Some pictures are uploaded for verification. the high score helps the younger brother find the vulnerability.

There is a picture Upload verification, high score help me find a vulnerability in a small website http://hitaow.sinaapp.com I have a piece of code, below is a piece of PHP picture Upload verification code, a hacker said there is a vulnerability, help me find the vulnerability. Find the score. & Lt ;? Phpif (is_uploaded_file ($ _ FILES ['upfile'] ['tmp has an image Upload verification section. the high score helps me find the vulnerability.
One of my small website http://hitaow.sinaapp.com has a piece of code, below is a piece of PHP picture Upload verification code, a hacker said there is a vulnerability, help me find the vulnerability. Find the score.


If (is_uploaded_file ($ _ FILES ['upfile'] ['tmp _ name']) {

$ Upfile = $ _ FILES ["upfile"];

$ Name = $ upfile ["name"];
$ Type = $ upfile ["type"];
$ Size = $ upfile ["size"];
$ Tmp_name = $ upfile ["tmp_name"];
$ Error = $ upfile ["error"];

Switch ($ type ){
Case 'image/jpg ': $ OK = 1;
Break;
Case 'image/jpeg ': $ OK = 1;
Break;
Case 'image/pjpeg ': $ OK = 1;
Break;
Case 'image/GIF': $ OK = 1;
Break;
Case 'image/png ': $ OK = 1;
Break;
Case 'image/x-png ': $ OK = 1;
Break;
}
}
?>

If ($ OK & $ error = '0 '){
Move_uploaded_file ($ tmp_name, '../img/index/'. $ name );
Echo "image uploaded successfully
";
}

If (is_uploaded_file ($ _ FILES ['upfile'] ['tmp _ name']) & $ OK! = 1 ){
Echo "image Upload failed. the uploaded image should be in jpg jpeg gif png format!
";
}

I also think there is a vulnerability in this code. How can I bypass this verification. Help me find it.

------ Solution --------------------
Please refer to the following section for more information:

Author: Lao Wang

The worst way is to use $ _ FILES [...] ['type'] to detect the type of the uploaded file, because it can be forged simply by modifying the file extension.

Another method of relative security is to determine the type of the uploaded file by using the content of the first two bytes. The example code is as follows:

01 $ handle = fopen ($ _ FILES [...] ['tmp _ name'], 'RB ');
02 $ content = fread ($ handle, 2 );
03 fclose ($ handle );
04
05 $ info = unpack ('c2chars', $ content );
06
07 if (empty ($ info ['chars1']) | empty ($ info ['chars2']) {
08 exit ('error! ');
09}
10
11 if ($ info ['chars1'] <0 ){
12 $ info ['chars1'] + = 256;
13}
14 if ($ info ['chars2'] <0 ){
15 $ info ['chars2 '] + = 256;
16}
17
18 $ code = $ info ['chars1']. $ info ['chars2'];

The pack & unpack functions in PHP are dazzling. if you are interested, see Handling binary data in PHP with pack () and unpack ()

Note: most of the relevant online search programs do not perform 256 of the relevant operations. this is the TDD result I committed myself through the test data. it is not sure whether it is correct. the readers will consider it for themselves.

You can determine the $ code variable through the switch to correspond to the file type. the common image type results are roughly as follows:

GIF: 7173
. JPG: 255216
. PNG: 13780

Of course, you can also determine other file types, and you will know the value size by doing experiments on your own. However, this method is not necessarily safe, because the content of the first two bytes can also be forged, so it is best to restrict the file extension to prevent accidental parsing, for example, you create a project named foobar. the content of the php file is as follows:

GIF89


When you use the first two bytes to detect the file type, you will get the GIF: 7173 result. even if you use the file command in shell to detect the file type, you will mistakenly think of the GIF image:

# File foobar. php
Foobar. php: GIF image data 16188x26736

Because the extension is. php, the file will be parsed by the php engine. as a result, the hacker will be given a web shell, and security will not be discussed. So it is very important to limit the file extension. remember! As for how to discover this kind of disguise, the simplest method is to use shell commands to filter it again:

# Strings foobar. php | grep-I"

If you want to completely eliminate such risks, you can use tools such as gd, imagemagick, and graphicsmagick to edit the images you have uploaded before saving them. this will erase possible embedded code. If you want to be more secure, you should also separate the image server and parse static files without installing php.

Supplement: If you only judge an image, there is a simpler method, namely getimagesize. Although this method is used to obtain the image size from the name, the result contains the image type, in addition, although this method is summarized in the GD section in the document, it is available even if GD is not installed. However, you should pay attention to security issues as before.
------ Solution --------------------
You only determine the file suffix. for example, if I upload an image 1.jpg, I will change the suffix to 1.php20.1.jpg. will your program be released? The suffixes with qualified features can be parsed as php in iis6.0. if your file is not automatically renamed when it is saved, the vulnerability will occur.
------ Solution --------------------
You can disguise executable php files as image files, which can be bypassed.