Websites provide an upload function; it is found on many sites, including shopping malls, forums and the common network disk (file hosting) sites. On the Internet we often hear that a certain site has an upload vulnerability, or that a certain open source project has an upload vulnerability. Ever since dynamic web applications appeared, upload vulnerabilities have kept showing up in all kinds of systems, like ghosts. Why do upload vulnerabilities appear so frequently? Moreover, some systems have been patched repeatedly and still not fixed! In fact, the root of the problem lies in how uploading itself works. Let's first take a look at the upload process.
Analysis of the upload process on a website
```php
<?php
// The HTML form that was echoed here was lost in extraction; the form below is
// a minimal reconstruction (assumed): a multipart POST with one file field.
echo '<form method="post" enctype="multipart/form-data"><input type="file" name="file"><input type="submit" value="upload"></form>';
var_dump($_FILES); // prints name, type, tmp_name, error and size for each uploaded file
```
The above is a simple test page; let's take a look at what it prints.
Let’s analyze it:
name is the file name the user selected when uploading.
type is the file type. Where does this type come from? Haha, this is the critical point. Many readers assume it is generated automatically by the server. If you think so, I admit it is plausible: PHP wraps the upload handling, and it looks as if it comes with its own class library. But think about it from the other side: whatever file you choose, it carries a format type. Following that thought, we infer that this value may also come from user input. Let's capture the packet and look at our type.
The type value also comes from user input.
size is the file size, which the program calculates automatically, just as we would all expect.
So what is the point of saying all this?
I think some friends have already started asking what the connection is between the file fields analyzed above and upload vulnerabilities in development. In fact, think back to what was said above: a file name attribute, name, and a file type attribute, type. Both are used all the time when we store files on our server and process them on the back end. As a developer, whenever you use these two variables you must keep applying the principle that "all input is harmful". Treat them like any other GET and POST variables: check and filter every input variable.
What we usually do is restrict the user to uploading a file in a certain format and then save it in that format. The analysis has reached this point, and there are many areas that still need further analysis. Today I will only give an outline; next we will analyze these three common types of vulnerability.
1. Generating the stored file from the user's file name without strict filtering of special characters, resulting in a file-generation vulnerability
2. When moving the file into its directory, the wrong directory is produced because the file name passed in by the user is concatenated into the path
3. Trusting the type supplied by the user and directly saving the file under the user's file name
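To make the three points concrete, here is an added example (not code from the original post) of a hardened handler for the test form above, applying "all input is harmful" to name and type. The field name "file", the directory UPLOAD_DIR and the allowed-type table are assumptions of this example.

```php
<?php
// Added example, not code from the original post. Assumed names: form field
// "file", storage directory UPLOAD_DIR, and the ALLOWED table below.
const UPLOAD_DIR = __DIR__ . '/uploads';
// Server-detected MIME type (from the file bytes) => extension we will write.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Weak pattern the article describes, kept only as a comment:
//   move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $f['name']);
// Both name and type in $_FILES are copied straight from the client's request.

// Vulnerability 1: if the original name must be kept (e.g. for display),
// reduce it to a basename with a strict character whitelist.
function safe_original_name(string $name): string
{
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');             // no hidden files, no "..", no empty name
    return $name === '' ? 'unnamed' : substr($name, 0, 100);
}

function handle_upload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Vulnerability 3: decide the type from the bytes, never from $f['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('rejected type ' . $mime);
    }
    // Vulnerability 2: the stored path is built only from values we generate,
    // so no user-controlled string is ever concatenated into it.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!is_dir(UPLOAD_DIR) || !move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // The sanitized original name is returned for display or a database
    // record; it is never used as the filesystem name.
    return $stored . ' (original: ' . safe_original_name($f['name']) . ')';
}

if (isset($_FILES['file'])) {
    echo htmlspecialchars(handle_upload($_FILES['file']));
}
```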