PHP Vulnerability Full Solution (ix)-File Upload Vulnerability

Reprint please specify source: Php Vulnerability Full solution (ix)-File Upload Vulnerability

A set of Web applications, generally provides the ability to upload files, so that visitors can upload some files.

Below is a simple file upload form

<form action= "upload.php" method= "post" enctype= "Multipart/form-data" Name= "Form1" >

<input type= "File" Name= "File1"/><br/>

<input type= "Submit" value= "Upload file"/>

<input type= "hidden" name= "max_file_size" value= "1024x768"/>

Form>

PHP configuration file php.ini, where option upload_max_filesize specifies the file size allowed to upload, default is 2M

$_files Array Variables

PHP uses variable $_files to upload a file, $_files is an array. If you upload Test.txt, the contents of the $_files array are:

$FILES
Array
{
[File] = Array
{
[Name] = test.txt//File name
[Type] = Text/plain//mime type
[Tmp_name] =/tmp/php5d.tmp//Temp file
[ERROR] = 0//error message
[Size] = 536//File size, per byte
}
}
If the Upload file button's Name property value is file

<input type= "File" name= "file"/>

Then use $_files[' file ' [' name '] to get the client upload file name, without the path. Use $_files[' file ' [' Tmp_name '] to obtain a temporary file path for the server to save the uploaded file

The folder where the uploaded files are stored

PHP does not directly place the upload file in the root directory of the site, but rather as a temporary file, the name is $_files[' file ' [' Tmp_name '] value, the developer must copy this temporary file into the folder of the site.

The value of $_files[' file ' [' Tmp_name '] is set by PHP and is not the same as the original name of the file, and the developer must use $_files[' file ' [' name '] to get the original name of the uploaded file.

Error message when uploading a file

The $_files[' file ' [' ERROR '] variable is used to save the error message when uploading the file, and its value is as follows:

Error message	Numerical	Description
Upload_err_ok	0	No errors
Upload_err_ini_size	1	The size of the uploaded file exceeds the php.ini setting
Upload_err_from_size	2	The size of the uploaded file exceeds the max_file_size value in the HTML form
Upload_err_partial	3	Upload only part of the file
Upload_err_no_file	4	No file Upload

File Upload Vulnerability

If you provide a site visitor the ability to upload pictures, you must be careful that the visitors upload the actual may not be a picture, but can specify the PHP program. If the directory where the picture is stored is an open folder, the intruder can execute the uploaded php file remotely for an attack.

Here is an example of a simple file upload:

Php
Set the directory where files are uploaded
$uploaddir = "d:/www/images/";
Check if file exists
if (Isset ($_files[' file1 '))
{
The full path to be placed in the site directory, including the file name
$uploadfile = $uploaddir. $_files[' file1 ' [' name '];
Move server-stored path to real file name
Move_uploaded_file ($_files[' file1 ' [' tmp_name '], $uploadfile);
}
?>
......
<form method= "POST" enctype= "Multipart/form-data" Name= "Form1" >
<input type= "File" Name= "File1"/><br/>
<input type= "Submit" value= "Upload file"/>
<input type= "hidden" name= "max_file_size" value= "1024x768"/>
Form>

This example does not verify the file suffix, can upload arbitrary files, it is obvious that the upload vulnerability

The above is the full solution of PHP Vulnerability (ix)-File Upload vulnerability content, more relevant content please pay attention to topic.alibabacloud.com (www.php.cn)!

