Upload vulnerability in Popular science [3]-mime validation

Yesterday, the site published a File upload vulnerability JS verification of the demo code, today we discuss MIME authentication. about MIME

MIME role: To make the client software, distinguish between different kinds of data, such as Web browser is the MIME type to determine whether the file is a GIF picture, or printable PostScript file. The Web server uses MIME to describe the kind of data sent, and the Web client uses MIME to describe the kind of data that it wants to receive.

For more detailed information, please visit here:

MIME Type-server-side validation upload file type directory validation instance code

<?php/** * Created by waiting alone * date:14-1-22 * Time: PM 8:35 * Name:upload2.php * waiting alone blog: http  

 ://www.waitalone.cn/*//File Upload Vulnerability Demo script MIME verification $uploaddir = ' uploads/'; if (Isset ($_post[' submit ')) {if (file_exists ($uploaddir)) {if ($_files[' upfile ' [' type '] = = ' image/ GIF ') | |  

            ($_files[' upfile ' [' type '] = = ' image/jpeg ') | | ($_files[' upfile ' [' type '] = = ' image/png ') | | ($_files[' upfile ' [' type '] = = ' image/bmp ')) {if (Move_uploaded_file ($_files[' upfile '] [' tmp_name '], $uploaddir. '/' . $_files[' upfile ' [' name ']) {echo ' file was uploaded successfully and saved in: '. $uploaddir. $_files[' upfile ' [' Name '].  

            "N"; }} else {echo ' file type is incorrect, please re-upload. ' .  

         "N"; }} else {exit ($uploaddir. ' folder does not exist, please create it manually.  

     ');  

 }//print_r ($_files); }?> <! 

  DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 transitional//en"   "Http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >  


This code is strictly not a directory validation problem, just because of the problem of uploading code, the upload file save path is submitted by the client, so that we are good to bypass. MIME Authentication Bypass method:

about how to judge the server is MIME authentication, this we can upload several times to test, then how to bypass it. Directly change the content-type in the upload packet.


"Via@, wait alone."