PHP Vulnerability Full Solution (ix)-File Upload Vulnerability

Source: Internet
Author: User

This article mainly introduces the file upload vulnerability for PHP Web site. Because the file Upload function implementation code does not strictly restrict the user to upload the file suffix and file type, which allows an attacker to upload arbitrary php files to a directory that can be accessed through the WEB, and the ability to pass these files to the PHP interpreter, you can execute any PHP script on the remote server, that is, file upload vulnerability.

A set of Web applications, generally provides the ability to upload files, so that visitors can upload some files.

Below is a simple file upload form

  1. <form action="upload.php" method="POST" enctype="Multipart/form-data" name= "Form1">
  2. <input type="file" name="file1" /><br />
  3. <input type="Submit" value= "upload file" />
  4. <input type="hidden" name="max_file_size" value="1024x768" />
  5. Form>

PHP configuration file php.ini, where option upload_max_filesize specifies the file size allowed to upload, default is 2M

$_files Array Variables

PHP uses variable $_files to upload a file, $_files is an array. If you upload Test.txt, the contents of the $_files array are:

    1. $FILES
    2. Array
    3. {
    4. [File] = Array
    5. {
    6. [Name] = test.txt //file name
    7. [Type] = Text/plain //mime type
    8. [Tmp_name] =/tmp/php5d.tmp //Temp file
    9. [ERROR] = 0 //error message
    10. [Size] = 536 //File size, Unit bytes
    11. }
    12. }

If the Upload file button's Name property value is file

    1. <input type="file" name="file" />

Then use $_files[' file ' [' name '] to get the client upload file name, without the path. Use $_files[' file ' [' Tmp_name '] to obtain a temporary file path for the server to save the uploaded file

The folder where the uploaded files are stored

PHP does not directly place the upload file in the root directory of the site, but rather as a temporary file, the name is $_files[' file ' [' Tmp_name '] value, the developer must copy this temporary file into the folder of the site.

The value of $_files[' file ' [' Tmp_name '] is set by PHP and is not the same as the original name of the file, and the developer must use $_files[' file ' [' name '] to get the original name of the uploaded file.

Error message when uploading a file

The $_files[' file ' [' ERROR '] variable is used to save the error message when uploading the file, and its value is as follows:

Error message Numerical Description
Upload_err_ok 0 No errors
Upload_err_ini_size 1 The size of the uploaded file exceeds the php.ini setting
Upload_err_from_size 2 The size of the uploaded file exceeds the max_file_size value in the HTML form
Upload_err_partial 3 Upload only part of the file
Upload_err_no_file 4 No file Upload

File Upload Vulnerability

If you provide a site visitor the ability to upload pictures, you must be careful that the visitors upload the actual may not be a picture, but can specify the PHP program. If the directory where the picture is stored is an open folder, the intruder can execute the uploaded php file remotely for an attack.

Here is an example of a simple file upload:

  1. Php
  2. Set the directory where files are uploaded
  3. $Uploaddir = "d:/www/images/";
  4. Check if file exists
  5. if (Isset ($_files[' file1 '))
  6. {
  7. The full path to be placed in the site directory, including the file name
  8. $uploadfile = $uploaddir. $_files[' file1 ' [' name '];
  9. Move server-stored path to real file name
  10. Move_uploaded_file ($_files[' file1 ' [' tmp_name '], $uploadfile);
  11. }
  12. ?>
  13. ......
  14. <form method="POST" enctype="Multipart/form-data" name="Form1">
  15. <input type="file" name="file1" /><br />
  16. <input type="Submit" value= "upload file" />
  17. <input type="hidden" name="max_file_size" value="1024x768" />
  18. Form>

This example does not verify the file suffix, can upload arbitrary files, it is obvious that the upload vulnerability

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.