POST 数据漏洞文件执行任意后缀文件保存( u0 D7 F. n5 C+ Z/ ~
漏洞文件/chart/php-ofc-library/ofc_upload_image.php
; U, a) ?, l* K6 h: n) ~8 x+ n, z" @' `" q9 S$ a1 M
利用:1 m) D- R& m' W/ U9 ^7 Q/ R2 N
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
& A; Y% R+ `3 L# _4 @+ m* u' N* P/ q
Post任意数据
6 U" \0 R9 s# H# d! h保存位置http://localhost/chart/tmp-upload-images/hfy.php3 G! L% w) }: B6 a6 b
$ z0 o/ M$ b N9 V. {0 x7 U |- s! H3 \* j* x D2 K
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~* W7 w8 Q4 X5 [
3 t( o+ \/ f: l1 F3 Z- l9 \<?php2 e2 g8 E @+ @+ O4 O4 V0 d, P1 X. K
, F: ^" i: b) P$ u// Z. g: B) m, T" I; b
// In Open Flash Chart -> save_image debug mode, you
6 D2 R: {. E8 Y& w) j K// will see the 'echo' text in a new window.
& |. R; S7 U9 T) |6 L8 o* _2 W//
9 L8 s+ u) j) {2 a8 P" t5 v: n# E2 {
" X7 [$ h% T% g b* o8 w; _/*
4 p; E/ _- U# t8 r( T% ?! s Y; D6 \1 A+ Q3 W3 i
print_r( $_GET );
1 y- D6 H s- n0 J: yprint_r( $_POST );
8 g: n1 o/ }1 V/ ^6 Fprint_r( $_FILES );" @9 T( a/ w3 H/ I& C& A
' N& I8 U$ b5 A" p. fprint_r( $GLOBALS );
( H# C p- n5 O. l, z( L3 cprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );9 Z' W8 x6 W3 o8 n5 W0 h1 ^
3 z& L$ b4 D, ?/ K' y' w3 ]
*/
5 s. g$ T3 k7 }4 r# O, a2 u5 w3 ?// default path for the image to be stored //. @3 w; ^0 J( Z) Q
$default_path = '../tmp-upload-images/';( e: G6 G- U c, ?+ N
, Q; n9 ]1 t9 ]% ?% d
if (!file_exists($default_path)) mkdir($default_path, 0777, true);# k! ?3 H% l) Q* A. J
0 n9 e3 W9 a; ^// full path to the saved image including filename //, s& m, P2 A$ M7 C ? p2 ^! D+ r
$destination = $default_path . basename( $_GET[ 'name' ] ); 0 k# I/ @/ z: A8 S: u. o
% }& r, H" Y/ ~7 C4 ~echo 'Saving your image to: '. $destination; |$ K6 ~4 `5 S# M6 o& |. D! N
// print_r( $_POST );' {& I4 M5 Q+ C+ h! Q( u
// print_r( $_SERVER );
5 V2 m$ \" ~6 {9 t$ O// echo $HTTP_RAW_POST_DATA;
2 J. H) Q3 q2 n8 R
5 R! G2 b( _% w: X6 L! {- o5 ]//
+ [. n, Q' b# ^* f- \// POST data is usually string data, but we are passing a RAW .png4 F9 x' T! N a! u6 n
// so PHP is a bit confused and $_POST is empty. But it has saved
1 k: {7 E7 T: H4 Q// the raw bits into $HTTP_RAW_POST_DATA
& ? j e8 ^8 m- u7 E//8 d0 r1 p9 L5 r
3 V$ R# z8 w) l# p& Q0 O, }
$jfh = fopen($destination, 'w') or die("can't open file");
& O' f, } X2 p, k0 q+ cfwrite($jfh, $HTTP_RAW_POST_DATA);
2 f" `6 H: f0 gfclose($jfh);# i! v/ s' }5 V3 }
# r% ^" t4 I7 X
//
* P0 R' r! S! J" |$ y! f" t* @// LOOK:% ~! U: u F/ ?) F4 W
//
; X% z7 T. s' a, g/ B% S& i/ ]1 [exit();9 m1 e6 P& @' C
//
8 F7 G( }( b5 ^! _: o! w// PHP5:! q7 p" `* I- R
//) f( a( v& x2 Y- z3 w `
: @/ v4 w6 J# }0 g0 N2 i
3 B' E( Y- v/ `; g N" f// default path for the image to be stored //, u- [( V" h0 _5 D) o2 t
$default_path = 'tmp-upload-images/';
# o: G4 q3 p3 p" Q
1 E5 y$ @9 y6 }, r+ s% Q8 Yif (!file_exists($default_path)) mkdir($default_path, 0777, true); ]6 Z. Y* ?8 h* m7 ~
7 x+ m6 J- Y3 N3 `4 e// full path to the saved image including filename //% r: O7 y. Z# P) m
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
' n- y4 L0 ]2 A6 S/ q9 q. F) l/ x% F& {, @% p
// move the image into the specified directory //4 h' p9 Y0 p7 l4 w
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {3 T9 [! r3 i: b8 {! q9 I% U( s' y+ M7 C
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";: q3 d9 t2 M* Y" e
} else {9 r' P3 U; H& S3 U
echo "FILE UPLOAD FAILED";) [# c, ~( k9 k
}5 m/ g* x" K6 x7 o7 w$ ~7 X
3 O- s" [ [1 R8 A
" u# X$ m# F$ g% r$ o9 m) v _! s. m
?>
' b5 e+ y6 o- |/ t
: W1 r6 p. q- X4 n) c- A) v \& t0 ]2 j) d$ z
; n5 P6 }3 \% i6 I$ S7 C5 y
: W5 g3 u+ b9 y4 U" Y4 W& \7 p5 t
, q& x8 c& e, E; c# A1 B( ]/ s3 G1 q; N) h6 I9 X+ o) a
修复方案: 9 A) `/ S+ s$ U- i3 s; W; Q
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
9 n$ F; L4 Z2 g" Y( e5 o2 y+ p3 m! w
4 U/ L5 R) a& {: t" O2 k" y0 h% G/ \' I# j2 {6 x
$ |* Z, A5 `9 L4 S1 H! ~ j
! S4 e* a4 ^8 R9 X- j7 z |
发表于 2013-2-23 12:38:58
收藏
支持
反对