File Upload: No Filtering + MIME Filtering

Source: Internet
Author: User

To write file upload vulnerability code, you need some understanding of the $_FILES array: https://wenku.baidu.com/view/10496f95dd88d0d233d46aa6.html

① This is a simple file upload (I wrote this one to get familiar with the statements, then wrote the whole thing; I still want to play with it). Upload a file with a .php suffix to see whether it succeeds: a casual try, and it succeeds.

Check to see if it was successful.

② This is the file type filter (as written, it only allows image/jpeg).

The first attempt, uploading a file with a .php suffix directly, does not work. After testing, it turns out to be MIME verification: capture the request, change the Content-Type, and, emmm, it is the following

Code ①:

    <title>uploadfiletest</title>
    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    <body>
    <form action="" enctype="multipart/form-data" method="POST" name="uploadfile">
    Upload file: <input type="file" name="upfile"/>
    <input type="submit" value="upload" name="submit">
    </form>
    </body>
    <!-- completely unfiltered, any file can be uploaded -->
    <?php
    if (isset($_POST['submit'])) {
        // Print the fields PHP fills in for the uploaded file
        echo "file name: " . $_FILES['upfile']['name'] . "<br/>";
        echo "file size: " . $_FILES['upfile']['size'] . "<br/>";
        echo "file type: " . $_FILES['upfile']['type'] . "<br/>";
        echo "temporary path: " . $_FILES['upfile']['tmp_name'] . "<br/>";
        echo "system return value after upload: " . $_FILES['upfile']['error'] . "<br/>";
        echo "==================== Save Split Line ========================<br/>";
        if ($_FILES['upfile']['error'] == 0) {
            if (!is_dir("./upload")) {
                mkdir("./upload");
            }
            // The client-supplied name (including its suffix) is used as-is
            $dir = "./upload/" . $_FILES['upfile']['name'];
            move_uploaded_file($_FILES['upfile']['tmp_name'], $dir);
            echo "file save path: " . $dir . "<br/>";
            echo "upload successful ... <br/>";
        }
    }
    ?>

Code ②:

    <title>uploadfile</title>
    <meta http-equiv="content-type" content="text/html; charset=utf-8">

    <body>
    <form action="" enctype="multipart/form-data" method="POST" name="uploadfile">
    Upload file: <input type="file" name="upfile"/>
    <input type="submit" value="upload" name="submit">
    </form>
    </body>

    <!-- filter by file type -->
    <?php
    if (isset($_POST['submit'])) {
        /*
        echo "file name: " . $_FILES['upfile']['name'] . "<br/>";
        echo "file size: " . $_FILES['upfile']['size'] . "<br/>";
        echo "file type: " . $_FILES['upfile']['type'] . "<br/>";
        echo "temporary path: " . $_FILES['upfile']['tmp_name'] . "<br/>";
        echo "system return value after uploading: " . $_FILES['upfile']['error'] . "<br/>";
        echo "===========================================<br/>";
        */
        $flag = 0;
        // The only check: the MIME type reported in the request
        switch ($_FILES['upfile']['type']) {
            case 'image/jpeg':
                $flag = 1;
                break;
            default:
                die("file type error ...");
                break;
        }
        if ($_FILES['upfile']['error'] == 0 && $flag) {
            if (!is_dir("./upload")) { // is_dir() returns TRUE if the name exists and is a directory
                mkdir("./upload");
            }
            $dir = "./upload/" . $_FILES['upfile']['name'];
            move_uploaded_file($_FILES['upfile']['tmp_name'], $dir);
            echo "file save path: " . $dir . "<br/>";
            echo "upload successful ... <br/>";
        }
    }
    ?>

Notes:

1. enctype="multipart/form-data" in the form sets the MIME encoding of the form. By default the encoding is application/x-www-form-urlencoded, which cannot be used for file upload; only multipart/form-data can transfer the file data and carry out the operations below.

2. Use of the $_FILES array:

$_FILES['upfile']['name']: the original name of the file on the client

$_FILES['upfile']['type']: the MIME type of the file, which requires the browser to provide support for this information, such as "image/gif"

$_FILES['upfile']['size']: the size of the uploaded file, in bytes

$_FILES['upfile']['tmp_name']: the temporary file name under which the file is stored on the server after upload. It is generally the system default and can be specified with upload_tmp_dir in php.ini, but setting it with the putenv() function does not work

$_FILES['upfile']['error']: the error code related to the file upload. ['error'] was added in PHP 4.2.0; its values are described below (they became constants after PHP 3.0)

UPLOAD_ERR_OK, value: 0; no error occurred, the file upload succeeded

UPLOAD_ERR_INI_SIZE, value: 1; the uploaded file exceeds the limit set by the upload_max_filesize option in php.ini

UPLOAD_ERR_FORM_SIZE, value: 2; the size of the uploaded file exceeds the value specified by the MAX_FILE_SIZE option in the HTML form

UPLOAD_ERR_PARTIAL, value: 3; the file was only partially uploaded

UPLOAD_ERR_NO_FILE, value: 4; no file was uploaded

Value: 5; the uploaded file size is 0
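For contrast with Code ② and the $_FILES notes above, here is an added example (not the original author's code) of the same handler with the checks moved to values the server controls: the type is read from the file's bytes instead of $_FILES['upfile']['type'], and the stored name is generated instead of taken from $_FILES['upfile']['name']. The function name save_jpeg_upload(), the 2 MB limit and the ../uploads directory are assumptions made for this example.

```php
<?php
// Added example: hardened counterpart to Code ②. save_jpeg_upload(), the size
// limit and the storage directory are assumptions, not from the original page.
function save_jpeg_upload(array $file, string $storeDir): string
{
    // 'error' is filled in by PHP; anything but UPLOAD_ERR_OK is a failed upload.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . json_encode($file['error'] ?? null));
    }
    // tmp_name must be a file PHP itself received through HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Enforce the size limit server-side (MAX_FILE_SIZE in the form is only a hint).
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // Ignore $file['type']: it is the Content-Type the client put in the request.
    // Detect the type from the file contents instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        throw new RuntimeException('only JPEG images are accepted');
    }
    // The file must also parse as a JPEG image header.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a valid JPEG');
    }
    // Never reuse the client-supplied name: generate one and fix the extension,
    // so the stored file cannot end in .php.
    $target = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

if (isset($_POST['submit'], $_FILES['upfile'])) {
    try {
        // The directory must already exist; keep it outside the web root.
        $path = save_jpeg_upload($_FILES['upfile'], __DIR__ . '/../uploads');
        echo 'stored as ' . htmlspecialchars(basename($path)) . '<br/>';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

A content check alone does not stop a valid JPEG that also carries script text, so the fixed .jpg extension and a storage directory where the web server does not execute scripts are what keep an uploaded file from running.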
