Vulnerabilities on the web, analysis of their principles, and prevention methods (file name detection vulnerabilities)_PHP tutorial

We have gone through the previous article: , and we already know that the backend obtains server variables, many of which are passed in from the client. It is no different from ordinary get and post. Let’s take a look at the common vulnerable codes.
1. Detect the file type and save it with the user’s file name

Copy code The code is as follows:
if(isset($_FILES['img']))
{
$file = save_file($_FILES['img']);
if($file===false) exit('Failed to save!');

echo "Save successful!",$file;
}
function check_file($img)
{
///Read file
if($img['error']>0) return false;

$tmpfile = $img['tmp_name'];
$filename = $img['name'];


///Read file extension
$len=strrpos($filename,".");
if($len===false) return false;

//Get extension
$ext = strtolower(substr($filename,$len+1));
if(!in_array($ext,array('jpg','jpeg','png'))) return false;
return true;
}
function save_file($img)
{
if(!check_file($img)) return false;

//Format detection ok, prepare to move data
$filename = $img['name'];
$newfile = "upload/" .$filename;
if(!move_uploaded_file($img["tmp_name"],$newfile)) return false;

return $newfile;
}
?>

The above code also determines the input type, and there is no problem after reading it. But the problem does occur precisely in the detection of the obtained user name variable. Get the incoming username directly and save it as a file. Some friends will say: These file names all exist in my computer, and the file name formats are limited by the operating system's definition of file names. However, it should be noted that the variables obtained in $_FILES are directly from the http request request. It is the same as getting other get and post variables. Therefore, people with ulterior motives often simulate the browser themselves and send a special file name to the server. Then, when you save the file, you can save it in your own format normally.

A few years ago, when "" was included in a string and saved as a file, the following content would be automatically truncated. For example: $filename is structured as: "a.php.jpg", let's think about it, what will it become?
$newfile = “upload/a.php.jpg” Because, for extension verification, the characters following “.” on the far right are jpg, which is an allowed image format. But once we save it with that file name. It is found that the disk will generate a.php under the upload directory, and all subsequent characters will be automatically truncated.

This vulnerability became all the rage. At that time, almost most hosting websites had loopholes. For a while, many platforms closed their deposits. In fact, this is the fundamental reason. We got the file name and saved it as the final generated file name. A good way is to randomly generate the file name + read the extension yourself. This can prevent the input of special characters that are discarded or truncated when saving the file.

This vulnerability can be exploited in the php4 era. In the php5 era, "" will be automatically filtered out of the generated variable file name value, so that no matter what special "" username the user constructs, it will be truncated. However, currently this type of vulnerability exists in asp, jsp and other sites. It still appears frequently. Older versions of php sites will also appear frequently.
Okay, let’s stop here today. There are 2 other common methods, which will be given later! Welcome to communicate!

http://www.bkjia.com/PHPjc/372330.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/372330.htmlTechArticleWe have passed the previous article: Vulnerabilities on the web, analysis of their principles, and prevention methods (methods of storing secure files). Know that the backend obtains server variables, many of which are passed in from the client. Same as ordinary...