堆栈内存溢出
  简体   繁体   English

此脚本是否容易受到shell命令绕过?

[英]Is this script vulnerable to shell command bypass?

 原文  2017-03-21 19:17:10       php/ linux/ shell/ security/ file-upload

问题描述

I'm using this script to receive base 64 encoded images from an Android app. 我正在使用此脚本从Android应用程序接收基本64位编码图像。 I was wondering if there's any way possible to bypass a PHP shell command inside a POST request and get it to work in the server, for example, sending the command shell encoded and a name like "shell.php", "shell.php%0delete0". 我想知道是否有可能绕过POST请求中的PHP shell命令并使其在服务器中工作,例如,发送命令shell编码和名称如“shell.php”,“shell.php% 0delete0" 。 According to the script, everything will be saved as .png, so I'd say it's safe, but maybe I'm wrong and the script is actually vulnerable to shell command uploads. 根据脚本,一切都将保存为.png,所以我说这是安全的,但也许我错了,脚本实际上容易受到shell命令上传的攻击。 

<?php 
header('charset=utf-8');

if($_SERVER['REQUEST_METHOD'] == 'POST') {
    if(isset($_POST['image']) && isset($_POST['name'])) {
        $image = $_POST['image'];
        $name = $_POST['name'];
        file_put_contents("/var/www/html/admigas/android/uploads/$name".strval(date('_Ym')).".png",base64_decode($image));
        echo "Success";
    } else {
        echo "Wrong params";
    }
} else {
    echo "Nothing to do";
}

?>

1 个解决方案

解决方案1
 0  2017-03-21 19:56:15

So, let's look at the code step-by-step. 那么,让我们一步一步地看一下代码。 My comments are preceded by # : 我的评论前面是# 

<?php 
header('charset=utf-8');

if($_SERVER['REQUEST_METHOD'] == 'POST') {
    if(isset($_POST['image']) && isset($_POST['name'])) {
        # This is provided by the user:
        $image = $_POST['image'];
        # This is provided by the user:
        $name = $_POST['name'];
        # Where does $name come from? User input, of course!
        file_put_contents("/var/www/html/admigas/android/uploads/$name".strval(date('_Ym')).".png",base64_decode($image));
        echo "Success";
    } else {
        echo "Wrong params";
    }
} else {
    echo "Nothing to do";
}

Consequently, sending name=../../../../reverse-shell.php%00 with a base64-encoded payload will allow an attacker to upload an arbitrary file (in this case, PHP code), and probably execute it on the subsequent PHP request. 因此,使用base64编码的有效负载发送name=../../../../reverse-shell.php%00将允许攻击者上传任意文件(在本例中为PHP代码),并且可能在随后的PHP请求中执行它。

Solution (presented in diff format): 解决方案(以diff格式显示): 

-           $name = $_POST['name'];
+           $name = preg_replace('#[^A-Za-z0-9\-_]#', '', $_POST['name']);

You definitely want to remove any non-URL-safe characters to prevent attacks. 您肯定希望删除任何非URL安全字符以防止攻击。 You may want to totally rethink your strategy, of course . 当然,您可能希望完全重新考虑您的策略

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 CakePHP-Shell命令无法绕过beforeFilter - CakePHP - Shell command can't bypass beforeFilter 交互式外壳脚本命令行php - interactive shell script command line php 将linux shell脚本命令转换为php - converting a linux shell script command into php 如何使用Shell命令在php中执行python脚本? - How to execute a python script in php with a shell command? 外壳脚本中的sudo命令,由PHP调用 - sudo command inside shell script and called by PHP 使用UNIX&#39;at&#39;命令运行带有参数的Shell脚本 - Using UNIX 'at' command to run shell script with arguments 使用脚本外壳从PHP启动ADB命令 - Launch ADB command from PHP with script shell 如何从 php 脚本执行 shell 命令 - How to execute a shell command from a php script PHP CLI脚本中Shell命令的输出 - Output from shell command in PHP cli script 命令注入旁路滤波器 - Command injection bypass filter
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM