Web-stored Vulnerabilities and principles analysis, prevention methods (file name detection vulnerability)

We passed the previous: <web on the existence of loopholes and principles of analysis, prevention methods (security file storage method), has been known back-end to obtain server variables, many from the client incoming. It's no different from ordinary get,post. Let's take a look at the Common Vulnerability Code.
1. Detect file type and save with user's filename

Copy Code code as follows:


if (isset ($_files[' img '))


{


$file = save_file ($_files[' img '));


if ($file ===false) exit (' Save failed! ');





echo "Save success!" ", $file;


}


function Check_file ($img)


{


///Read Files


if ($img [' Error ']&gt;0] return false;





$tmpfile = $img [' Tmp_name '];


$filename = $img [' name '];








///Read the file name extension


$len =strrpos ($filename, ".");


if ($len ===false) return false;





//Get extension


$ext = Strtolower (substr ($filename, $len + 1));


if (!in_array ($ext, array (' jpg ', ' jpeg ', ' png ')) return false;


return true;


}


function Save_file ($img)


{


if (!check_file ($IMG)) return false;





//Format detection OK, ready to move data


$filename = $img [' name '];


$newfile = "upload/". $filename;


if (!move_uploaded_file ($img ["Tmp_name"], $newfile)) return false;





return $newfile;


}


?&gt;

The above code, the input type also made a judgment, see no problem. However, the problem is precisely the detection of the user name variables obtained. Get the incoming user name directly, and then save as a file. Some friends will say: These file names are in My Computer, the file name format is limited by the operating system on the definition of the file name. However, it is necessary to note that for $_files to get the variable, it is directly from the HTTP request request. It is the same as normal access to other get,post variables. Therefore, people with ulterior motives often simulate their own browsers and send a special file name to the server. Then, when you save the file, you can normally save it in your own format.

Some years ago, in a string, saving as a file automatically truncates the following. For example: $filename construction: "A.php.jpg", we think, what will become?
$newfile = "upload/a.php.jpg" because, to verify the extension, the rightmost "." The back character is JPG, which is the allowed picture format. But we save it as a file name. The discovery disk generates a.php below the upload directory, and all subsequent characters are automatically truncated.

The vulnerability, rage. At that time, almost all of the sites had loopholes. For a while, many platforms were shut down and stored. In fact, the root cause is here. We got the filename and saved it as the final generated file name. The good way is to randomly generate the filename + read the extension. This allows the organization to enter special characters that are discarded or truncated when the file is saved.

The vulnerability of the PHP4 era can be exploited, and in the php5 era, the generated variable file name values automatically filter out "" so that no matter what the user constructs the special "" User name will be truncated. However, at present such vulnerabilities, such as sites in asp,jsp. There are also frequent occurrences. The old version of the PHP site will also appear frequently.
OK, here we go today, and there are 2 other common methods behind it. Welcome to the Exchange!