This article introduces the file upload vulnerability in PHP web sites. When the code that implements file upload does not strictly restrict the suffix and type of the files a user may upload, an attacker can upload arbitrary PHP files to a directory that is reachable through the web. If those files are then passed to the PHP interpreter, the attacker can execute any PHP script on the remote server. This is the file upload vulnerability.
Web applications generally provide a file upload function so that visitors can upload files.
Below is a simple file upload form:
- <form action="upload.php" method="POST" enctype="multipart/form-data" name="Form1">
- <!-- MAX_FILE_SIZE must come before the file field for PHP to apply it -->
- <input type="hidden" name="MAX_FILE_SIZE" value="1024x768" />
- <input type="file" name="file1" /><br />
- <input type="submit" value="upload file" />
- </form>
In the PHP configuration file php.ini, the option upload_max_filesize specifies the maximum size of a file that may be uploaded; the default is 2M.
The $_FILES array variable
PHP makes uploaded files available through the variable $_FILES, which is an array. If you upload test.txt, the contents of the $_FILES array are:
- $_FILES
- Array
- (
- [file] => Array
- (
- [name] => test.txt //file name
- [type] => text/plain //MIME type
- [tmp_name] => /tmp/php5d.tmp //temporary file
- [error] => 0 //error code
- [size] => 536 //file size, in bytes
- )
- )
If the name attribute of the file upload field is file:
- <input type="file" name="file" />
Then use $_FILES['file']['name'] to get the name of the file uploaded by the client, without the path. Use $_FILES['file']['tmp_name'] to get the path of the temporary file in which the server saved the upload.
The folder where the uploaded files are stored
PHP does not place the uploaded file directly in the root directory of the site. It saves it as a temporary file whose name is the value of $_FILES['file']['tmp_name'], and the developer must copy this temporary file into a folder of the site.
The value of $_FILES['file']['tmp_name'] is set by PHP and is not the same as the original name of the file; the developer must use $_FILES['file']['name'] to get the original name of the uploaded file.
Error message when uploading a file
The $_FILES['file']['error'] variable holds the error code for the upload. Its values are as follows:

| Constant | Value | Description |
| --- | --- | --- |
| UPLOAD_ERR_OK | 0 | No errors |
| UPLOAD_ERR_INI_SIZE | 1 | The size of the uploaded file exceeds the php.ini setting |
| UPLOAD_ERR_FORM_SIZE | 2 | The size of the uploaded file exceeds the MAX_FILE_SIZE value in the HTML form |
| UPLOAD_ERR_PARTIAL | 3 | Only part of the file was uploaded |
| UPLOAD_ERR_NO_FILE | 4 | No file was uploaded |

File Upload Vulnerability
If you let site visitors upload pictures, be aware that what a visitor uploads may not be a picture at all but a PHP program. If the directory where the pictures are stored is openly accessible, an intruder can execute the uploaded PHP file remotely to carry out an attack.
Here is an example of a simple file upload:
- <?php
- // Set the directory where files are uploaded
- $uploaddir = "d:/www/images/";
- // Check whether a file was uploaded
- if (isset($_FILES['file1']))
- {
- // The full path in the site directory, including the file name
- $uploadfile = $uploaddir . $_FILES['file1']['name'];
- // Move the temporary file stored by the server to that path
- move_uploaded_file($_FILES['file1']['tmp_name'], $uploadfile);
- }
- ?>
- ......
- <form method="POST" enctype="multipart/form-data" name="Form1">
- <input type="hidden" name="MAX_FILE_SIZE" value="1024x768" />
- <input type="file" name="file1" /><br />
- <input type="submit" value="upload file" />
- </form>
This example does not verify the file suffix, so arbitrary files can be uploaded; this is clearly an upload vulnerability.
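For comparison, a hardened counterpart of the handler above, as an added example that is not code from the original article. It keeps the article's `file1` field and `d:/www/images/` directory; the `store_upload` function, the JPEG/PNG/GIF allowlist and the random file names are assumptions made for illustration.

```php
<?php
// Added example, not code from the original article.
// Assumptions: only JPEG/PNG/GIF images are wanted, the fileinfo extension
// is enabled, and files are stored under server-generated names.

// Validates one $_FILES entry, moves it into $uploaddir, returns stored name.
function store_upload(array $file, string $uploaddir): string
{
    $allowed = [                 // detected MIME type => extension we assign
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    // Reject multi-file (array-valued) entries and any non-zero error code.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or malformed');
    }

    // Suffix check on the client-supplied name, which is never used on disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new RuntimeException('file suffix not allowed');
    }

    // Type check on the content; $file['type'] is sent by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset($allowed[$mime])) {
        throw new RuntimeException('content is not an allowed image type');
    }

    // Random name plus allowlisted extension: never saved as *.php.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $uploaddir . $name)) {
        throw new RuntimeException('could not store upload');
    }
    return $name;
}

if (isset($_FILES['file1'])) {
    try {
        $stored = store_upload($_FILES['file1'], 'd:/www/images/');
        echo 'stored as ', $stored;
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```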