Monday, July 18, 2011

PHP Arbitrary File Upload Simple Patching

I will go over a simple way to patch a PHP Arbitrary File Upload.
PHP Arbitrary File Upload Patch


Most websites vulnerable to arbitrary upload have a handler that looks roughly like this:
A simple example of an upload.php file upload handler.
<?php
$uploaddir = 'uploads/'; // Relative path under webroot
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>
Example of the form used in the index file to upload (the enctype must be multipart/form-data, or PHP will not populate $_FILES):
<form name="upload" action="upload.php" method="POST" enctype="multipart/form-data">
    Select the file to upload: <input type="file" name="userfile">
    <input type="submit" name="upload" value="upload">
</form>
There is no code here that filters the uploaded file type.
So we can simply upload: shell.php
The patch that can be applied is to add a file type filter to the upload.php script.
For example:
<?php
if ($_FILES['userfile']['type'] != "image/gif") {
    echo "Sorry, we only allow uploading GIF images";
    exit;
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>
"image/gif" can be replaced with "image/jpeg" and so on...
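A stronger version of the same filter, as an added example that is not from the original post: the `type` field in `$_FILES` is whatever the HTTP client chose to send (the libwww-perl request shown below sets its own headers), so this version ignores it, inspects the uploaded bytes with PHP's `finfo` extension, checks the claimed extension against the detected type, and stores the file under a random server-chosen name. The `uploads/` directory and `userfile` field come from the original; the `ALLOWED` map and the 5 MiB limit are assumptions.

```php
<?php
// Added hardening example, not the original post's code.
// Maps the content type detected on the server to the extension the stored file gets.
const ALLOWED = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

function rejectUpload(string $msg): void {
    http_response_code(400);
    echo htmlspecialchars($msg), "\n";
    exit;
}

if (!isset($_FILES['userfile']) || $_FILES['userfile']['error'] !== UPLOAD_ERR_OK) {
    rejectUpload('File uploading failed.');
}
$f = $_FILES['userfile'];

// Size limit (assumed 5 MiB) enforced in code, independent of php.ini settings.
if ($f['size'] > 5 * 1024 * 1024) {
    rejectUpload('File too large.');
}

// Detect the type from the file's bytes, not from $_FILES['userfile']['type'].
$finfo    = new finfo(FILEINFO_MIME_TYPE);
$detected = $finfo->file($f['tmp_name']);
if ($detected === false || !isset(ALLOWED[$detected])) {
    rejectUpload('Sorry, we only allow uploading GIF, JPEG and PNG images.');
}

// The client's claimed extension must agree with the detected content.
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
if ($ext === 'jpeg') {
    $ext = 'jpg';
}
if ($ext !== ALLOWED[$detected]) {
    rejectUpload('File extension does not match its content.');
}

// Never reuse the client's filename: random name plus the server-chosen extension.
// uploads/ should additionally have script execution disabled in the web server
// (for Apache with mod_php: "php_flag engine off" in uploads/.htaccess).
$dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$detected];
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    rejectUpload('File uploading failed.');
}
chmod($dest, 0644); // readable, never executable
echo "File is valid, and was successfully uploaded.\n";
```

An image that also carries embedded PHP text still passes `finfo`, which is why the random name, the server-chosen extension and the disabled script engine in `uploads/` matter as much as the type check.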
Let's look at the underlying upload request and the server's response:
POST /upload.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: localhost
User-Agent: libwww-perl/5.803
Content-Type: multipart/form-data;
Content-Length: 156
Content-Disposition: form-data; name="userfile"; filename="shell.php"
...
...
-
HTTP/1.1 200 OK
Date: Thu, 31 May 2007 13:54:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.2-pl6-gentoo
Connection: close
Content-Type: text/html
Sorry, we only allow uploading GIF images
Hehehe..
Happy Patching..
