[英]Is this script vulnerable to shell command bypass?
I'm using this script to receive base 64 encoded images from an Android app. 我正在使用此脚本从Android应用程序接收基本64位编码图像。 I was wondering if there's any way possible to bypass a PHP shell command inside a POST request and get it to work in the server, for example, sending the command shell encoded and a name like "shell.php", "shell.php%0delete0".
我想知道是否有可能绕过POST请求中的PHP shell命令并使其在服务器中工作,例如,发送命令shell编码和名称如“shell.php”,“shell.php% 0delete0" 。 According to the script, everything will be saved as .png, so I'd say it's safe, but maybe I'm wrong and the script is actually vulnerable to shell command uploads.
根据脚本,一切都将保存为.png,所以我说这是安全的,但也许我错了,脚本实际上容易受到shell命令上传的攻击。
<?php
header('charset=utf-8');
if($_SERVER['REQUEST_METHOD'] == 'POST') {
if(isset($_POST['image']) && isset($_POST['name'])) {
$image = $_POST['image'];
$name = $_POST['name'];
file_put_contents("/var/www/html/admigas/android/uploads/$name".strval(date('_Ym')).".png",base64_decode($image));
echo "Success";
} else {
echo "Wrong params";
}
} else {
echo "Nothing to do";
}
?>
So, let's look at the code step-by-step. 那么,让我们一步一步地看一下代码。 My comments are preceded by
#
: 我的评论前面是
#
:
<?php
header('charset=utf-8');
if($_SERVER['REQUEST_METHOD'] == 'POST') {
if(isset($_POST['image']) && isset($_POST['name'])) {
# This is provided by the user:
$image = $_POST['image'];
# This is provided by the user:
$name = $_POST['name'];
# Where does $name come from? User input, of course!
file_put_contents("/var/www/html/admigas/android/uploads/$name".strval(date('_Ym')).".png",base64_decode($image));
echo "Success";
} else {
echo "Wrong params";
}
} else {
echo "Nothing to do";
}
Consequently, sending name=../../../../reverse-shell.php%00
with a base64-encoded payload will allow an attacker to upload an arbitrary file (in this case, PHP code), and probably execute it on the subsequent PHP request. 因此,使用base64编码的有效负载发送
name=../../../../reverse-shell.php%00
将允许攻击者上传任意文件(在本例中为PHP代码),并且可能在随后的PHP请求中执行它。
Solution (presented in diff format): 解决方案(以diff格式显示):
- $name = $_POST['name'];
+ $name = preg_replace('#[^A-Za-z0-9\-_]#', '', $_POST['name']);
You definitely want to remove any non-URL-safe characters to prevent attacks. 您肯定希望删除任何非URL安全字符以防止攻击。 You may want to totally rethink your strategy, of course .
当然,您可能希望完全重新考虑您的策略 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.