N( Z- x% x9 _. E- n
// full path to the saved image including filename //
& l p2 `8 M! H, Q5 E3 x m$destination = $default_path . basename( $_GET[ 'name' ] );
% B2 m8 |9 M5 A# _. W7 ]. ^' _( R2 E3 \( j4 }1 A. Y
echo 'Saving your image to: '. $destination;
' J* R4 C0 ^. Z# ~ u: l" m// print_r( $_POST );: Z( z7 w! A* F# N
// print_r( $_SERVER );
2 n4 @1 W" n% w( }/ C// echo $HTTP_RAW_POST_DATA;
; }9 U' D" ^" J; l6 e0 Z- b w2 k1 E! D& B5 O
//. p! w7 V7 D( |: d" P# c
// POST data is usually string data, but we are passing a RAW .png
3 A9 T9 p! Y. g0 L// so PHP is a bit confused and $_POST is empty. But it has saved
1 p0 ], M( {# t8 J5 f5 R7 u// the raw bits into $HTTP_RAW_POST_DATA
$ w5 |& [" j7 N5 k5 H" i& {& I//0 C9 V- Y$ I @1 w# `
! e8 }, S \4 J: x$ ]$jfh = fopen($destination, 'w') or die("can't open file");& p& m+ S; q5 ^! Y2 y9 H; ~
fwrite($jfh, $HTTP_RAW_POST_DATA);9 b: r! p, N' w; z9 E
fclose($jfh);
6 c- W# E# J8 C1 {$ o! O* H+ z" X" g; \$ b$ F$ I
//
: y$ ~+ g. b: {4 y// LOOK:' `% O8 W- n, n7 L( l! L) J+ q
//
$ n6 I4 P" z9 O3 M$ S+ Texit();
+ n& V6 B( ]. N5 {: D: u//8 u' j& f! g& |( V! [1 @9 @
// PHP5:
) N' ?: T# v5 }9 \+ B3 y( j5 \9 C9 W//" W( N9 ^# p' n O0 G6 ~
8 F5 B( s, b1 a5 |
# L8 _. Z3 W# C* S: o" Q// default path for the image to be stored //8 f3 T* Q# d7 v1 ? I
$default_path = 'tmp-upload-images/';
, r2 T* e7 p1 W+ v2 p& {* M5 M" u+ }7 g, X
if (!file_exists($default_path)) mkdir($default_path, 0777, true);7 r8 C3 W3 \$ I1 A. g8 r
; h. B' f' G# J: t! a" i
// full path to the saved image including filename //) H4 e6 n+ G6 z& w) M7 _+ W
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); ! _5 E$ N1 h9 e) M0 H5 j
& h7 ^" u( l; U" j
// move the image into the specified directory //5 F3 w0 ^$ W- Y, C& h
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {+ n. Z( b2 D' v
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";& z1 S3 r: ^1 j- Z. I. q1 r- c+ [
} else {# Q$ K) S) V% G$ E1 Y7 Q
echo "FILE UPLOAD FAILED";4 i- h7 t' q. p$ O( ^9 ^ N0 r
}
( l7 Y) G' c! u$ c, H4 k5 w3 V: g& F8 @0 o1 ?# L) o. B4 }
; B9 i, s8 x/ d$ D* K
?>+ R" J: c/ f& g# i) `
c* e5 w$ `, g6 T8 B7 C6 t/ ]; L4 p* p& |
& h: P: l. p; v' O. ]. x- @& g* ?( \$ k# c/ H
3 N4 i' K+ V$ E- v: z* ?8 ^
; D# j3 u0 } ]; _1 |+ f- ?: n
" k2 L; ~! y, W* Y; n修复方案:
5 O1 j2 c: `- J8 W这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
0 d: j) O7 t3 y: x% v1 \- N6 H1 X1 Z& y, i" s2 X( e
5 l9 d3 L# u, x
9 I& @3 k @, b9 I, ^# }+ N
7 N/ Z$ i$ S3 U9 A |
发表于 2013-2-23 12:38:58
收藏
支持
反对