Patch PHP Arbitrary File Upload
Monday, 10 December 2018
Most websites that are vulnerable to this have an upload script that broadly looks like the following.
A simple example is the upload.php below:
```php
<?php
// Vulnerable version: the file is stored under its original name with no type check
$uploaddir = 'uploads/'; // Relative path under webroot
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>
```
An example of the form used in the index file for the upload:
```html
<form name="upload" action="upload.php" method="POST" enctype="multipart/form-data">
  Select the file to upload: <input type="file" name="userfile">
  <input type="submit" name="upload" value="upload">
</form>
```
There is no code here that filters the file type, so we can upload shell.php directly.
The patch is to add a file-type filter to the script so that shell.php is refused.
For example:
```php
<?php
// 'type' is the MIME type reported by the browser for the uploaded file
if ($_FILES['userfile']['type'] != "image/gif") {
    echo "Sorry, we only allow uploading GIF images";
    exit;
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>
```
"image/gif" can be replaced to suit your needs, for example "image/jpeg" and so on.
Let's look at the upload request and response behind the scenes:
```
POST /upload.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: localhost
User-Agent: libwww-perl/5.803
Content-Type: multipart/form-data;
Content-Length: 156

Content-Disposition: form-data; name="userfile"; filename="shell.php"

HTTP/1.1 200 OK
Date: Thu, 31 May 2007 13:54:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.2-pl6-gentoo
Connection: close
Content-Type: text/html

Sorry, we only allow uploading GIF images
```
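A stricter version of the filter above, as an added example that is not from the original post: `$_FILES['userfile']['type']` is a value the client sends, so this handler determines the type from the file content on the server and chooses the stored name and extension itself. The allow-list, the size limit and the availability of PHP's fileinfo extension are assumptions; the field name and upload directory follow the page.

```php
<?php
// Added example (not the original author's code).
// Assumed values: the allow-list and the size cap below.
$allowed  = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];
$maxBytes = 2 * 1024 * 1024;

function fail(int $status, string $msg): void {
    http_response_code($status);
    exit($msg . "\n");
}

$file = $_FILES['userfile'] ?? null;

// Reject missing fields, array-style fields (userfile[]) and PHP upload errors.
if ($file === null || !is_int($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
    fail(400, 'File uploading failed.');
}
if (!is_uploaded_file($file['tmp_name']) || $file['size'] > $maxBytes) {
    fail(400, 'File uploading failed.');
}

// Detect the MIME type from the file's bytes instead of trusting $file['type'].
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
$ext  = is_string($mime) ? ($allowed[$mime] ?? null) : null;

// The content must also parse as an image.
if ($ext === null || @getimagesize($file['tmp_name']) === false) {
    fail(415, 'Sorry, we only allow uploading GIF, JPEG or PNG images');
}

// The server picks the name and extension, so the client-supplied name
// (for example shell.php) never reaches the filesystem.
$uploaddir  = __DIR__ . '/uploads/';
$uploadfile = $uploaddir . bin2hex(random_bytes(16)) . '.' . $ext;

if (!move_uploaded_file($file['tmp_name'], $uploadfile)) {
    fail(500, 'File uploading failed.');
}
echo "File is valid, and was successfully uploaded.\n";
```

Keeping the upload directory outside the webroot, or configuring the web server not to execute scripts in it, complements this check.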
Happy Patching :)