
PHP image upload script hack or login bypass?

One of my sites on a hosting space was attacked yesterday; the hacker told me by e-mail that one of my product images had been changed to another image file. That is true, because he put his signature over the old image (file replacement). Is there some security hole in this upload script?

    <?php
    ini_set("memory_limit", "200000000"); // for large images so that we do not get "Allowed memory exhausted"
    ?>
    <?php
    include_once("configlogin.php");
    include("funz.php");

    // Check user logged in already:
    checkLoggedIn("yes");

    // upload the file
    if ((isset($_POST["submitted_form"])) && ($_POST["submitted_form"] == "image_upload_form")) {
        $idimg = $_POST['idimg'];
        // file needs to be jpg,gif,bmp,x-png and 4 MB max
        if (($_FILES["image_upload_box"]["type"] == "image/jpeg") && ($_FILES["image_upload_box"]["size"] < 4000000)) {
            // QUI SCELGO LA DIMENSIONE FINALE DELL'IMMAGINE AL RESIZE
            $max_upload_width  = 800;
            $max_upload_height = 600;
            // if user chosed properly then scale down the image according to user preferances
            if (isset($_REQUEST['max_width_box']) and $_REQUEST['max_width_box'] != '' and $_REQUEST['max_width_box'] <= $max_upload_width) {
                $max_upload_width = $_REQUEST['max_width_box'];
            }
            if (isset($_REQUEST['max_height_box']) and $_REQUEST['max_height_box'] != '' and $_REQUEST['max_height_box'] <= $max_upload_height) {
                $max_upload_height = $_REQUEST['max_height_box'];
            }
            // if uploaded image was JPG/JPEG
            if ($_FILES["image_upload_box"]["type"] == "image/jpeg" || $_FILES["image_upload_box"]["type"] == "image/pjpeg") {
                $image_source = imagecreatefromjpeg($_FILES["image_upload_box"]["tmp_name"]);
            }
            // if uploaded image was GIF
            if ($_FILES["image_upload_box"]["type"] == "image/gif") {
                $image_source = imagecreatefromgif($_FILES["image_upload_box"]["tmp_name"]);
            }
            // BMP doesn't seem to be supported so remove it form above image type test (reject bmps)
            // if uploaded image was BMP
            if ($_FILES["image_upload_box"]["type"] == "image/bmp") {
                $image_source = imagecreatefromwbmp($_FILES["image_upload_box"]["tmp_name"]);
            }
            // if uploaded image was PNG
            if ($_FILES["image_upload_box"]["type"] == "image/x-png") {
                $image_source = imagecreatefrompng($_FILES["image_upload_box"]["tmp_name"]);
            }
            $remote_file = "../immaginiprodotti/" . $_FILES["image_upload_box"]["name"];
            imagejpeg($image_source, $remote_file, 100);
            chmod($remote_file, 0644);
            // get width and height of original image
            list($image_width, $image_height) = getimagesize($remote_file);
            if ($image_width > $max_upload_width || $image_height > $max_upload_height) {
                $proportions = $image_width / $image_height;
                if ($image_width > $image_height) {
                    $new_width  = $max_upload_width;
                    $new_height = round($max_upload_width / $proportions);
                } else {
                    $new_height = $max_upload_height;
                    $new_width  = round($max_upload_height * $proportions);
                }
                $new_image    = imagecreatetruecolor($new_width, $new_height);
                $image_source = imagecreatefromjpeg($remote_file);
                imagecopyresampled($new_image, $image_source, 0, 0, 0, 0, $new_width, $new_height, $image_width, $image_height);
                imagejpeg($new_image, $remote_file, 100);
                imagedestroy($new_image);
            }
            imagedestroy($image_source);
            rename($remote_file, "../immaginiprodotti/$idimg.jpg");
            header("Location: prodotti.php");
            exit;
        } else {
            header("Location: prodotti.php");
            exit;
        }
    }
    ?>

    <?php
    // login control function, from the included config file
    function checkPass($login, $password) {
        $login    = mysql_real_escape_string($login);
        $password = mysql_real_escape_string($password);
        $login    = addslashes($login);
        $password = addslashes($password);
        global $link;
        $query  = "SELECT login, password FROM users WHERE login='$login' and password='$password'";
        $result = mysql_query($query, $link) or die("checkPass fatal error: " . mysql_error());
        // Check exactly one row is found:
        if (mysql_num_rows($result) == 1 AND !preg_match("[a-z0-9]", $login) AND !preg_match("[a-z0-9]", $password)) {
            $row = mysql_fetch_array($result);
            return $row;
        }
        // Bad Login:
        return false;
    } // end func checkPass($login, $password)
    ?>

The second part of the script is the login control function (from the included config file). Could this checkPass() function also be bypassed through SQL injection to get straight into the protected upload page?

Thanks

Your code is extremely insecure. You use the USER-SUPPLIED filename directly as the target "write to this file" name. It is trivial for a user to specify a full path in there, and your code will happily draw its image wherever they want:

    $remote_file = "../immaginiprodotti/".$_FILES["image_upload_box"]["name"];
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    imagejpeg($image_source,$remote_file,100);

For example, consider someone forging an upload that does the equivalent of

 image_upload_box['name'] = '../../../../../../home/sites/example.com/imgs/site-logo.jpg';

You are also vulnerable to SQL injection attacks.

This line makes the password "safe":

 $password= mysql_real_escape_string($password);

and then, for some unknown reason, you double-escape the string with addslashes():

 $password=addslashes($password);

reopening the injection hole. addslashes() is completely useless moronic garbage. You should surgically remove any knowledge of its existence from your brain. It does not support Unicode and will allow injection attacks.

Beyond that, the mysql_*() functions are obsolete/deprecated; you should scrap all of this code and start over with mysqli (note the i) or PDO, using proper prepared statements and placeholders.

Your preg_match() calls are also incorrect, rendering the whole regex useless. You are also trying to do the regex test after the slash-adding has been done, meaning that a proper name like Miles O'Brien will be rejected, because addslashes/real_escape_string will have turned it into Miles O\\\\'Brien and it will be rejected.
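The path problem the answer points at lives in the posted code's `$remote_file = "../immaginiprodotti/" . $_FILES["image_upload_box"]["name"]` line, and the same script also interpolates the unvalidated `$_POST['idimg']` into the `rename()` destination, so both of the names under which the file is written come from the request. The following is an added example, not the original poster's code, of how the upload branch looks once the client-supplied filename is ignored entirely and the image type is taken from the bytes rather than from `$_FILES[...]['type']`, which the client sets. It assumes PHP 8 with GD, the same form fields as the page (`image_upload_box`, `idimg`), and the same `../immaginiprodotti/` directory; the function name `storeProductImage` and the size limits are this example's own choices.

```php
<?php
// Added example (not the original poster's code): hardened upload branch.
// Assumptions: PHP 8 + GD, form fields image_upload_box and idimg as on the
// page, product images stored in ../immaginiprodotti/ relative to this script.

const UPLOAD_DIR = __DIR__ . '/../immaginiprodotti';
const MAX_BYTES  = 4000000;   // same 4 MB cap as the original
const MAX_WIDTH  = 800;
const MAX_HEIGHT = 600;

/**
 * Validate and store an uploaded product image.
 * Returns the final path on success, throws RuntimeException on any failure.
 */
function storeProductImage(array $file, string $idimg): string
{
    // 1. The on-disk name is derived ONLY from a whitelisted identifier.
    //    $_FILES[...]['name'] is never used: it is attacker-controlled and
    //    was the path-traversal vector in the original script.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $idimg)) {
        throw new RuntimeException('invalid image id');
    }

    // 2. Check PHP's own upload status and the size before touching the file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('not an uploaded file, or too large');
    }

    // 3. Decide the image type from the bytes, not from the client-supplied
    //    $_FILES['type'] header, which the client can set to anything.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not a decodable image');
    }
    $src = match ($info[2]) {
        IMAGETYPE_JPEG => imagecreatefromjpeg($file['tmp_name']),
        IMAGETYPE_PNG  => imagecreatefrompng($file['tmp_name']),
        IMAGETYPE_GIF  => imagecreatefromgif($file['tmp_name']),
        default        => throw new RuntimeException('unsupported image type'),
    };
    if ($src === false) {
        throw new RuntimeException('GD could not decode the image');
    }

    // 4. Scale down if needed, keeping the aspect ratio as the original did.
    [$w, $h] = [imagesx($src), imagesy($src)];
    if ($w > MAX_WIDTH || $h > MAX_HEIGHT) {
        $ratio = min(MAX_WIDTH / $w, MAX_HEIGHT / $h);
        $nw = max(1, (int) round($w * $ratio));
        $nh = max(1, (int) round($h * $ratio));
        $dst = imagecreatetruecolor($nw, $nh);
        imagecopyresampled($dst, $src, 0, 0, 0, 0, $nw, $nh, $w, $h);
        imagedestroy($src);
        $src = $dst;
    }

    // 5. Re-encode to JPEG into a temp file inside the target directory, then
    //    move it into place. GD writes only pixel data, so metadata and any
    //    trailing bytes from the upload do not survive the re-encode.
    $final = UPLOAD_DIR . '/' . $idimg . '.jpg';
    $tmp   = tempnam(UPLOAD_DIR, 'upl');
    if ($tmp === false || !imagejpeg($src, $tmp, 90)) {
        throw new RuntimeException('could not write image');
    }
    imagedestroy($src);
    chmod($tmp, 0644);
    if (!rename($tmp, $final)) {
        @unlink($tmp);
        throw new RuntimeException('could not move image into place');
    }
    return $final;
}

// Request handling, mirroring the original form fields:
if (($_POST['submitted_form'] ?? '') === 'image_upload_form' && isset($_FILES['image_upload_box'])) {
    try {
        storeProductImage($_FILES['image_upload_box'], (string) ($_POST['idimg'] ?? ''));
    } catch (RuntimeException $e) {
        error_log('image upload rejected: ' . $e->getMessage());
    }
    header('Location: prodotti.php');
    exit;
}
```

A quick check that the forged name from the answer (`../../../../../../home/sites/example.com/imgs/site-logo.jpg`) no longer matters: it is never read, and an `idimg` of `../../x` fails the `preg_match` whitelist before any filesystem call. Note also that in the posted script the outer `type == "image/jpeg"` test means the GIF/PNG/BMP branches can never run; the `match` above replaces all of them with one decision based on `getimagesize()`.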
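For the login side, the answer's advice is prepared statements with placeholders instead of escaping, and a regex check applied to the raw input. The following is an added example, not code from the original post, of `checkPass()` rewritten that way with PDO. It assumes a PDO connection in `$pdo` and a `users` table with columns `id`, `login` and `password_hash`, where `password_hash` holds the output of `password_hash()` (the posted schema compares plaintext `password` in SQL, which this example replaces); the helper name `isValidLogin` is this example's own. The `preg_match("[a-z0-9]", ...)` calls in the posted code are useless because PHP takes the square brackets as the pattern delimiters, leaving the literal text `a-z0-9` as the pattern; the corrected pattern below carries real delimiters and anchors.

```php
<?php
// Added example (not the original poster's code): checkPass() with PDO
// prepared statements and hashed passwords. Assumptions: $pdo is an open PDO
// connection; table users has columns id, login, password_hash.

/**
 * Whitelist check on the RAW login, before any database call.
 * In the original, preg_match("[a-z0-9]", ...) used [ and ] as delimiters,
 * so the pattern was the literal string "a-z0-9" and matched almost nothing.
 */
function isValidLogin(string $login): bool
{
    return preg_match('/^[a-z0-9_.-]{1,32}$/i', $login) === 1;
}

/**
 * Return the user row (without the hash) on success, false otherwise.
 * The placeholder carries the value to the server separately from the SQL
 * text, so there is no quoting step to get wrong: no mysql_real_escape_string,
 * no addslashes. A login such as O'Brien is matched verbatim.
 */
function checkPass(PDO $pdo, string $login, string $password): array|false
{
    if (!isValidLogin($login)) {
        return false;
    }

    $stmt = $pdo->prepare('SELECT id, login, password_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), against a dummy hash when the login does
    // not exist, so response time does not reveal which logins are valid.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    $hash = ($row !== false) ? $row['password_hash'] : $dummy;

    if (!password_verify($password, $hash) || $row === false) {
        return false;
    }
    unset($row['password_hash']);
    return $row;
}
```

Call it as `checkPass($pdo, $_POST['login'] ?? '', $_POST['password'] ?? '')` after creating `$pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION])`; with emulated prepares switched off, MySQL itself separates the query text from the bound value. Existing plaintext passwords have to be migrated by storing `password_hash($plain, PASSWORD_DEFAULT)` at the next successful login or at registration.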


Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to republish, please credit this site's URL or the original source address. For any questions contact yoyou2525@163.com.

粵ICP備18138465號  © 2020-2024 STACKOOM.COM