includes/update_profile_include.php ...
$newavatar = $_FILES['user_avatar'];
if ($userdata['user_avatar'] == "" && !empty($newavatar['name']) && is_uploaded_file($newavatar['tmp_name'])) {
    if (preg_match("/^[-0-9A-Z_\.\[\]]+$/i", $newavatar['name']) && $newavatar['size'] <= 30720) {
        $avatarext = strrchr($newavatar['name'],".");
        if (eregi(".gif", $avatarext) || eregi(".jpg", $avatarext) || eregi(".png", $avatarext)) {
            $avatarname = substr($newavatar['name'], 0, strrpos($newavatar['name'], "."));
            $avatarname = $avatarname."[".$userdata['user_id']."]".$avatarext;
            $set_avatar = "user_avatar='$avatarname', ";
            move_uploaded_file($newavatar['tmp_name'], IMAGES."avatars/".$avatarname);
            chmod(IMAGES."avatars/".$avatarname,0644);
            if ($size = @getimagesize(IMAGES."avatars/".$avatarname)) {
                if ($size['0'] > 100 || $size['1'] > 100) {
                    unlink(IMAGES."avatars/".$avatarname);
                    $set_avatar = "";
                }
            } else {
                unlink(IMAGES."avatars/".$avatarname);
                $set_avatar = "";

判断的伪代码:
$newavatar['name']= $_GET[a]; //提交 a=1.php.php.gifa
print preg_match("/^[-0-9A-Z_\.\[\]]+$/i", $newavatar['name']); //这里的正则允许名字里出现 . ,所以 1.php.php.gifa 能通过
$avatarext = strrchr($newavatar['name'],".");//取最后一个 . 之后的部分作为后缀
print eregi(".gif", $avatarext); //eregi() 的模式没有锚定,而且模式里的 . 可以匹配任意字符,所以后缀里只要包含 gif 就 ok 了(.gifa 同样通过) 那么我们可以提交1.php.php.gif
$avatarname = substr($newavatar['name'], 0, strrpos($newavatar['name'], "."));//取最后一个 . 之前的部分作为文件名
$avatarname = $avatarname."[".$userdata['user_id']."]".$avatarext;
$set_avatar = "user_avatar='$avatarname', ";
print $avatarname; //1.php.php.gifa==>1.php.php[id号].gifa
//move_uploaded_file($newavatar['tmp_name'], IMAGES."avatars/".$avatarname);
<?
最终落盘的文件名形如 1.php.php[id号].gifa。在 apache 的典型配置下,mod_mime 会把文件名中每一段点分后缀都当作扩展名来解析,其中的 .php 仍然会交给 PHP 处理,因此是可以利用的[1]。那么再看下面 getimagesize() 的判断:
if ($size = @getimagesize(IMAGES."avatars/".$avatarname)) {
if ($size['0'] > 100 || $size['1'] > 100) { //可以参考关于 pass getimagesize() 的帖子[2],构造一个带有合法图片头、尺寸不超过 100x100 的文件来通过这里的检查
当时我是在官方下的v6.00.305测试的,不过无意中在milw0rm上已经有人发过了[3]。 :(
于是又到官方逛,在一个角落里发现了新点的版本:v6.01.10的Code:
........
if ($userdata['user_avatar'] == "" && !empty($newavatar['name']) && is_uploaded_file($newavatar['tmp_name'])) {
$avatarext = strrchr($newavatar['name'],".");
$avatarname = substr($newavatar['name'], 0, strrpos($newavatar['name'], "."));
if (preg_match("/^[-0-9A-Z_\[\]]+$/i", $avatarname) && preg_match("/(\.gif|\.GIF|\.jpg|\.JPG|\.png|\.PNG)
$/", $avatarext) && $newavatar['size'] <= 30720) {
$avatarname = $avatarname."[".$userdata['user_id']."]".$avatarext;
$set_avatar = "user_avatar='$avatarname', ";
move_uploaded_file($newavatar['tmp_name'], IMAGES."avatars/".$avatarname);
chmod(IMAGES."avatars/".$avatarname,0644);
if ($size = @getimagesize(IMAGES."avatars/".$avatarname)) {
if ($size['0'] > 100 || $size['1'] > 100) {
unlink(IMAGES."avatars/".$avatarname);
........
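<?php
// Stand-alone reproduction of the v6.01.10 avatar-name checks.
// The candidate file name is read from the query string so different
// inputs can be tried quickly, e.g. ?a=1.php.gif
// Fix: the original used the bare constant `a` ($_GET[a]); in PHP 8 that is a
// fatal "Undefined constant" error rather than a notice.
$newavatar['name'] = isset($_GET['a']) ? $_GET['a'] : '';

// Extension = everything from the LAST dot (strrchr);
// base name = everything before that dot.
$avatarext = strrchr($newavatar['name'], ".");
$avatarname = substr($newavatar['name'], 0, strrpos($newavatar['name'], "."));

print $avatarext."<br>";
print $avatarname."<br>";

// v6.01.10 base-name check: no '.' is allowed in the part before the
// extension, so a name such as 1.php.gif (base name "1.php") is rejected here.
print preg_match("/^[-0-9A-Z_\[\]]+$/i", $avatarname)."<br>";

// v6.01.10 extension check: anchored with $, so the extension must END with
// one of the listed suffixes; ".gifa" no longer passes.
// NOTE(review): without the D modifier, PCRE's $ also matches just before a
// trailing "\n", so ".gif\n" would still satisfy this pattern; whether such a
// name can survive in $_FILES[...]['name'] is not shown here - verify.
print preg_match("/(\.gif|\.GIF|\.jpg|\.JPG|\.png|\.PNG)$/", $avatarext)."<br>";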
preg_match("/^[-0-9A-Z_\[\]]+$/i", $avatarname)
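<?php
// Variant of the v6.01.10 check harness with the v6.00.305 base-name regex
// (which permits '.') swapped back in. It shows that the anchored extension
// check is what blocks the ".gifa" trick, independent of the base-name rule.
// Fixes: the regex literal had doubled quotes (""/.../i"") which is a syntax
// error, and $_GET[a] used a bare constant instead of the string key 'a'.
$newavatar['name'] = isset($_GET['a']) ? $_GET['a'] : '';

// Extension = everything from the LAST dot; base name = everything before it.
$avatarext = strrchr($newavatar['name'], ".");
$avatarname = substr($newavatar['name'], 0, strrpos($newavatar['name'], "."));

print $avatarext."<br>";
print $avatarname."<br>";

// v6.00.305 base-name regex: '.' is allowed, so a base name like "1.php" passes.
print preg_match("/^[-0-9A-Z_\.\[\]]+$/i", $avatarname)."<br>";

// v6.01.10 extension regex, anchored at the end of the string: only an
// extension that ends in the listed suffixes passes, ".gifa" does not.
print preg_match("/(\.gif|\.GIF|\.jpg|\.JPG|\.png|\.PNG)$/", $avatarext)."<br>";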
preg_match("/^[-0-9A-Z_\.\[\]]+$/i", $avatarname) ===> 1
preg_match("/(\.gif|\.GIF|\.jpg|\.JPG|\.png|\.PNG)$/", $avatarext) ===> 0
preg_match("/(\.gif|\.GIF|\.jpg|\.JPG|\.png|\.PNG)$/", $avatarext)
move_uploaded_file($newavatar['tmp_name'], IMAGES."avatars/".$avatarname);