Shulou(Shulou.com)06/03 Report--

This article will explain in detail how to detect vulnerabilities through file names in web. The editor thinks it is very practical, so I share it with you as a reference. I hope you can get something after reading this article.

1. Detect the file type and save it with the user's saved file name

The code is as follows:

If (isset ($_ FILES ['img']))

{

$file = save_file ($_ FILES ['img'])

If ($file===false) exit ('upload failed!')

Echo "saved successfully!" , $file

}

Function check_file ($img)

{

/ read the file

If ($img ['error'] > 0) return false

$tmpfile = $img ['tmp_name']

$filename = $img ['name']

/ read the file extension

$len=strrpos ($filename, ".")

If ($len===false) return false

/ / get the extension

$ext = strtolower (substr ($filename,$len+1))

If (! in_array ($ext,array ('jpg','jpeg','png') return false

Return true

}

Function save_file ($img)

{

If (! check_file ($img)) return false

/ / format check ok, ready to move data

$filename = $img ['name']

$newfile = "upload/". $filename

If (! move_uploaded_file ($img ["tmp_name"], $newfile)) return false

Return $newfile

}

? >

The above code, also made a judgment on the input type, there is no problem. However, the problem does arise precisely in the detection of the acquired username variables. Get the incoming user name directly and save it as a file. Some friends will say: these file names exist in my computer, and the file name format is limited by the definition of the file name by the operating system. However, it is important to note that for getting variables in $_ FILES, it comes directly from the http request request. It is the same as getting other get,post variables normally. Therefore, people with ulterior motives tend to simulate the browser themselves and send a special file name to the server. Then, when you save the file, you can save it in your own format.

In previous years, "\ 0" was saved as a file in a string and truncated automatically. For example, $filename is constructed as "a.php\ 0.jpg". Let's think about it, what will it become?

$newfile = "upload/a.php\ 0.jpg" because, for extension validation, rightmost "." The following character is jpg, which is allowed for picture format. However, we save as soon as we use the file name. It is found that the disk will generate a.php under the upload directory, and all characters after\ 0 will be truncated automatically.

The loophole was all the rage for a while. At that time, almost most of the web sites had loopholes. For a while, many platforms have been closed for uploading. In fact, this is the root cause. We got the file name and saved it as the final generated file name. A good way is to randomly generate the file name + read the extension. This allows you to organize the input of special characters that are discarded or truncated when the file is saved.

This vulnerability in the php4 era can be exploited. In the php5 era, the generated variable file name value will automatically filter out the "\ 0", so that no matter what special "\ 0" user name the user constructs, it will be truncated. However, currently such vulnerabilities are available on sites such as asp,jsp. And it shows up all the time. Older versions of php sites also appear frequently.

This is the end of the article on "how to detect vulnerabilities through file names in web". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.