Vulnerable file saves POST data under a file name with an arbitrary extension

Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php

Exploitation:
/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php   (hfy.php is the file name)
POST arbitrary data
Saved to: http://localhost/chart/tmp-upload-images/hfy.php

This is the vulnerable file from the latest version of wss; even the paid version has it. Demo deployed in the Sina store.

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();
//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>

Fix:
This vulnerable file is just a tragedy. How to deal with it: add permission checks, extension validation and the like; do it yourself.
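
The fix described above (a permission check plus extension validation), sketched as an added example that is not part of the original post or the project's code. It covers only the raw-POST branch of the file, and it assumes that the application's login code sets $_SESSION['user_id'], that charts are saved only as PNG, and that 2 MiB is a large enough size limit:

```php
<?php
// Added example, not the project's code: hardened raw-POST branch of ofc_upload_image.php.
// Assumptions: login sets $_SESSION['user_id']; PNG only; 2 MiB limit; PHP >= 5.4.

define('UPLOAD_DIR', __DIR__ . '/../tmp-upload-images/');
define('MAX_BYTES', 2 * 1024 * 1024);

function reject($status, $message)
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

// 1. Permission check: anonymous requests never reach the file system.
session_start();
if (empty($_SESSION['user_id'])) {
    reject(403, 'Authentication required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'POST only');
}

// 2. Name check: allowlist the whole name, so only "<safe chars>.png" passes.
//    \A...\z rejects embedded newlines; no dot in the stem rules out "x.php.png".
$name = isset($_GET['name']) ? basename((string) $_GET['name']) : '';
if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.png\z/', $name)) {
    reject(400, 'Invalid file name');
}

// 3. Content check: bounded read, and the bytes must parse as a PNG image.
//    php://input replaces $HTTP_RAW_POST_DATA, which PHP 7 removed.
$body = file_get_contents('php://input', false, null, 0, MAX_BYTES + 1);
if ($body === false || strlen($body) > MAX_BYTES) {
    reject(413, 'Upload too large');
}
$info = @getimagesizefromstring($body);
if ($info === false || $info[2] !== IMAGETYPE_PNG) {
    reject(415, 'Body is not a PNG image');
}

// 4. Store with restrictive permissions instead of 0777.
if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
    reject(500, 'Cannot create upload directory');
}
if (file_put_contents(UPLOAD_DIR . $name, $body, LOCK_EX) === false) {
    reject(500, 'Cannot save image');
}
echo 'Saved image as: ' . $name;
```

A valid PNG can still carry arbitrary bytes in its metadata, so the web server should also be configured not to execute scripts from tmp-upload-images.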