web常见攻击六——文件上传漏洞 - 网站安全 - 自

我是在dvwa（Damn Vulnerable Web App）上学到的这些东西，我把dvwa安装在了我的免费空间上，有兴趣的可以看看。 DVWA

想要用户名和密码的可以联系我：sq371426@163.com

dvwa 用的验证是google提供的，详情见google CAPCTHE

文件上传漏洞就是对用户上传的文件类型判断不完善，导致攻击者上传非法类型的文件，从而对网站进行攻击。

以上传图片为例进行介绍，下面来看初级的程序。

<?php if (isset($_POST['Upload'])) { $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/"; $target_path = $target_path . basename( $_FILES['uploaded']['name']); if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) { echo '<pre>'; echo 'Your image was not uploaded.'; echo '</pre>'; } else { echo '<pre>'; echo $target_path . ' succesfully uploaded!'; echo '</pre>'; } } ?>

这段程序没有对图片类型及大小进行任何判断，就对文件进行上传，很容易产生文件攻击。

下面这段程序对文件大小及类型进行验证

<?php if (isset($_POST['Upload'])) { $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/"; $target_path = $target_path . basename($_FILES['uploaded']['name']); $uploaded_name = $_FILES['uploaded']['name']; $uploaded_type = $_FILES['uploaded']['type']; $uploaded_size = $_FILES['uploaded']['size']; if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){ if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) { echo '<pre>'; echo 'Your image was not uploaded.'; echo '</pre>'; } else { echo '<pre>'; echo $target_path . ' succesfully uploaded!'; echo '</pre>'; } } else{ echo '<pre>Your image was not uploaded.</pre>'; } } ?>

很多人都会用$uploaded_type == ]image/jpeg]对图片类型进行验证，可是这样依然是不安全的。

<?php if (isset($_POST['Upload'])) { $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/"; $target_path = $target_path . basename($_FILES['uploaded']['name']); $uploaded_name = $_FILES['uploaded']['name']; $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1); $uploaded_size = $_FILES['uploaded']['size']; if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){ if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) { echo '<pre>'; echo 'Your image was not uploaded.'; echo '</pre>'; } else { echo '<pre>'; echo $target_path . ' succesfully uploaded!'; echo '</pre>'; } } else{ echo '<pre>'; echo 'Your image was not uploaded.'; echo '</pre>'; } } ?>

安全的图片验证类型可以这样写$uploaded_ext == ]jpg] || $uploaded_ext == ]JPG] || $uploaded_ext == ]jpeg] || $uploaded_ext == ]JPEG])，呵呵，也不难是吧，其实有些事情就这么简单，只是我们不知道而已。

声明：本文来自网络，不代表【好得很程序员自学网】立场，转载请注明出处：http://www.haodehen.cn/did15685

更新时间：2022-09-13 阅读：106次