kebanyakan website yang vuln diupload memiliki garis besar seperti ini:
contoh simple upload.php file upload.
<?phpcontoh form yang dipake dalam file index untuk upload
$uploaddir = ‘uploads/’; // Relative path under webroot
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
echo “File is valid, and was successfully uploaded.\n”;
} else {
echo “File uploading failed.\n”;
}
?>
disini tidak ada code yang menfilter upload filetype<form name="upload" action="upload.php" method="POST" ENCTYPE="multipart/formdata"> Select the file to upload: <input type="file" name="userfile"> <input type="submit" name="upload" value="upload"> </form>
jadi kita bisa langsung saja upload shell.php
patching yg bisa dilakukan adalah menambahkan filter filetype dalam script upload.php
contohnya:
<?phpuntuk “images/gif” bisa diganti dengan “images/jpg” dll…
if($_FILES['userfile']['type'] != “image/gif”) {
echo “Sorry, we only allow uploading GIF images”;
exit;
}
$uploaddir = ‘uploads/’;
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
echo “File is valid, and was successfully uploaded.\n”;
} else {
echo “File uploading failed.\n”;
}
?>
kita liat backgound request uploadnya
POST /upload.php HTTP/1.1hehehe
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: localhost
User-Agent: libwww-perl/5.803
Content-Type: multipart/form-data;
Content-Length: 156
Content-Disposition: form-data; name=”userfile”; filename=”shell.php”
…
…
-
HTTP/1.1 200 OK
Date: Thu, 31 May 2007 13:54:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.2-pl6-gentoo
Connection: close
Content-Type: text/html
Sorry, we only allow uploading GIF images
Happy Patching..
0 comments:
Post a Comment