Monday, July 18, 2011

PHP Arbitrary File Upload Simple Patching

Saya akan membahas tentang cara simple mempatch PHP Arbitrary File Upload.
PHP Arbitary File Upload Patch


Kebanyakan website yang vuln diupload memiliki garis besar seperti ini:
Contoh simple upload.php file upload.
<?php
$uploaddir = 'uploads/'; // Relative path under webroot
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "File uploading failed.\n";
}
?>
Contoh form yang dipake dalam file index untuk upload:
<form name="upload" action="upload.php" method="POST" ENCTYPE="multipart/formdata">
Select the file to upload: <input type="file" name="userfile">
<input type="submit" name="upload" value="upload">
</form>
Disini tidak ada code yang memfilter upload filetype.
Jadi kita bisa langsung saja upload: shell.php
Patching yg bisa dilakukan adalah menambahkan filter filetype dalam script upload.php
Contohnya:
<?php
if($_FILES['userfile']['type'] != "image/gif") {
echo "Sorry, we only allow uploading GIF images";
exit;
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "File uploading failed.\n";
}
?>
Untuk “images/gif” bisa diganti dengan “images/jpg” dll…
Kita liat backgound request uploadnya
POST /upload.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: localhost
User-Agent: libwww-perl/5.803
Content-Type: multipart/form-data;
Content-Length: 156
Content-Disposition: form-data; name="userfile"; filename="shell.php"
...
...
-
HTTP/1.1 200 OK
Date: Thu, 31 May 2007 13:54:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.2-pl6-gentoo
Connection: close
Content-Type: text/html
Sorry, we only allow uploading GIF images
Hehehe..
Happy Patching..
Post a Comment