漏洞描述
开发中文件上传功能很常见,作为开发者,在完成功能的基础上我们一般也要做好安全防护。
文件处理一般包含两项功能,用户上传和展示文件,如上传头像。
文件上传攻击示例
upload.php
<"File is valid, and was successfully uploaded.\n"; } else { echo "File uploading failed.\n"; } "htmlcode"><form name="upload" action="upload1.php" method="POST" ENCTYPE="multipart/formdata"> Select the file to upload: <input type="file" name="userfile"> <input type="submit" name="upload" value="upload"> </form>上述代码未经过任何验证,恶意用户可以上传php文件,代码如下
<"htmlcode">
<"image/gif") {//获取Http请求头信息中ContentType echo "Sorry, we only allow uploading GIF images"; exit; } $uploaddir = 'uploads/'; $uploadfile = $uploaddir.basename($_FILES['userfile']['name']); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)){ echo "File is valid, and was successfully uploaded.\n"; } else { echo "File uploading failed.\n"; } "userfile"; filename="shell.php"
Content-Type: image/gif图片类型验证
该方法通过读取文件头中文件类型信息,获取文件类型
备注:如JPEG/JPG文件头标识为FFD8
upload.php
<"Sorry, we only accept GIF and JPEG images\n"; exit; } $uploaddir = 'uploads/'; $uploadfile = $uploaddir . basename($_FILES['userfile']['name']); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)){ echo "File is valid, and was successfully uploaded.\n"; } else { echo "File uploading failed.\n"; } "text-align: center">文件扩展名验证
通过黑名单或白名单对文件扩展名进行过滤,如下代码
upload.php
<".php", ".phtml", ".php3", ".php4"); foreach ($blacklist as $item) { if(preg_match("/$item\$/i", $_FILES['userfile']['name'])) { echo "We do not allow uploading PHP files\n"; exit; } } $uploaddir = 'uploads/'; $uploadfile = $uploaddir . basename($_FILES['userfile']['name']); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)){ echo "File is valid, and was successfully uploaded.\n"; } else { echo "File uploading failed.\n"; } "htmlcode"><"File is valid, and was successfully uploaded.\n"; } else { echo "File uploading failed.\n"; } "htmlcode"><"htmlcode"><"upload_"); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { $db =& DB::connect("mysql://username:password@localhost/database"); if(PEAR::isError($db)) { unlink($uploadfile); die "Error connecting to the database"; } $res = $db->query("INSERT INTO uploads SET name=", array(basename($uploadfile,basename($_FILES['userfile']['name']),$_FILES['userfile']['type'])); if(PEAR::isError($res)) { unlink($uploadfile); die "Error saving data to the database. The file was not uploaded"; } $id = $db->getOne('SELECT LAST_INSERT_ID() FROM uploads'); echo "File is valid, and was successfully uploaded. You can view it <a href=\"view.php">here</a>\n"; } else { echo "File uploading failed.\n"; } "htmlcode"><"File id must be numeric"); } $db =& DB::connect("mysql://root@localhost/db"); if(PEAR::isError($db)) { die("Error connecting to the database"); } $file = $db->getRow('SELECT name, mime_type FROM uploads WHERE id="Error fetching data from the database"); } if(is_null($file) || count($file)==0) { die("File not found"); } header("Content-Type: " . $file['mime_type']); readfile($uploaddir.$file['name']); ?>上述代码文件名随机更改,文件被存储在web root之外,用户通过id在数据库中查询文件名,读取文件,可以有效的阻止上述漏洞发生
总结
通过以上示例分析,可总结一下几点
1.文件名修改,不使用用户上传的文件名
2.用户不可以通过上传路径直接访问文件
3.文件查看采用数据库获取文件名,从而在相应文件服务器读取文件
4.文件上传限制文件大小,个人上传数量等
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持。
广告合作:本站广告合作请联系QQ:858582 申请时备注:广告合作(否则不回)
免责声明:本站资源来自互联网收集,仅供用于学习和交流,请遵循相关法律法规,本站一切资源不代表本站立场,如有侵权、后门、不妥请联系本站删除!暂无评论...
更新日志
2024年11月27日
2024年11月27日
- 凤飞飞《我们的主题曲》飞跃制作[正版原抓WAV+CUE]
- 刘嘉亮《亮情歌2》[WAV+CUE][1G]
- 红馆40·谭咏麟《歌者恋歌浓情30年演唱会》3CD[低速原抓WAV+CUE][1.8G]
- 刘纬武《睡眠宝宝竖琴童谣 吉卜力工作室 白噪音安抚》[320K/MP3][193.25MB]
- 【轻音乐】曼托凡尼乐团《精选辑》2CD.1998[FLAC+CUE整轨]
- 邝美云《心中有爱》1989年香港DMIJP版1MTO东芝首版[WAV+CUE]
- 群星《情叹-发烧女声DSD》天籁女声发烧碟[WAV+CUE]
- 刘纬武《睡眠宝宝竖琴童谣 吉卜力工作室 白噪音安抚》[FLAC/分轨][748.03MB]
- 理想混蛋《Origin Sessions》[320K/MP3][37.47MB]
- 公馆青少年《我其实一点都不酷》[320K/MP3][78.78MB]
- 群星《情叹-发烧男声DSD》最值得珍藏的完美男声[WAV+CUE]
- 群星《国韵飘香·贵妃醉酒HQCD黑胶王》2CD[WAV]
- 卫兰《DAUGHTER》【低速原抓WAV+CUE】
- 公馆青少年《我其实一点都不酷》[FLAC/分轨][398.22MB]
- ZWEI《迟暮的花 (Explicit)》[320K/MP3][57.16MB]