LOW
1if( isset( $_POST[ 'Upload' ] ) ) {
2 // Where are we going to be writing to?
3 $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
4 $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
5
6 // Can we move the file to the upload folder?
7 // 完全没做过滤.
8 // 上传一个PHP文件也是可以的.
9 if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
10 // No
11 echo '<pre>Your image was not uploaded.</pre>';
12 }
13 else {
14 // Yes!
15 echo "<pre>{$target_path} succesfully uploaded!</pre>";
16 }
17}
Medium
1if( isset( $_POST[ 'Upload' ] ) ) {
2 // Where are we going to be writing to?
3 $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
4 $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
5
6 // File information
7 $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
8 $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
9 $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
10
11 // Is it an image?
12 // // 开始做了一些过滤
13
14 // 下面是官方对$_FILES 函数的描述
15 // [name] => MyFile.txt (comes from the browser, so treat as tainted)
16 // [type] => text/plain (not sure where it gets this from - assume the browser, so treat as tainted)
17 // [tmp_name] => /tmp/php/php1h4j1o (could be anywhere on your system, depending on your config settings, but the user has no control, so this isn't tainted)
18 // [error] => UPLOAD_ERR_OK (= 0)
19 // [size] => 123 (the size in bytes)
20
21 // 其中对name和type的description的描述都是 `treat as tainted`(被污染的)
22 // 这意味着它有可能会被修改 unsafe
23
24 // 我们可以尝试上传一个PHP文件,使用一些拦截请求工具,修改即将发出的请求.
25 // 来达到修改`name`中的后缀名和`type`中的媒体类型.
26 if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
27 ( $uploaded_size < 100000 ) ) {
28
29 // Can we move the file to the upload folder?
30 if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
31 // No
32 echo '<pre>Your image was not uploaded.</pre>';
33 }
34 else {
35 // Yes!
36 echo "<pre>{$target_path} succesfully uploaded!</pre>";
37 }
38 }
39 else {
40 // Invalid file
41 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
42 }
43}
High
1if( isset( $_POST[ 'Upload' ] ) ) {
2 // Where are we going to be writing to?
3 $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
4 $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
5
6 // File information
7 $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
8 // jpg
9 $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
10
11 // file size
12 $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
13
14 // tmp_name 是临时副本的名字
15 $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
16
17 // Is it an image?
18 // 和上面的比起来多个一个文件后缀名的判断.
19 // strtolower 转小写
20 // 扩展名只要满足jpeg,png或者jpg就行
21 if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
22 ( $uploaded_size < 100000 ) &&
23 // getimagesize 获取图像信息
24 // 这个函数保证你穿的一定得是个图像
25 // 可以用图片木马绕过
26 getimagesize( $uploaded_tmp ) ) {
27
28 // Can we move the file to the upload folder?
29 if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
30 // No
31 echo '<pre>Your image was not uploaded.</pre>';
32 }
33 else {
34 // Yes!
35 echo "<pre>{$target_path} succesfully uploaded!</pre>";
36 }
37 }
38 else {
39 // Invalid file
40 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
41 }
42}
High
1if( isset( $_POST[ 'Upload' ] ) ) {
2 // Where are we going to be writing to?
3 $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
4 $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
5
6 // File information
7 $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
8 $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
9 $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
10 $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
11
12 // Is it an image?
13 // 对比上面多验证了文件的后缀名
14 if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
15 ( $uploaded_size < 100000 ) &&
16
17 // 函数会通过读取文件头,返回图片的长、宽等信息,如果没有相关的图片文件头,函数会报错
18 getimagesize( $uploaded_tmp ) ) {
19
20 // 可以看到,High级别的代码读取文件名中最后一个”.”后的字符串,期望通过文件名来限制文件类型
21 // 因此要求上传文件名形式必须是”*.jpg”、”*.jpeg” 、”*.png”之一
22 // 同时,getimagesize函数更是限制了上传文件的文件头必须为图像类型
23
24 // Can we move the file to the upload folder?
25 if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
26 // No
27 echo '<pre>Your image was not uploaded.</pre>';
28 }
29 else {
30 // Yes!
31 echo "<pre>{$target_path} succesfully uploaded!</pre>";
32 }
33 }
34 else {
35 // Invalid file
36 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
37 }
38}
Impossible
1if( isset( $_POST[ 'Upload' ] ) ) {
2 // Check Anti-CSRF token
3 checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
4
5 // File information
6 $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
7 $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
8 $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
9 $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
10 $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
11
12 // Where are we going to be writing to?
13 $target_path = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
14 //$target_file = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
15
16 // MD5 加密
17 $target_file = md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
18 $temp_file = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
19 $temp_file .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
20
21 // Is it an image?
22 if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
23 ( $uploaded_size < 100000 ) &&
24 ( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
25 getimagesize( $uploaded_tmp ) ) {
26
27 // Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
28 if( $uploaded_type == 'image/jpeg' ) {
29 $img = imagecreatefromjpeg( $uploaded_tmp );
30 imagejpeg( $img, $temp_file, 100);
31 }
32 else {
33 $img = imagecreatefrompng( $uploaded_tmp );
34 imagepng( $img, $temp_file, 9);
35 }
36 imagedestroy( $img );
37
38 // Can we move the file to the web root from the temp folder?
39 if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
40 // Yes!
41 echo "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>";
42 }
43 else {
44 // No
45 echo '<pre>Your image was not uploaded.</pre>';
46 }
47
48 // Delete any temp files
49 if( file_exists( $temp_file ) )
50 unlink( $temp_file );
51 }
52 else {
53 // Invalid file
54 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
55 }
56}
57
58// Generate Anti-CSRF token
59generateSessionToken();
Extension
00%截断
1$is_upload = false;
2$msg = null;
3if(isset($_POST['submit'])){
4 // 白名单
5 $ext_arr = array('jpg','png','gif');
6 $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
7 if(in_array($file_ext,$ext_arr)){
8 $temp_file = $_FILES['upload_file']['tmp_name'];
9 // 注意这个位置
10 // 最后拼接的储存路径,是由用户提交上的数据来做为路径
11 $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
12
13 if(move_uploaded_file($temp_file,$img_path)){
14 $is_upload = true;
15 } else {
16 $msg = "上传失败";
17 }
18 } else {
19 $msg = "只允许上传.jpg|.png|.gif类型文件!";
20 }
21}
代码采用的白名单校验,只允许上传图片格式,理论上这个上传是不好绕过的。
但是后面采用保存文件的时候,是路径拼接的形式,而路径又是从前端获取,所以我们可以在路径上做手脚。
如下上传,显示文件路径中有个空格,这并不是真正意义上的空格,而是%00截断后显示成的空格。
在url中%00表示ascll码中的0 ,而ascii中0作为特殊字符保留,表示字符串结束,所以当url中出现%00时就会认为读取已结束 (php版本要小于5.3.4,5.3.4及以上已经修复该问题)