Friday, December 14, 2012

PHP Arbitrary File Upload Simple Patching

Date: Friday, December 14, 2012 6:04 PM
Author: Unknown
I will go over a simple way to patch a PHP Arbitrary File Upload.

PHP Arbitrary File Upload Patch

Most websites that are vulnerable to this kind of upload have a handler along these lines.
A simple example of an upload.php file upload handler:
<?php
$uploaddir = 'uploads/'; // Relative path under webroot
// basename() only strips the directory part; the file name and extension
// come straight from the client, and nothing checks the type at all.
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>
An example of the form used in the index file for the upload:
<form name="upload" action="upload.php" method="POST" enctype="multipart/form-data">
Select the file to upload: <input type="file" name="userfile">
<input type="submit" name="upload" value="upload">
</form>
There is no code here that filters the uploaded file type.
So we can simply upload: shell.php
One patch is to add a file type filter to the upload.php script.
For example:
<?php
// 'type' is the Content-Type the client sent for this form part;
// PHP copies it into $_FILES without verifying it against the file contents.
if ($_FILES['userfile']['type'] != "image/gif") {
    echo "Sorry, we only allow uploading GIF images";
    exit;
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>
The "image/gif" can be replaced with "image/jpeg" and so on. One caveat: $_FILES['userfile']['type'] is simply the Content-Type that the client sent for that form part, and PHP does not verify it, so this check only stops uploads that do not bother to set it. A client that declares shell.php as image/gif passes straight through. For a real fix, also whitelist the file extension, check the contents of the uploaded temp file on the server side, store the file under a name the client does not control, and make sure the web server does not execute scripts in the upload directory.
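A stricter upload.php along those lines, as an added example that is not the original post's code. It assumes an allowed set of GIF/PNG/JPEG images, a 2 MB limit, that the uploads/ directory is configured so the server does not execute scripts in it, and that the fileinfo extension is available; the function names validate_upload and store_upload are this example's own. Run from the command line it checks itself against constructed files instead of handling a request.

```php
<?php
// Added example, not code from the original post. Assumed constants and
// helper names (validate_upload, store_upload) are this example's own.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads/';
const MAX_BYTES  = 2 * 1024 * 1024;
// Allowed extension => MIME type that the file *contents* must have.
const ALLOWED_TYPES = [
    'gif'  => 'image/gif',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

/**
 * Validate one $_FILES entry and return the extension to store it with.
 * $file['type'] is deliberately ignored: it is the client's Content-Type
 * header for the part and PHP never checks it.
 */
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Extension whitelist on the client-supplied name. Only the last
    // extension counts, so shell.php is rejected here; shell.php.gif gets
    // through this step and must be caught by the content check below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // Server-side sniff of the temp file, independent of anything in the request.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content is $detected, not " . ALLOWED_TYPES[$ext]);
    }
    return $ext;
}

/** Store under a random name so the client never chooses the path on disk. */
function store_upload(array $file): string
{
    $ext  = validate_upload($file);
    $dest = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return $dest;
}

if (PHP_SAPI !== 'cli') {
    // Real request handling.
    try {
        store_upload($_FILES['userfile'] ?? []);
        echo "File is valid, and was successfully uploaded.\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . $e->getMessage() . "\n";
    }
} else {
    // Offline self-check with constructed inputs: a real 1x1 GIF and a PHP
    // file, each presented with the names below and all claiming image/gif.
    $gif = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, "<?php echo 'not an image'; ?>\n");
    $cases = [
        ['name' => 'pic.gif',       'tmp' => $gif], // accepted as gif
        ['name' => 'shell.php',     'tmp' => $php], // rejected: extension
        ['name' => 'shell.php.gif', 'tmp' => $php], // rejected: content is text/x-php
        ['name' => 'shell.gif',     'tmp' => $php], // rejected: content is text/x-php
    ];
    foreach ($cases as $c) {
        $file = ['name' => $c['name'], 'type' => 'image/gif', 'tmp_name' => $c['tmp'],
                 'error' => UPLOAD_ERR_OK, 'size' => filesize($c['tmp'])];
        try {
            echo $c['name'], ': accepted as ', validate_upload($file), "\n";
        } catch (RuntimeException $e) {
            echo $c['name'], ': rejected (', $e->getMessage(), ")\n";
        }
    }
    unlink($gif);
    unlink($php);
}
```

The self-check only exercises validate_upload, because move_uploaded_file refuses files that did not arrive through an HTTP upload. The random stored name matters on its own: the original name, double extensions included, never reaches the disk, so a handler configured to run .php anywhere in the name has nothing to match on.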
Let's look at the upload request behind the scenes:
POST /upload.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: localhost
User-Agent: libwww-perl/5.803
Content-Type: multipart/form-data;
Content-Length: 156
Content-Disposition: form-data; name="userfile"; filename="shell.php"
...
...
-
HTTP/1.1 200 OK
Date: Thu, 31 May 2007 13:54:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.2-pl6-gentoo
Connection: close
Content-Type: text/html
Sorry, we only allow uploading GIF images
Hehehe..
Happy patching..
