Brief analysis of OWASP file upload vulnerability

Source: Internet
Author: User
Tags: temporary file storage

0x01

A file upload vulnerability arises when the upload handler does not correctly check the format of the uploaded file, so that an executable program (for example a PHP script) ends up inside the web site's directory.

There are two common ways to validate an uploaded file. 1. Client-side JS validation: JavaScript reads the suffix of the chosen file and compares it with a whitelist; if it matches, the upload proceeds. Because this check runs in the browser, it is trivially bypassed: disable or remove the JS, or build the form POST yourself without the browser.

2. Back-end validation: the POST data is handled by file_upload(), which uses $_FILES['file']['type'] to decide the suffix of the uploaded file.

function file_upload() {
    $file_name = $_FILES['file']['name'];
    $file_type = $_FILES['file']['type'];
    $file_tmp  = $_FILES['file']['tmp_name'];   // temporary file storage location

    // Determine the file suffix
    // Question 1: the type comes from the client-supplied Content-Type
    if ($file_type === 'image/jpg' || $file_type === 'image/jpeg') {   // jpg and jpeg types, see Wiki
        // Question 2: fixed suffix chosen from the whitelist
        $file_new_type = '.jpg';
    }

    // Question 4: rename the file (md5 of the current time, first 10 chars)
    $file_name = substr(md5(time()), 0, 10);
    // Question 3: the suffix is taken straight from the client-supplied type
    move_uploaded_file($file_tmp, $file_name . $file_type);
}

For how PHP handles uploaded files, see the W3Schools PHP file upload tutorial.

Question 1. $file_type is treated as the file's type. When a jpg is uploaded normally, $file_type is the image MIME type (browsers send image/jpeg; image/jpg is not a registered type, although it is common in whitelists). When a .php file is uploaded, $file_type is application/octet-stream (an arbitrary binary stream). image/jpg and application/octet-stream are MIME types (Multipurpose Internet Mail Extensions). If you capture the upload request in the browser, the file part carries a Content-Type: image/jpeg header, and the value of that header is exactly what lands in $file_type (question 3).

The value of $file_type is compared with the whitelist (image/jpg, image/jpeg); if it matches, the suffix is set to .jpg (ignoring question 3 for the moment).

Question 3 (MIME header spoofing). Because the check only compares the MIME type with the whitelist, the file can be uploaded by rewriting the Content-Type of the file part to image/jpg in the request.

Upload a.php, intercept the request in Burp Suite, change Content-Type: application/octet-stream to Content-Type: image/jpg, and forward it. Now $file_type is 'image/jpg': the php file, which originally arrived labelled as a binary stream, is now labelled as an image. If the server, once the MIME check passes, keeps the client-supplied name (a.php), the file is stored in the site directory as a php file, resulting in a getshell.

2. Matching image/jpg does not mean MIME spoofing cannot be handled. With renaming, when $file_type matches jpg, $file_new_type is set to '.jpg' and the stored name is built from that; so even if a php file is uploaded, the file that finally lands in the site directory is a .jpg.
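The JS bypass (point 1 above) and the MIME spoofing of question 3 are the same thing seen from the wire: the multipart request is built by the sender, so the file part's Content-Type is whatever the attacker writes. The following Python example is added here and is not code from the original post; it constructs the multipart body by hand (as Burp or a script would after the client-side check is gone), parses it back the way a server does to show what PHP would expose as $_FILES['file']['name'] and ['type'], and runs the page's whitelist check against it. The PHP one-liner payload and the boundary are constructed sample data; build_multipart, parse_multipart and mime_check_passes are names chosen for this illustration.

```python
import email
import uuid

# Constructed sample payload: the "one-line" PHP webshell the page mentions,
# which the attacker tries to upload as a.php.
PHP_PAYLOAD = b"<?php @eval($_POST['c']); ?>"

# The MIME whitelist exactly as the page's file_upload() uses it.
MIME_WHITELIST = ("image/jpg", "image/jpeg")


def build_multipart(field, filename, content_type, data, boundary=None):
    """Build a multipart/form-data body by hand. Every header in the file
    part, including Content-Type, is chosen by the sender, not the server."""
    boundary = boundary or "----WebKitFormBoundary" + uuid.uuid4().hex[:16]
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    ).encode("ascii")
    tail = f"\r\n--{boundary}--\r\n".encode("ascii")
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def parse_multipart(content_type_header, body):
    """Parse the request the way a server does and return, per field name,
    what PHP exposes as $_FILES[field]['name'], ['type'] and the content."""
    msg = email.message_from_bytes(
        f"Content-Type: {content_type_header}\r\n\r\n".encode("ascii") + body
    )
    files = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:          # an ordinary form field, not a file
            continue
        field = part.get_param("name", header="content-disposition")
        files[field] = {
            "name": filename,
            "type": part.get_content_type(),   # copied from the part header
            "content": part.get_payload(decode=True),
        }
    return files


def mime_check_passes(file_type):
    """The page's question 1 check: trust $_FILES['file']['type']."""
    return file_type in MIME_WHITELIST


def upload_as_browser_would(filename, data):
    """A browser labels a .php file it does not know as application/octet-stream."""
    return build_multipart("file", filename, "application/octet-stream", data)


def upload_with_spoofed_type(filename, data):
    """The same file with Content-Type rewritten to image/jpeg in the proxy."""
    return build_multipart("file", filename, "image/jpeg", data)


if __name__ == "__main__":
    for label, (ctype, body) in (
        ("browser", upload_as_browser_would("a.php", PHP_PAYLOAD)),
        ("spoofed", upload_with_spoofed_type("a.php", PHP_PAYLOAD)),
    ):
        seen = parse_multipart(ctype, body)["file"]
        verdict = "passes whitelist" if mime_check_passes(seen["type"]) else "rejected"
        print(f"{label}: name={seen['name']} type={seen['type']} -> {verdict}")
```

The browser-labelled request is rejected and the spoofed one passes, while the file name, the content and the server-side code are identical in both cases; nothing in $_FILES['file']['type'] is evidence about the file.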

0x02

File upload vulnerabilities stem from lax filtering. Many people use strpos($str, '.') to cut out the file suffix, and then malformed file names such as xx.php;.jpg turn up (question 4). The simplest protection is to rename every file outright, whatever it was called. Some may find the chain of if-statements from question 2 tedious; a switch keeps the code a little safer and a little less tedious:

switch ($file_type) {
    case 'image/jpg':
        $file_new_type = '.jpg';
        break;   // without break, execution falls through into the next case
    case 'image/jpeg':
        $file_new_type = '.jpeg';
        break;
    ....
    default:
        $file_new_type = false;   // type not on the whitelist: refuse to store it
}

With the suffix obtained this way and the file renamed, some worry about an image that carries a one-line webshell being stored on the site. It does not matter what file was uploaded: once the program has decided that the file gets a whitelisted suffix and uses that suffix directly, then even if the file contains the one-liner, the server treats it as an image and does not execute the code inside (question 5). This holds only as long as the web server never hands .jpg files to the PHP interpreter; the parsing problems in 0x03 are exactly the cases where that assumption breaks.

File renaming usually follows the pattern: upload/<date>/<md5 of a time seed>.<suffix>. Note that md5(time()) is predictable and repeats for two uploads within the same second; a random token from a CSPRNG is the safer choice.

Specific code:

if ($file_new_type === false) {
    exit('file type not allowed');   // the switch above set false for anything not whitelisted
}

$file_save_directory = 'upload/' . date('Y-m-d', time());   // storage folder named by date

if (!file_exists($file_save_directory)) {
    mkdir($file_save_directory, 0755, true);   // create the folder if it does not exist
}

$file_new_name = substr(md5(time()), 0, 10) . $file_new_type;   // renamed file name

$result = move_uploaded_file($file_tmp, $file_save_directory . '/' . $file_new_name);

if ($result) { echo "Upload success"; }

0x03

PHP file upload vulnerabilities have been around for many years. A few days ago a write-up of CVE-2006-7243, a PHP null-character handling problem, was published (webshell.cc): when PHP (before 5.3.4) handles a path such as a.php\x00.jpg, the name is truncated at the null byte and the file is saved as a.php, so a php file with a malformed name is uploaded successfully. Those interested can set up an environment and test it.

File uploads also come with file-name parsing vulnerabilities. IIS, Apache and nginx all mishandle malformed file names in some configurations (IIS 6 stops at the semicolon in a.php;.jpg, Apache resolves multiple extensions from right to left, nginx with cgi.fix_pathinfo passes a.jpg/x.php to PHP), so names like a.php;.jpg or a.php .jpg (0x00 truncation) are uploaded successfully and then parsed as PHP.
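The three defences the post ends up recommending in 0x02 and 0x03 (never trust the client-supplied type, rename the file with a whitelisted suffix, and refuse the malformed names that null-byte truncation and the strpos-style suffix cut let through) fit in one handler. The example below is added here and is not code from the original post; it is written in Python rather than PHP so that it can run stand-alone, and the logic mirrors the page's file_upload() rather than any framework's API. It goes one step beyond the page's MIME whitelist by deriving the suffix from the file's magic bytes, so a spoofed Content-Type buys the attacker nothing. The magic-number table, the function names and the sample bytes are constructed for this illustration.

```python
import datetime
import pathlib
import secrets
import tempfile

# Constructed magic-number table. Assumption: only these image formats are accepted.
MAGIC_TO_EXT = (
    (b"\xff\xd8\xff", ".jpg"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
)


def naive_suffix(name):
    """The strpos($str, '.') style cut the page warns about: everything from
    the first dot, so 'xx.php;.jpg' yields '.php;.jpg' (question 4)."""
    i = name.find(".")
    return name[i:] if i != -1 else ""


def sniff_extension(data):
    """Pick the stored suffix from the content, not from the client's
    Content-Type or file name. Returns None for anything unrecognised."""
    for magic, ext in MAGIC_TO_EXT:
        if data.startswith(magic):
            return ext
    return None


def validate_and_store(client_name, client_type, data, upload_root):
    """Hardened counterpart of the page's file_upload(). Returns (True, path)
    or (False, reason). client_type is deliberately never consulted: it is
    attacker-controlled (question 3)."""
    # 0x03: a NUL byte in a name is never legitimate (CVE-2006-7243 style
    # truncation); path separators would let the name escape the upload folder.
    if "\x00" in client_name or "/" in client_name or "\\" in client_name:
        return False, "malformed file name"
    ext = sniff_extension(data)
    if ext is None:
        return False, "content is not an accepted image type"
    # Same upload/<date>/<name><suffix> layout as the page, but a CSPRNG token
    # instead of md5(time()), which is guessable and repeats within a second.
    directory = pathlib.Path(upload_root) / datetime.date.today().isoformat()
    directory.mkdir(parents=True, exist_ok=True)
    dest = directory / (secrets.token_hex(8) + ext)
    with open(dest, "xb") as fh:   # 'x' refuses to overwrite an existing file
        fh.write(data)
    return True, dest


def demo_root():
    """A throwaway upload directory for the demonstration below."""
    return tempfile.mkdtemp(prefix="upload-")


if __name__ == "__main__":
    root = demo_root()
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8        # constructed JPEG header
    shell = b"<?php @eval($_POST['c']); ?>"                     # constructed one-liner
    for name, ctype, data in (
        ("cat.jpg", "image/jpeg", jpeg),
        ("a.php", "image/jpeg", shell),                # MIME spoofed, content is PHP
        ("a.php\x00.jpg", "image/jpeg", jpeg),         # null-byte truncation attempt
        ("a.php;.jpg", "image/jpeg", jpeg + shell),    # image with a one-liner appended
    ):
        print(repr(name), validate_and_store(name, ctype, data, root))
```

The last case is question 5 from 0x02: a real image with PHP appended is accepted and stored under a random name ending in .jpg, which is only safe if the web server never executes files with that suffix. Keeping the upload directory outside the web root, or serving it with script execution disabled, removes that dependency on server-side parsing behaviour.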

Reference: Wooyun PHP secure coding

http://zone.wooyun.org/content/1910 PHP upload defects

