Web storage vulnerabilities and principles analysis and prevention methods (file type detection vulnerabilities)

ArticleDirectory

•  

In the previous article, we learned that the most common vulnerability in wed is the file name Detection Vulnerability. Next, let's look at another vulnerability, the file type vulnerability, this is also a more prone to problems.

At that time, I thought that since I knew what kind of file I needed to allow, I would only allow you to store this file. As long as the file type is determined accuratelyCode. I can stop it all, right? This is indeed a good method, but the following problems often occur when we do it again.

Here we will look at the common PHP code. Here, two common problems are:

 

1. Read the file type and directly judge the file type.

2. Analyze the file format using tools to confirm the file type

 

• Problem 1: Read the file type to determine the file type

If (isset ($ _ FILES ['img ']) {$ file = save_file ($ _ FILES ['img']); if ($ file = false) exit ('failed to store! '); Echo "stored successfully! ", $ File;} function check_file ($ IMG) {// read the object if ($ IMG ['error']> 0) return false; $ type = $ IMG ['type']; $ filename = $ IMG ['name']; // read the file extension $ Len = strrpos ($ filename ,". "); if ($ Len = false) return false; // get the extension $ ext = strtolower (substr ($ filename, $ Len + 1 )); /// determine the file typeIf ($ type & preg_match ('% ^ image/. + $ %', $ type) return $ ext;Return false;} function save_file ($ IMG) {$ ext = check_file ($ IMG); If (! EXT) return false; // format check OK, prepare to move data$ Filename = Time (). $ ext;$ Newfile = "upload/". $ filename; If (! Move_uploaded_file ($ IMG ["tmp_name"], $ newfile) return false; return $ newfile ;}

The above blue code is the key, in which we directly read the type, that is, the file content. Through the first Knowledge: Web storage vulnerabilities and Analysis of principles and prevention methods, we know that type is automatically input from browser browsers. If it is a browser, this value is generally correct. However, if the package is from the user's own organization, he can set an image/JPEG value for the type, and then give the name an index. php value.

We can see the problem. In this way, the generated file $ filename is changed to time (). 'php. Create a PHP file.

• Use tools to analyze the file format to confirm the file type

We already know that the type value can be constructed at will, and this type of check user type method can be used. Malicious users can send a PHP file to upload an image. So some may say that I use PHP directly.ProgramAnalyze the format of the User-passed tmp_name file. This is always reliable! Let's look at the following code.

 function check_file ($ IMG) {// read the file if ($ IMG ['error']> 0) return false; $ typelist = array (Array ("ffd8ffe1", "jpg"), array ("89504e47", "PNG"), array ("47494638", "GIF "), array ("49347a00", "TIF"), array ("mongod", "BMP"); $ file = $ IMG ['tmp _ name']; $ filename = $ IMG ['name']; // read the file extension $ Len = strrpos ($ filename ,". "); if ($ Len = false) return false; // get the extension $ ext = strtolower (substr ($ filename, $ Len + 1 )); /// determine the file type // read the first 15 bytes of the file. Generally, you can determine the format of this byte value. $ file = @ fopen ($ file, "rb "); $ bin = fread ($ file, 15); foreach ($ typelist as $ v) {$ blen = strlen (pack ("H *", $ V [0]); // get the number of bytes marked by the file header $ TBIN = substr ($ bin, 0, intval ($ blen )); /// compare the file header length    If (strtolower ($ V [0]) = strtolower (array_shift (unpack (" H * ", $ TBIN ))))   {return $ ext ;}} return false ;}

This method directly analyzes the format of the file that you pass in and determines whether the file type can be saved! This set of methods seems to be very reliable and should be accurate. There should be no problem. If you do not read the type, you can analyze the format yourself. In fact, if you pass in a file, the first 4 bytes are: 89504e47, and then add a section later <? PHP code. The stored file name is image. php. In this way, we find that this code is saved as a PHP file. This file is only used. The first part may be in the image format, followed by a pure PHP program. You can use a browser to access this file and run it. A long time ago, someone had done an image Trojan. You can go to Baidu to search :"Hide the PHP trojan in the image", You can use the drawing software to view this file. If you use PHP to run this code, PHP can execute it.

 

Well, Let's sum up, it seems that the type is determined by type, and the type is checked by file format. And accurately determine the format of files stored on the user. In fact, we can think about the file format, which can be accurately determined by a simple bytecode. If we really want to detect the file type, what method should we use? If you want to check the format, for example, an image, you can use the php gd library to open the file and save it again. In this way, invalid code will be removed. However, let's think about how much performance will it take?

To sum up, it is not wise to determine the file content format. It is complex and prone to problems. To make an accurate judgment, it will consume a lot of server resources. Unless we have. Next, I will talk about the ideas about the security deposit method. Welcome to talk about it!

Author: chengmo QQ: 8292669
Http://blog.chacuo.net/141.html
Subscription keep-in: http://blog.chacuo.net/feed
This article is copyrighted by the author. You are welcome to reprint it. Please add the original article link.