Common web attacks 6-File Upload Vulnerability

I learned these things in dvwa (Damn Vulnerable Web App). I installed dvwa in my free space. If you are interested, please check it out. DVWA

If you want a user name and password, you can contact me: sq371426@163.com

Dvwa is provided by google for verification. For details, see google CAPCTHE

The file upload vulnerability is an imperfect judgment on the types of files uploaded by users. As a result, attackers can upload illegal types of files and attack websites.

The following describes how to upload images.

 <?php     if (isset($_POST['Upload'])) {              $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";             $target_path = $target_path . basename( $_FILES['uploaded']['name']);              if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {                  echo '<pre>';                 echo 'Your image was not uploaded.';                 echo '</pre>';                } else {                  echo '<pre>';                 echo $target_path . ' succesfully uploaded!';                 echo '</pre>';              }          } ?> 

This Program uploads files without any judgment on the image type and size, which is prone to file attacks.

The following program verifies the file size and type.

 <?php     if (isset($_POST['Upload'])) {              $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";             $target_path = $target_path . basename($_FILES['uploaded']['name']);             $uploaded_name = $_FILES['uploaded']['name'];             $uploaded_type = $_FILES['uploaded']['type'];             $uploaded_size = $_FILES['uploaded']['size'];              if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){                   if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {                      echo '<pre>';                     echo 'Your image was not uploaded.';                     echo '</pre>';                    } else {                      echo '<pre>';                     echo $target_path . ' succesfully uploaded!';                     echo '</pre>';                      }             }             else{                 echo '<pre>Your image was not uploaded.</pre>';             }         } ?>

 

Many people use $ uploaded_type = "image/jpeg" to verify the image type, but this is still insecure.

<?php if (isset($_POST['Upload'])) {              $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";             $target_path = $target_path . basename($_FILES['uploaded']['name']);             $uploaded_name = $_FILES['uploaded']['name'];             $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);             $uploaded_size = $_FILES['uploaded']['size'];              if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){                   if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {                      echo '<pre>';                     echo 'Your image was not uploaded.';                     echo '</pre>';                    } else {                      echo '<pre>';                     echo $target_path . ' succesfully uploaded!';                     echo '</pre>';                      }             }              else{                  echo '<pre>';                 echo 'Your image was not uploaded.';                 echo '</pre>';             }         }  ?>

You can write $ uploaded_ext = "jpg" | $ uploaded_ext = "JPG" | $ uploaded_ext = "jpeg" | $ uploaded_ext =" JPEG "), well, it's not difficult, right? In fact, some things are that simple, but we don't know.