Problems Caused by Improper Use of PHP Indexed Arrays with unset
Reposted from the Prophet Community https://xz.aliyun.com/t/2443
0x00 Preface
Usually the site's admin back end lets an administrator configure which attachment file types may be uploaded; in general, once logged into the back end, adding the "php" type allows a PHP file to be uploaded and a shell obtained (getshell). As developers' security awareness has increased, however, they may restrict specific file types such as PHP at the code level, sometimes by using the unset function to remove entries from the indexed array of allowed upload types, for example Array('gif', 'jpg', 'jpeg', 'bmp', 'png', 'php'). But when unset is used incorrectly, the intended filtering has no effect at all.
0x01 Issue Details
Problem Description:
Recently, while auditing the code of a CMS, I found the following back-end code that limits the allowed file upload types:
$ext_limit = $ext_limit != '' ? parse_attr($ext_limit) : '';
foreach (['php', 'html', 'htm', 'js'] as $vo) {
    unset($ext_limit[$vo]);
}
The intent is to read the allowed upload file types $ext_limit from the configuration, convert the value to an array, and then, regardless of whether an administrator added a type such as php in the back end, forcibly delete the php, html, htm and js types from the array of allowed types.
However, because unset is used improperly, the code does not achieve this purpose. Specifically, run the following code:
$ext_limit = array('gif', 'jpg', 'jpeg', 'bmp', 'png', 'php');
var_dump($ext_limit);
foreach (['php', 'html', 'htm', 'js'] as $vo) {
    unset($ext_limit[$vo]);   // no-op: the array has no key named 'php'
}
var_dump($ext_limit);
The output is as follows; as you can see, php has not been deleted:
D:\wamp\www\test.php:15:
array (size=6)
  0 => string 'gif' (length=3)
  1 => string 'jpg' (length=3)
  2 => string 'jpeg' (length=4)
  3 => string 'bmp' (length=3)
  4 => string 'png' (length=3)
  5 => string 'php' (length=3)
D:\wamp\www\test.php:19:
array (size=6)
  0 => string 'gif' (length=3)
  1 => string 'jpg' (length=3)
  2 => string 'jpeg' (length=4)
  3 => string 'bmp' (length=3)
  4 => string 'png' (length=3)
  5 => string 'php' (length=3)
Problem Analysis:
The usage of the unset function is documented on the official PHP website. In short: unset destroys a variable, or, given a key, destroys the key-value pair with that key in an array.
For a PHP indexed array, unset must be called with the numeric index of the key-value pair to be destroyed. If the argument passed to unset is not an index but a value, as with unset($ext_limit['php']) here, no key named 'php' exists, so the key-value pair whose value is php is not destroyed (and PHP raises no error, so the failure is silent).
0x03 Repair method
The defective code above is modified as follows. The main change is to enumerate the indexed array as $key => $value, compare by value, and, when the value matches, pass the corresponding key to unset so that the pair is actually destroyed.
$ext_limit = array('gif', 'jpg', 'jpeg', 'bmp', 'png', 'php');
var_dump($ext_limit);
foreach (['php', 'html', 'htm', 'js'] as $vo) {
    foreach ($ext_limit as $key => $value) {
        if ($value === $vo) {
            unset($ext_limit[$key]);   // delete by the matching numeric key
        }
    }
}
var_dump($ext_limit);
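The following script is an added example, not the CMS's own code, that puts the defective filter from the problem description beside the fix above and beside an equivalent written with array_diff. parse_attr() is the CMS's helper and is not reproduced here; parse_ext_list() is an assumed stand-in that splits a comma-separated configuration string. The case folding in filter_by_diff() is also an addition: the === comparison in the fix is case-sensitive, so a configured "PHP" would survive it.

```php
<?php
// Added example; not code from the CMS or the original article.

// Assumed stand-in for the CMS's parse_attr(): the configured value is
// taken to be a comma-separated list such as "gif,jpg,php".
function parse_ext_list(string $config): array
{
    $parts = array_map('trim', explode(',', $config));
    return array_values(array_filter($parts, fn ($p) => $p !== ''));
}

// Types the back end must never allow, as listed in the article.
const BLOCKED_EXTENSIONS = ['php', 'html', 'htm', 'js'];

// The defective filter: unset() with a value on an indexed array removes
// nothing, because the array's keys are 0, 1, 2, ... and not 'php'.
function filter_broken(array $ext_limit): array
{
    foreach (BLOCKED_EXTENSIONS as $vo) {
        unset($ext_limit[$vo]);
    }
    return $ext_limit;
}

// The article's fix: enumerate as $key => $value, match on the value,
// and unset() by the matching key. array_values() re-indexes the result
// so code that expects keys 0..n-1 keeps working after deletions.
function filter_by_key(array $ext_limit): array
{
    foreach (BLOCKED_EXTENSIONS as $vo) {
        foreach ($ext_limit as $key => $value) {
            if ($value === $vo) {
                unset($ext_limit[$key]);
            }
        }
    }
    return array_values($ext_limit);
}

// Same effect with array_diff(). The strtolower() pass is an addition so
// that "PHP" or "Php" in the configuration is removed as well.
function filter_by_diff(array $ext_limit): array
{
    $normalized = array_map('strtolower', $ext_limit);
    return array_values(array_diff($normalized, BLOCKED_EXTENSIONS));
}

// Constructed configuration value, as an administrator might save it.
$config = 'gif, jpg, jpeg, bmp, png, php, PHP';
$ext_limit = parse_ext_list($config);

echo "broken:  ", implode(',', filter_broken($ext_limit)), PHP_EOL;
echo "by key:  ", implode(',', filter_by_key($ext_limit)), PHP_EOL;
echo "by diff: ", implode(',', filter_by_diff($ext_limit)), PHP_EOL;
```

Running it shows the three behaviours side by side: filter_broken() returns the input unchanged, filter_by_key() removes the lowercase php entry but keeps the uppercase one, and filter_by_diff() removes both. Whichever form is used, the filter should run after parse_attr() and before the extension check on the uploaded file, since it only protects the array it is applied to.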
The output is as follows (the key-value pair for php has been deleted):
D:\wamp\www\test.php:15:
array (size=6)
  0 => string 'gif' (length=3)
  1 => string 'jpg' (length=3)
  2 => string 'jpeg' (length=4)
  3 => string 'bmp' (length=3)
  4 => string 'png' (length=3)
  5 => string 'php' (length=3)
D:\wamp\www\test.php:23:
array (size=5)
  0 => string 'gif' (length=3)
  1 => string 'jpg' (length=3)
  2 => string 'jpeg' (length=4)
  3 => string 'bmp' (length=3)
  4 => string 'png' (length=3)
0x04 Summary
When working with an indexed array, if you want to delete a specific key-value pair with unset, remember to enumerate the array as $key => $value, compare by value, and pass the corresponding key to unset when the value matches.
PS: Security analysis and vulnerability discovery is a contest between developers and attackers; what decides it is which side has considered the problem more thoroughly.