PHP Vulnerability Full Solution (ix)-File Upload Vulnerability

This article mainly introduces the file upload vulnerability for PHP Web site. Because the file Upload function implementation code does not strictly restrict the user to upload the file suffix and file type, which allows an attacker to upload arbitrary php files to a directory that can be accessed through the WEB, and the ability to pass these files to the PHP interpreter, you can execute any PHP script on the remote server, that is, file upload vulnerability.

A set of Web applications, generally provides the ability to upload files, so that visitors can upload some files.

Below is a simple file upload form

2. <form action="upload.php" method="POST" enctype="Multipart/form-data" name= "Form1">
4. <input type="file" name="file1" /><br />
6. <input type="Submit" value= "upload file" />
8. <input type="hidden" name="max_file_size" value="1024x768" />
10. Form>

PHP configuration file php.ini, where option upload_max_filesize specifies the file size allowed to upload, default is 2M

$_files Array Variables

PHP uses variable $_files to upload a file, $_files is an array. If you upload Test.txt, the contents of the $_files array are:

1. $FILES
2. Array
3. {
4. [File] = Array
5. {
6. [Name] = test.txt //file name
7. [Type] = Text/plain //mime type
8. [Tmp_name] =/tmp/php5d.tmp //Temp file
9. [ERROR] = 0 //error message
10. [Size] = 536 //File size, Unit bytes
11. }
12. }

If the Upload file button's Name property value is file

1. <input type="file" name="file" />

Then use $_files[' file ' [' name '] to get the client upload file name, without the path. Use $_files[' file ' [' Tmp_name '] to obtain a temporary file path for the server to save the uploaded file

The folder where the uploaded files are stored

PHP does not directly place the upload file in the root directory of the site, but rather as a temporary file, the name is $_files[' file ' [' Tmp_name '] value, the developer must copy this temporary file into the folder of the site.

The value of $_files[' file ' [' Tmp_name '] is set by PHP and is not the same as the original name of the file, and the developer must use $_files[' file ' [' name '] to get the original name of the uploaded file.

Error message when uploading a file

The $_files[' file ' [' ERROR '] variable is used to save the error message when uploading the file, and its value is as follows:

Error message	Numerical	Description
Upload_err_ok	0	No errors
Upload_err_ini_size	1	The size of the uploaded file exceeds the php.ini setting
Upload_err_from_size	2	The size of the uploaded file exceeds the max_file_size value in the HTML form
Upload_err_partial	3	Upload only part of the file
Upload_err_no_file	4	No file Upload

File Upload Vulnerability

If you provide a site visitor the ability to upload pictures, you must be careful that the visitors upload the actual may not be a picture, but can specify the PHP program. If the directory where the picture is stored is an open folder, the intruder can execute the uploaded php file remotely for an attack.

Here is an example of a simple file upload:

2. Php
4. Set the directory where files are uploaded
6. $Uploaddir = "d:/www/images/";
8. Check if file exists
10. if (Isset ($_files[' file1 '))
12. {
14. The full path to be placed in the site directory, including the file name
16. $uploadfile = $uploaddir. $_files[' file1 ' [' name '];
18. Move server-stored path to real file name
20. Move_uploaded_file ($_files[' file1 ' [' tmp_name '], $uploadfile);
22. }
24. ?>
26. ......
28. <form method="POST" enctype="Multipart/form-data" name="Form1">
30. <input type="file" name="file1" /><br />
32. <input type="Submit" value= "upload file" />
34. <input type="hidden" name="max_file_size" value="1024x768" />
36. Form>

This example does not verify the file suffix, can upload arbitrary files, it is obvious that the upload vulnerability