PHP File Upload Vulnerability Simple Analysis _php tutorial

Source: Internet
Author: User
Tags php file upload upload php
File Upload Vulnerability This problem is not in PHP is only the user in the program development may not do well, the previous ASP also exists file upload vulnerability, I would like to introduce the PHP file Upload vulnerability simple analysis and solutions.


Below is a simple file upload form

The code is as follows Copy Code

PHP configuration file php.ini, where option upload_max_filesize specifies the file size allowed to upload, default is 2M

$_files Array Variables

PHP uses variable $_files to upload a file, $_files is an array. If you upload Test.txt, the contents of the $_files array are:

The code is as follows Copy Code

$FILES

Array

{

[File] = Array

{

[Name] = test.txt//File name

[Type] = Text/plain//mime type

[Tmp_name] =/tmp/php5d.tmp//Temp file

[ERROR] = 0//error message

[Size] = 536//File size, per byte

}

}

If the Upload file button's Name property value is file

The code is as follows Copy Code

Then use $_files[' file ' [' name '] to get the client upload file name, without the path. Use $_files[' file ' [' Tmp_name '] to obtain a temporary file path for the server to save the uploaded file

The folder where the uploaded files are stored

PHP does not directly place the upload file in the root directory of the site, but rather as a temporary file, the name is $_files[' file ' [' Tmp_name '] value, the developer must copy this temporary file into the folder of the site.

The value of $_files[' file ' [' Tmp_name '] is set by PHP and is not the same as the original name of the file, and the developer must use $_files[' file ' [' name '] to get the original name of the uploaded file.

Error message when uploading a file

The $_files[' file ' [' ERROR '] variable is used to save the error message when uploading the file, and its value is as follows:

Error message Numeric description
UPLOAD_ERR_OK 0 No errors
Upload_err_ini_size 1 The size of the uploaded file exceeds the php.ini setting
Upload_err_from_size 2 The size of the uploaded file exceeds the max_file_size value in the HTML form
Upload_err_partial 3 upload only part of the file
Upload_err_no_file 4 No File Upload

File Upload Vulnerability

If you provide a site visitor the ability to upload pictures, you must be careful that the visitors upload the actual may not be a picture, but can specify the PHP program. If the directory where the picture is stored is an open folder, the intruder can execute the uploaded php file remotely for an attack.

Here is an example of a simple file upload:

The code is as follows Copy Code

Set the directory where files are uploaded
$uploaddir = "d:/www/images/";

Check if file exists
if (Isset ($_files[' file1 '))
{
The full path to be placed in the site directory, including the file name
$uploadfile = $uploaddir. $_files[' file1 ' [' name '];
Move server-stored path to real file name
Move_uploaded_file ($_files[' file1 ' [' tmp_name '], $uploadfile);
}
?>
......

This example does not check the file suffix, can upload arbitrary files, very obvious upload vulnerability, to solve the above problem is very simple, we see from a piece of code.

code as follows copy code
switch ($extension)
{
Case ' Application/msword ':
$extension = ' doc ';
Break,
case ' application/vnd.ms-excel ':
$extension = ' xls ';
Break
Case ' application/vnd.openxmlformats-officedocument.wordprocessingml.document ':
$extension = ' docx ';
Break
Case ' application/vnd.ms-powerpoint ':
$extension = ' ppt ',
Break,
case ' application/pdf ':
$ Extension = ' pdf ';
break;
Case ' Application/vnd.openxmlformats-officedocument.spreadsheetml.sheet ':
$extension = ' xlsx ';
break;
Default:
die (' only allow upload doc,docx,xls,pdf,ppt file re-upload ');

}

This is used to restrict the user to upload the type number or suffix name, so that can be filtered simply can't upload php directly, but we look at an example, you painted found too scary.

Use the Paint tool to create a new image format such as JPG or GIF or PNG, which must start with a GIF or JPG or PNG.

Write the PHP Web horse's head to GIF

The code is as follows Copy Code


Then write a simple php upload file processing (I am in a hurry to write casually, no sense of beauty):

if ($_files) {
Echo ' Below is the wrong $_files:
';
echo "

";
Print_r ($_files);
echo "
";

echo "The following is the wrong getimagesize ()
";
echo "

";
Print_r (getimagesize ($_files[' bug ' [' Tmp_name ']));
echo "
";
Exit
$fp = fopen ($_files[' bug ' [' Tmp_name '], "R");
$content = Fread ($fp, filesize ($_files[' bug ' [' Tmp_name ']));
Echo $content can see the uploaded source code
}
?>

You can see the effect of such a pit father.


First, the Print_r ($_files) directly shows the extended JPG result.
Then the result of PHP function getimagesize () is GIF (which is based on the paragraph at the beginning of the file).

PHP is not able to solve this problem, but we can operate from the server directory permissions, the following provides a number of solutions.

In fact, we seize a few places, we first to analyze, since the user to save the file, and the file will be a variety of formats, there may be some file content and user incoming format inconsistent, and some file content is also included in the Trojan code. Then, we let the user save the file, with the site file to do a separate authorization, do isolation.

Keep the storage directory separate, directory permissions read-only cannot be performed
This step is authorized from the system design, no matter what file you last, it is impossible to execute. Even if I do not do any testing, your files are stored here, and will not constitute a security system for me. (If you have a picture of some reactionary words, it needs to be dealt with separately)

Do not directly use the server incoming value, all to be detected

This kind of thing as we do all the input is a harmful principle, for the client incoming: type, name, should be judged, not directly used. For a file name to be generated to a directory.

The best way to file names is to write your own dead directory (do not read the incoming directory), the file name, preferably randomly generated, do not read the user file name. File extension, you can take the rightmost "." The following character.

The above 2 methods, just from 2 aspects of the overall constraints on the deposit.

Method 2: Save the file name, write to the directory you specified, and the file name is generated by itself.

Method 1: As long as the file is guaranteed to write to the location, and then from the configuration, the Write directory for permission control, this is a permanent solution. Can do, you no matter what file, you have no permission to jump out to run.

The above 2 methods, used together, can ensure that the file is stored correctly, and then the permissions can be controlled. Here, by the way, to determine whether the user's storage file to meet the required type, directly check the file name extension, as long as the extension to allow the storage. Anyway, do the enforcement permission limit, you do not as required to save content, also no harm. Anyway, can not be executed, nor how much harm.

Correct steps:
1. Read the file name to verify that the extension is within range

2. Define your own generated file name, directory, extension can come from the file name extension. Other values, which are configured on their own, do not read the contents of the storage

3. Move the file to a new directory (this directory permission is set to read only)

http://www.bkjia.com/PHPjc/629604.html www.bkjia.com true http://www.bkjia.com/PHPjc/629604.html techarticle file Upload Vulnerability This is not the problem in PHP is only our users may not do well in the program development, the previous ASP also exists file Upload vulnerability, below I come ...

  • Related Article

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.