A Brief Discussion on vulnerability on web and its Principle Analysis and Prevention Methods (Vulnerability detection of file name)

  • 2020-06-23 00:02:10
  • OfStack

In the preceding article, < A Brief Discussion on web vulnerability and its principle analysis and Prevention methods (Storage method for security documents) >, we already established that the back end reads server variables, many of which are passed in from the client; in this respect there is no difference between GET and POST. Let's take a look at a common piece of vulnerable code.
1. Detect the file type, then save the file under the user-supplied file name

<?php
if(isset($_FILES['img']))
{
    $file = save_file($_FILES['img']);
    if($file===false) exit(' Save failed! ');

    echo " Save successfully! ",$file;
}

function check_file($img)
{
    /// Read the file
    if($img['error']>0) return false;

    $tmpfile = $img['tmp_name'];
    $filename = $img['name'];

    /// Read the file extension
    $len=strrpos($filename,".");
    if($len===false) return false;

    // Get the extension (everything after the rightmost ".")
    $ext = strtolower(substr($filename,$len+1));
    if(!in_array($ext,array('jpg','jpeg','png'))) return false;
    return true;
}

function save_file($img)
{
    if(!check_file($img)) return false;

    // Format detection ok, ready to move the data
    // (vulnerable: the client-supplied name is used as-is on disk)
    $filename = $img['name'];
    $newfile = "upload/" .$filename;
    if(!move_uploaded_file($img["tmp_name"],$newfile)) return false;

    return $newfile;
}
?>

In the code above, the input type is checked as well, and at first glance there is no problem. The problem, however, lies precisely in the handling of the retrieved file name: the incoming file name is taken directly and used as the name the file is saved under. Some readers will say: the file ends up on my machine, and the format of a file name is limited by the operating system's definition of what a file name may be. It is important to note, however, that the variable fetched from $_FILES comes straight from the HTTP request; it is obtained in exactly the same way as any other GET or POST variable. As a result, people with ulterior motives will often impersonate a browser and send a specially crafted file name to the server, and when you save the file, it is stored in the format they chose.

In earlier years, a "\0" inside a string used as a file name would automatically truncate everything after it. For example, suppose $filename is constructed as "a.php\0.jpg"; let's think about what happens.
$newfile becomes "upload/a.php\0.jpg". Because extension validation looks only at the text after the rightmost ".", the "jpg" that follows it is accepted as an allowed image format. But save the file under that name, and what appears on disk is a.php in the upload directory: "\0" and every character after it are dropped automatically.

This bug was widespread for a time; back then almost all websites had it, and for a while many platforms were shut down because of it. The root cause is exactly this: we take the file name we receive and use it as the final generated file name. A better approach is to generate a random file name yourself and append only the extension read from the upload. That way, special characters in the input that would be discarded or truncated while the file is saved never reach the file system.
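As an added example, not code from the original article: a hardened replacement for save_file() that follows the advice above, using a server-generated random basename plus a whitelisted extension, and rejecting any client name that contains "\0" or a path separator. The helper names, constants and upload directory are assumptions for this example.

```php
<?php
// Added example (not from the original article): a hardened replacement for
// save_file(). The client name is used only to pick a whitelisted extension;
// the on-disk basename is generated by the server. Names containing "\0" or
// path separators are rejected before anything reaches move_uploaded_file().
// UPLOAD_DIR, ALLOWED_EXT and the function names are assumptions.

const UPLOAD_DIR = __DIR__ . '/upload';
const ALLOWED_EXT = ['jpg', 'jpeg', 'png'];

// Returns the lower-cased whitelisted extension, or null if the client name is unacceptable.
function safe_extension(string $client_name): ?string
{
    // Reject control bytes (including "\0") and path separators up front.
    if (preg_match('/[\x00-\x1f\/\\\\]/', $client_name)) return null;
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;
}

// Builds the server-chosen file name: random basename + validated extension.
function generated_name(string $client_name): ?string
{
    $ext = safe_extension($client_name);
    if ($ext === null) return null;
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Returns the saved path, or false on any failure.
function save_file_safe(array $img)
{
    if ($img['error'] !== UPLOAD_ERR_OK) return false;
    // Only accept a temp file that really came from this request's upload.
    if (!is_uploaded_file($img['tmp_name'])) return false;
    // Check the content, not just the name: the data must decode as an image.
    if (getimagesize($img['tmp_name']) === false) return false;
    $name = generated_name($img['name']);
    if ($name === null) return false;
    $newfile = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($img['tmp_name'], $newfile)) return false;
    return $newfile;
}

// Illustration with constructed client names (no real upload needed):
var_dump(safe_extension("a.php\0.jpg"));   // NULL: null byte rejected
var_dump(safe_extension("../x.jpg"));      // NULL: path separator rejected
var_dump(safe_extension("photo.JPG"));     // string(3) "jpg"
```

The generated name never contains any byte from the client, so whatever the file system does with "\0" or other special characters no longer matters.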

This vulnerability could be exploited in the PHP 4 era. In the PHP 5 era, "\0" is automatically filtered out of the generated file name value, so whatever special "\0" file name the user constructs gets truncated. At present, however, this kind of vulnerability still turns up in ASP, JSP and other sites, and it keeps coming up; sites running older versions of PHP also show it frequently.
OK, that's it for today; there are two other common methods, which will be given later. Comments and exchange are welcome!
