Patch PHP Arbitrary File Upload


Most websites that are vulnerable to arbitrary file upload broadly look like this.

A simple example, upload.php, is shown below:

    <?php
    $uploaddir = 'uploads/'; // Relative path under webroot
    // The client-supplied file name is used as-is (only the directory part is stripped)
    $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
    // No check on the file type before it is moved under the webroot
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        echo "File is valid, and was successfully uploaded.\n";
    } else {
        echo "File uploading failed.\n";
    }
    ?>

An example of the form used in the index file for the upload:


    <form name="upload" action="upload.php" method="POST" enctype="multipart/form-data">
    Select the file to upload: <input type="file" name="userfile">
    <input type="submit" name="upload" value="upload">
    </form>

There is no code here that filters the file type,
so we can upload shell.php directly.

A patch that can be applied is to add a file type filter to the script, so that shell.php is refused.
For example:

    <?php
    // 'type' is the Content-Type sent with the file part of the request
    if ($_FILES['userfile']['type'] != "image/gif") {
        echo "Sorry, we only allow uploading GIF images";
        exit;
    }
    $uploaddir = 'uploads/';
    $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        echo "File is valid, and was successfully uploaded.\n";
    } else {
        echo "File uploading failed.\n";
    }
    ?>

"image/gif" can be replaced according to your needs, for example with "image/jpeg", etc.

Let's look at the upload request behind the scenes:

    POST /upload.php HTTP/1.1
    TE: deflate,gzip;q=0.3
    Connection: TE, close
    Host: localhost
    User-Agent: libwww-perl/5.803
    Content-Type: multipart/form-data;
    Content-Length: 156
    Content-Disposition: form-data; name="userfile"; filename="shell.php"

    HTTP/1.1 200 OK
    Date: Thu, 31 May 2007 13:54:01 GMT
    Server: Apache
    X-Powered-By: PHP/5.2.2-pl6-gentoo
    Connection: close
    Content-Type: text/html

    Sorry, we only allow uploading GIF images
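
A stricter variant of the filter above, as an added example that is not part of the original post: `$_FILES['userfile']['type']` is taken from the request, so this version detects the type from the file content on the server and stores the file under a generated name with an allow-listed extension. The function name `store_uploaded_image`, the allow-list and the 2 MB limit are assumptions.

```php
<?php
// Added example (not from the original post); names and limits are assumptions.

// Accepted MIME types, mapped to the extension the stored file will get.
const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];
const MAX_BYTES = 2 * 1024 * 1024; // assumed 2 MB limit

// Validate one $_FILES entry and move it into $uploaddir; null means rejected.
function store_uploaded_image(array $file, string $uploaddir): ?string
{
    // Reject failed or partial uploads and anything over the size limit.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        return null;
    }

    // Detect the type from the file content, not from $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        return null;
    }
    // The content must also parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // Generated name plus allow-listed extension: the client's file name is never used.
    $name   = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $target = rtrim($uploaddir, '/') . '/' . $name;

    // move_uploaded_file() only moves files that arrived through HTTP POST.
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

if (isset($_FILES['userfile'])) {
    $stored = store_uploaded_image($_FILES['userfile'], 'uploads/');
    echo $stored !== null
        ? "File is valid, and was successfully uploaded.\n"
        : "Sorry, we only allow uploading GIF, JPEG or PNG images\n";
}
```

The upload directory should additionally be configured so that the web server does not execute scripts from it.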

Happy Patching :)
Eat, Sleep, Coding. Repeat !
