1) Counterfeit GIF89A file header upload.
Defect: the program only checks whether the uploaded file's type is image/gif and so on. Signatures such as GIF89A are simply the first bytes of a real file's header, read from a hexadecimal dump, so any file can be made to start with them.
2) SQL query bypass (Jizhu)
For example:
$tokens = explode(".", $upload_filename);
.......................................
$extension = $tokens[count($tokens) - 1]; // get the last suffix
..............................
$result = forum_exec_query("SELECT * FROM $extensions_table WHERE extension = '$extension' AND file_type = 'image'", $link);
........................................
Vulnerability explanation: requires GPC (magic_quotes_gpc) = Off and Apache.
We upload a file named:
shell.xsser.php.'or 'A'='a
which closes the quote in the query:
...... extension = ''or 'A'='A' AND file_type = 'image' .......
That is, empty OR 'A'='A', in other words false OR true = true, so the SQL query succeeds! Combined with the Apache parsing vulnerability, this yields a webshell.
3) strrpos() function vulnerability
First, an introduction to the strrpos() function:
Definition and usage
The strrpos() function finds the position of the last occurrence of a string inside another string.
If the search succeeds, the position is returned; otherwise false is returned.
Syntax
strrpos(string, find, start)
Parameter description
string: required. The string to search in.
find: required. The string to search for.
start: optional. The position at which the search starts.
Now look at the code where the vulnerability forms:
.........
$upfiletype = "gif|jpg";
............
$size = $_FILES['userfile']['size'];
$strFileName = $_FILES['userfile']['name'];
$arrName = explode(".", $strFileName);
$intName = sizeof($arrName);
$extName = strtolower($arrName[$intName - 1]); // gets the suffix of the uploaded file
if (false != strrpos($upfiletype, $extName)) { // the problem lies here
} else {
    echo "You are not allowed to upload " . $extName . " type files";
    exit;
}
........................................
The program restricts the suffix to jpg and gif, right? But the strrpos() function only reads one character (in PHP 4), like this: jpg contains the character p, and php also contains the character p. ORZ.... The search succeeds, so false is not returned...
<?php
if (false != strrpos('jpg', 'php')) {
    echo "true";
} else {
    echo "ORZ";
}
?>
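To make the substring problem concrete, here is an added example (not code from the original post) that runs the post's strrpos() pattern beside an exact whitelist comparison; weak_check() and strict_check() are names chosen for this example. On PHP 5 and later strrpos() searches the whole needle, so 'php' itself is rejected, but partial or single-character suffixes still pass, and a hit at offset 0 is wrongly rejected by the loose `!=`.

```php
<?php
// Added example, not code from the original post. weak_check() reproduces the
// post's pattern (allowed suffixes in one delimited string, tested with strrpos);
// strict_check() is the exact-match form a reviewer should ask for.

function weak_check(string $allowedString, string $ext): bool
{
    // strrpos() answers "does this text occur somewhere in the string", not
    // "is this one of the allowed suffixes". On PHP 4 only the first character
    // of $ext was used, which is the jpg/php collision described above.
    // The loose != also treats a hit at offset 0 (gif) as "not found".
    return false != strrpos($allowedString, strtolower($ext));
}

function strict_check(array $allowedList, string $ext): bool
{
    // Whole-suffix comparison, strict type check, fixed array: no substring
    // matches, no offset-0 problem, no string parsing.
    return in_array(strtolower($ext), $allowedList, true);
}

$allowedString = "gif|jpg";            // the post's $upfiletype
$allowedList   = ['gif', 'jpg'];

// Constructed suffixes: the valid ones, the post's php case, partial matches.
foreach (['jpg', 'php', 'gif', 'jp', 'g', 'f|j'] as $ext) {
    printf("%-5s weak=%-5s strict=%s\n", $ext,
        weak_check($allowedString, $ext) ? 'allow' : 'deny',
        strict_check($allowedList, $ext) ? 'allow' : 'deny');
}
```

Run it with `php` on the command line; the weak column allows 'jp', 'g' and 'f|j' and denies 'gif', while the strict column allows exactly gif and jpg.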
4) move_uploaded_file() + rename() functions and some logic defects
Baidu search: ImgUpload V2.01 Chinese version, the upload.php inside it (the link is not pasted because of the article's word limit).
switch ($_FILES[$whichfile]['error'])
This checks the size of the file you upload; a small Trojan gets past it.
$split_ext = explode(',', $globalvars->settings['allowed_ext']);
$split_img = explode('.', $_FILES[$whichfile]['name']);
// The file we upload, for example xsser.php, is split by explode into $split_img[0] = xsser and $split_img[1] = php.
$globalvars->settings['allowed_ext'] holds:
jpg:allow,jpeg:allow,png:allow,bmp:allow,gif:allow
$split_values = explode(':', $split_ext[$i]);
// This splits the values above into jpg, allow; jpeg, allow; and so on.
Assume we upload xsser.jpg: after splitting, $split_img[0] is xsser and $split_img[1] is jpg, while $split_values[0] is jpg and $split_values[1] is allow.
An if then checks the relationship between them.
Then move_uploaded_file() moves our xsser.jpg into this directory:
$user_dat['usrdir'] . "/" . $_FILES[$whichfile]['name']
This directory is created from our registered user name: if the user is xsser, the directory is xsser.
if (move_uploaded_file($_FILES[$whichfile]['tmp_name'], $user_dat['usrdir'] . "/" . $_FILES[$whichfile]['name']))
If xsser.jpg is successfully moved into the xsser directory, this returns true.
Then rename() renames xsser.jpg:
rename($user_dat['usrdir'] . "/" . $_FILES[$whichfile]['name'], $user_dat['usrdir'] . "/" . $split_img[0] . "." . strtolower($split_img[1]));
The strtolower() function converts the file suffix to lowercase.
So far there is no problem, but the problem lies in the rename:
In Windows, renaming a file fails in two situations:
1. The target file name already exists (file names cannot repeat).
2. The file name contains special characters.
Let's look at the check:
if ($split_values[0] == strtolower($split_img[1]) && $split_values[1] == "allow")
We upload xsser.jpg.php:
$split_img[1] is jpg, $split_img[0] is xsser, and our $split_img[2] is php. The if never examines $split_img[2], so the bypass succeeds.
The rename below then renames xsser.jpg.php:
rename($user_dat['usrdir'] . "/" . $_FILES[$whichfile]['name'], $user_dat['usrdir'] . "/" . $split_img[0] (xsser) . "." . strtolower($split_img[1]) (jpg));
// The values in parentheses above are my comments.
What if we upload it twice?
First upload xsser.jpg.php -> renamed to xsser.jpg.
Next, upload xsser.jpg.php again -> rename to xsser.jpg -> but that file already exists, so it cannot be renamed -> xsser.jpg.php appears!!!
5) The programmer's incorrect understanding of empty()
Only_guest
$nameExt = strtolower($COMMON->getFileExtName($_FILES['filedata']['name']));
$allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
if (!in_array($nameExt, $allowedType)) { $msg = 0; }
if (empty($msg)) {
    $filename = getmicrotime() . '.' . $nameExt;
    $file_url = urlencode($CONFIG->baseUrl . 'data/files/' . $date . "/" . $filename);
    $filename = $dest . $filename;
........................................
$msg = 0, and then if (empty($msg)). The programmer misunderstands empty(): they think of it in terms of 0 -> false and 1 -> true. But the empty() function only checks whether its argument counts as empty, and $msg = 0 obviously does (empty(0) is true), so the disallowed file is still saved... Sorry....
6) Program defect 1:
Jannock
Code:
$filename = paramsFmt(urldecode($_GET["filename"])); // filename is completely controllable!
.............................
Then:
$nameExt = strtolower($COMMON->getFileExtName($_FILES['file']['name']));
$unallowedType = array('php', 'jsp', 'asp', 'sh', 'pl', 'js', 'jar', 'jad', 'class', 'java');
if (in_array($nameExt, $unallowedType)) {
    if ($ft == '1') {
        echo 'pe';
    } else if ($ft == '2') {
        echo 'fe';
    }
    exit;
}
Fine, the program does check the file we upload.
...................................
$filenameNew = $dest . $filename; // completely controllable
if (empty($_FILES["file"]['error'])) {
    move_uploaded_file($_FILES["file"]["tmp_name"], $filenameNew); // uploaded
........................................
Sorry. We can assign $_GET["filename"] directly, so this is a straightforward overwrite bypass~~~~~
7) Defects:
Brother Ghost's UFIDA software, exploited again
xxx.php. can be parsed as php; this bypasses checks that explode the name into an array and verify it, and some systems resolve xx.php. as php.
Fix: check whether the last character is
On some Windows systems you can use xx.php followed by a space -> Windows ignores the space in the name, so we may also bypass some of their defenses!
PHP truncation upload
xxx.php(null).jpg, ice.php000000.gif (%00 is the truncation character; this requires GPC = Off and a PHP version that supports it)
What if GPC is on or the PHP version is high? Reference: change HEX 20 to 00.
Some Java programs use the same method as PHP, but in Java the null byte is not restricted, haha.
Some upload vulnerabilities (suffixes that still get parsed):
php3 php4 php5 php7
PHP
PHP3
phtml
PHp -> case sensitivity
pphphp -> (filtered) -> php
There are some amazing formats I have heard about:
x."php", x.'php. The .htaccess file is awesome; it works with CGI programs:
<FilesMatch "_php.gif">
SetHandler application/x-httpd-php
</FilesMatch>
With the file suffix modified, shell.php.gif is parsed as php!
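The defects in sections 1 and 4 to 7 share one root: the saved path and the accepted suffix are derived from client-controlled strings. As an added example (not code from the original post or from any program it names), here is one save routine that handles all of them; save_upload(), ALLOWED_EXT and $baseDir are names assumed for this example.

```php
<?php
// Added example, not code from the original post or from any program it names.
// One save routine that closes the holes from sections 1 and 4 to 7; the names
// save_upload(), ALLOWED_EXT and $baseDir are assumptions made for this example.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'bmp'];

function save_upload(array $file, string $baseDir): string
{
    // 'error' is an upload status code, and only UPLOAD_ERR_OK (0) is success.
    // Compare strictly: empty()/loose tests on a flag are what broke section 5.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // Section 4: judge the LAST suffix only. "xsser.jpg.php" yields "php";
    // section 7's "xsser.php." yields "" and "xsser.php " yields "php" after
    // rtrim(); all three are rejected by the whitelist below.
    $ext = rtrim(strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)), ". ");
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('suffix not allowed');
    }

    // Section 1: a forged GIF89a header passes getimagesize(), so this is a
    // sanity check on the content, not the gate. The whitelist is the gate.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an image');
    }

    // Section 6: the destination name is generated here. Nothing from $_GET
    // or from the client-supplied name reaches the path, so "%00", ".." or a
    // caller-chosen filename cannot redirect or overwrite the write.
    $dest = rtrim($baseDir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (file_exists($dest)) {
        throw new RuntimeException('name collision');
    }

    // Section 4: move once, straight to the final name. With no second
    // rename() step there is no moment where "xsser.jpg.php" sits on disk,
    // and a failed move is an error, not a file left under its original name.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    return $dest;
}
// Usage in a handler: $path = save_upload($_FILES['userfile'], '/var/www/uploads');
// Serve $baseDir with PHP disabled and AllowOverride None, so a dropped
// .htaccess like the one in section 7 changes nothing.
```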
Rant about WB.
Wonderful comments:
Hacx |
@_Error
<?php
if (FALSE != strrpos('jpg', 'php')) {
    echo "true";
} else {
    echo "ORZ";
}
?>
http://php.net/manual/zh/function.strrpos.php
(PHP 4, PHP 5)
strrpos - Find the position of the last occurrence of a substring in a string
int strrpos(string $haystack, string $needle [, int $offset = 0])
Returns the numeric position of the last occurrence of needle in the haystack string. Note that in PHP 4, needle could only be a single character; if needle was given as a string, only its first character was used.