I learned these things in DVWA (Damn Vulnerable Web App). I installed DVWA in my free space. If you are interested, please check it out.
If you want a user name and password, you can contact me: sq371426@163.com
DVWA's verification is provided by Google. For details, see Google CAPTCHA.
A file upload vulnerability arises when the application does not properly check the types of files that users upload. As a result, attackers can upload disallowed types of files and attack the website.
The following code handles an image upload.
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);

    // No check on file type or size: whatever was sent is moved into place.
    if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    } else {
        echo '<pre>';
        echo $target_path . ' succesfully uploaded!';
        echo '</pre>';
    }
}
?>
This program uploads files without checking the image type or size, which leaves it open to file upload attacks.
The following program verifies the file size and type.
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_type = $_FILES['uploaded']['type'];   // MIME type as reported by the client
    $uploaded_size = $_FILES['uploaded']['size'];

    // Accept only files declared as JPEG and smaller than 100000 bytes.
    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)) {
        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    } else {
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
?>
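Many people use $uploaded_type == "image/jpeg" to verify the image type, but this is still insecure, because $_FILES['uploaded']['type'] is the MIME type sent by the client in the request and PHP does not verify it.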
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    // Extension = everything after the last dot in the file name.
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];

    // Accept only jpg/jpeg extensions and files smaller than 100000 bytes.
    if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)) {
        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    } else {
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    }
}
?>
You can write ($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") instead. Well, it's not difficult, right? In fact, some things are that simple, but we just don't know them.
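A stricter version of the checks above, as an added example (not code from the original post or from DVWA): it ignores the client-reported type, allow-lists the extension case-insensitively, measures the file on disk, confirms the content parses as a JPEG, and picks the stored name on the server. The function name check_jpeg_upload and the sample files are assumptions made for this illustration.

```php
<?php
const MAX_BYTES   = 100000;              // same limit as the code above
const ALLOWED_EXT = ['jpg', 'jpeg'];

// Takes one $_FILES-style entry, returns [accepted, stored name or reason].
function check_jpeg_upload(array $file): array
{
    // 'type' is deliberately ignored: it comes from the request, not the file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error'];
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return [false, 'extension not allowed'];
    }
    // Measure the file on disk instead of trusting the reported 'size'.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size >= MAX_BYTES) {
        return [false, 'too large'];
    }
    // getimagesize() parses the header; index 2 is the detected image type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return [false, 'content is not a JPEG'];
    }
    // Server-generated name: the client controls neither the name nor the extension.
    return [true, bin2hex(random_bytes(16)) . '.jpg'];
}

// Constructed sample inputs (not real uploads): a minimal JPEG header and a text file.
$jpeg = "\xFF\xD8\xFF\xC0\x00\x11\x08\x00\x01\x00\x01\x03"
      . "\x01\x11\x00\x02\x11\x00\x03\x11\x00" . "\xFF\xD9";
$text = "plain text, not an image\n";
$samples = [
    ['photo.JPG', 'image/jpeg', $jpeg],
    ['notes.php', 'image/jpeg', $text],  // claimed type passes the type-only check above
    ['notes.jpg', 'image/jpeg', $text],  // extension passes, content does not
];
foreach ($samples as [$name, $type, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    [$ok, $detail] = check_jpeg_upload(
        ['name' => $name, 'type' => $type, 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK]
    );
    printf("%-10s claimed=%s -> %s (%s)\n", $name, $type, $ok ? 'accept' : 'reject', $detail);
    unlink($tmp);
}
```

In a real handler, the name returned on acceptance is what gets appended to the upload directory and passed to move_uploaded_file(), in place of basename($_FILES['uploaded']['name']).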