Web Development Security: Secure File Upload

Source: Internet
Author: User

For a long time, a rookie like me, when looking at a website, had the first reaction of looking for an upload point. Let me take this opportunity to summarize the security issues of file uploads.

First, look at the complete code of DVWA's Impossible level:

    <?php
    if( isset( $_POST[ 'Upload' ] ) ) {
        // Check Anti-CSRF token
        checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

        // File information
        $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
        $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1 );
        $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
        $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
        $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

        // Where are we going to be writing to?
        $target_path   = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
        //$target_file = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
        $target_file   = md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
        $temp_file     = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
        $temp_file    .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;

        // Is it an image?
        if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
            ( $uploaded_size < 100000 ) &&
            ( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
            getimagesize( $uploaded_tmp ) ) {

            // Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
            if( $uploaded_type == 'image/jpeg' ) {
                $img = imagecreatefromjpeg( $uploaded_tmp );
                imagejpeg( $img, $temp_file, 100 );
            }
            else {
                $img = imagecreatefrompng( $uploaded_tmp );
                imagepng( $img, $temp_file, 9 );
            }
            imagedestroy( $img );

            // Can we move the file to the web root from the temp folder?
            if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
                // Yes!
                echo "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>";
            }
            else {
                // No
                echo '<pre>Your image was not uploaded.</pre>';
            }

            // Delete any temp files
            if( file_exists( $temp_file ) )
                unlink( $temp_file );
        }
        else {
            // Invalid file
            echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
        }
    }

    // Generate Anti-CSRF token
    generateSessionToken();
    ?>

Let's analyze the process of a secure file upload:

  1. Fetch the last extension of the file.
    $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1 );
  2. Rename the uploaded file with a random value. DVWA uses md5( uniqid() . $uploaded_name ); rand() would also do.
    $target_file = md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
  3. Whitelist-check the file suffix, the MIME type, and the file size.
    if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
        ( $uploaded_size < 100000 ) &&
        ( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
  4. Most importantly, check whether it is a real image.
    getimagesize( $uploaded_tmp ) ) // returns false if the file is not an image
  5. Re-render the image with the GD library or ImageMagick, washing out any malicious code embedded in the image.
  6. Echo the result back to the front end with a relative path.
    if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) )
    • Pitfalls that programmers and I have walked through over the years (common mistakes in application development, compared with the development process above)
    1. Validating the file type in front-end JavaScript

No exaggeration and no bashing: apart from some enterprises that built their own sites, or some temporary pages, the Internet industry does not really write it this way. In short, the file type is validated by JavaScript code: pass if correct, pop up an alert if wrong. As for how to bypass it, F12 and Burp work well. This is an elementary mistake and not worth repeating.

2. Blacklisting uploaded file types and not verifying the MIME type

To ensure secure file uploads, be sure to use a whitelist and verify the MIME type. Ordinary blacklist bypasses are well understood and need no repeating. What left a deep impression was a third-party piece of software that validated the uploaded file type through a blacklist rather than a whitelist. As a result, the jspx extension was not in the blacklist, and since Tomcat 6.0's default configuration parses jspx normally, server permissions were taken directly; the rest of that story is tears.

3. Not verifying whether it is a real image file

Simply verifying the suffix and the MIME type does not determine whether it is a real image file. In PHP this is mainly done with getimagesize() to distinguish images. The first thing to talk about is the file magic number:

Opening files in WinHex, we can see that the binary streams of the different image formats each start with a consistent header.

For example, a GIF file starts with GIF89a. A .gif file is created and edited in Notepad++ as follows:

GIF89a (... some binary data ...) <?php phpinfo(); ?> (... rest of the binary data skipped ...)

Opening the relevant file in WinHex, we can see:

We then use the getimagesize() function to get and echo the associated variable values.

If the file's magic number header is not used:

Repeating the above experiment returns false. This means that after verifying the suffix whitelist, the MIME type, and the image magic number, we can ensure that the uploaded file is indeed a picture. However, there is something legendary that cannot be defended against this way: an image trojan combined with a parsing vulnerability, or an image trojan combined with a file inclusion vulnerability.

4. Image re-rendering

   Through the GD library's imagecreatefromjpeg() function, we can wash a one-line trojan or other malicious code out of the file, ensuring that the file's binary stream contains no malicious code. This has a very good defensive effect against parsing vulnerabilities or inclusion vulnerabilities.

5. Not restricting uploads that overwrite the .htaccess file

   If you do not restrict uploading or overwriting .htaccess files, all of our efforts above may be in vain.
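   The validation chain from the process list above, with the re-render and the .htaccess rejection, as an added example that is neither DVWA's code nor the article's. It assumes PHP 8 with the gd and fileinfo extensions; the function name store_image_upload and the 1x1 GIF with a PHP tag appended are constructed for the demo, and the MIME type is taken from the file bytes with finfo instead of the client-supplied $_FILES type that DVWA trusts.

```php
<?php
// Added example, not DVWA's code: the article's validation chain as one function,
// hardened in one place over DVWA's Impossible level: the MIME type is read from the
// file bytes via finfo (DVWA trusts the client-supplied $_FILES['uploaded']['type']).
// Assumes PHP >= 8 with gd and fileinfo. $tmp is the server-side temp path of the
// upload, $clientName the client-supplied name. Returns the stored path or null.
function store_image_upload(string $tmp, string $clientName, string $destDir): ?string {
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    // 1. Whitelist the LAST extension; this also rejects ".htaccess" and "x.php".
    $dot = strrpos($clientName, '.');
    $ext = $dot === false ? '' : strtolower(substr($clientName, $dot + 1));
    if (!isset($allowed[$ext])) return null;
    // 2. Size limit (same 100000-byte bound as DVWA).
    if (filesize($tmp) >= 100000) return null;
    // 3. MIME type from the bytes on disk, and it must agree with the extension.
    if ((new finfo(FILEINFO_MIME_TYPE))->file($tmp) !== $allowed[$ext]) return null;
    // 4. Magic number / header parse: getimagesize() returns false for non-images.
    if (getimagesize($tmp) === false) return null;
    // 5. Re-render with GD; the decoder stops at the image trailer, so bytes appended
    //    after the image (the "picture horse") do not survive the re-encode.
    $img = match ($allowed[$ext]) {
        'image/jpeg' => imagecreatefromjpeg($tmp),
        'image/png'  => imagecreatefrompng($tmp),
        'image/gif'  => imagecreatefromgif($tmp),
    };
    if ($img === false) return null;
    // 6. Server-chosen random name; the client name never reaches the filesystem.
    $target = $destDir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($allowed[$ext]) {
        'image/jpeg' => imagejpeg($img, $target, 100),
        'image/png'  => imagepng($img, $target, 9),
        'image/gif'  => imagegif($img, $target),
    };
    imagedestroy($img);
    return $ok ? $target : null;
}

// Constructed demo input: a real 1x1 GIF with a PHP tag appended, as in the article's experiment.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
$tmp = $dir . DIRECTORY_SEPARATOR . 'php_upload_tmp';
$gif = imagecreatetruecolor(1, 1);
imagegif($gif, $tmp); imagedestroy($gif);
file_put_contents($tmp, '<?php phpinfo(); ?>', FILE_APPEND);

var_dump(getimagesize($tmp) !== false);                 // true: the header check alone passes the polyglot
var_dump(store_image_upload($tmp, '.htaccess', $dir));  // NULL: extension not whitelisted
$stored = store_image_upload($tmp, 'cat.gif', $dir);    // string: stored under a random name
var_dump(strpos(file_get_contents($stored), '<?php'));  // false: re-render dropped the appended payload
```

   Run it from the CLI; in a real handler, $tmp comes from $_FILES and should also pass is_uploaded_file() before any of the checks above.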

    • Summary:

   This article considers file upload security only at the code design level and does not cover related operations and maintenance security issues. For example, the parsing vulnerabilities of Nginx and Apache should also be considered in defense, as should the 00 (null-byte) truncation problem in PHP. These are not unknowns. If there are any mistakes in the article, please correct me.
