PHP arbitrary file upload vulnerability

Vulnerability details:

This vulnerability exists in a very commonly used function in PHP: move_uploaded_files. Developers always use this function to move uploaded files. This function will check whether the uploaded file is a legal file ( Whether it is uploaded through the HTTP post mechanism), if it is a legal file, it must be placed in the specified directory.

Example:

move_uploaded_file ( string $filename , string $destination ) The problem here is that null characters can be inserted into the file name (this vulnerability has been fixed many times before, such as CVE-2006-7243), using the insertion of null characters In this way, attackers can upload arbitrary files, causing remote code execution vulnerabilities, etc.

I am using DVWA to demonstrate this example. The highest level question in DVWA is not easy to pass due to various reasons. It is intended to tell developers how to develop a more secure file upload component. Let's take a look at this example:

Code snippet:

$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1); $uploaded_size = $_FILES['uploaded']['size'];
if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){ if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
$html .= '';
$html .= 'Your image was not uploaded.';
$html .= ''; }
else {
$html .= $target_path . ' successfully uploaded!';
.
.

There is a lot of code in this code There are several vulnerabilities, such as XSCH, XSS, etc., but there are no serious vulnerabilities like RCE, because starting from PHP 5.3.1, the problem of null characters has been fixed. The problem here is that DVWA passes the name parameter uploaded by the user to the move_upload_file() function, so the operation performed by PHP may be like this:

move_uploaded_file($_FILES['name']['tmp_name']," /file.phpx00.jpg"); This should create a file called file.phpx00.jpg, but the file actually created is file.php.

In this way, the verification of the suffix name in the code is bypassed, and it turns out that many other functions in the GD library also have this problem (such as getimagesize(), imagecreatefromjpeg()...etc.), you can see this example.

If your machine’s PHP version is 5.4.39, 5.5.x – 5.5.23, or 5.6.x – 5.6.7, you can solve the problem described in this article by checking whether there are x00 characters in the file name.

Security recommendations If this vulnerability exists on your machine, it is recommended to use a random string to rename the file name instead of using the value of the name parameter uploaded by the user.