TDOH-PIPE 201704
Information Security Study Group

Good morning! I'm Onion (洋蔥)

Some of you probably still don't know me

Everyone at the study group is welcome
to jump into the discussion!

File Upload Vulnerabilities

Unrestricted File Upload

As the name suggests

An attacker can upload any file they like onto the server

What can you do with that?

Legitimate use

Illegitimate use?

What just happened!?

Oh no, today's talk is about upload vulnerabilities

So it must have been you who uploaded it

What can an attacker do?

  • Upload executable files, e.g. PHP or JSP
  • Upload phishing pages
  • Steal data
  • Use the machine as a pivot
  • Crash the machine
  • Fix bugs in the school's systems (?
  • etc.

Some upload vulnerabilities on exploit-db

How does it happen?

Possible causes

  • File type not checked
  • Path components not stripped from the filename
  • Server misconfiguration
  • etc.

Let's look at how upload handling is usually written

Here is a sample snippet found on the web

<?php
// Sample snippet as found on the web. Note what it does NOT do: it never
// checks the file type, it reuses the client-supplied filename, and it
// stores the file in a web-accessible directory.
if ($_FILES["file"]["error"] > 0) {
    echo "Error: " . $_FILES["file"]["error"];
} else {
    echo "File name: " . $_FILES["file"]["name"] . "<br/>";
    echo "File type: " . $_FILES["file"]["type"] . "<br/>";   // client-supplied, never verified
    echo "File size: " . ($_FILES["file"]["size"] / 1024) . " KB<br />";
    echo "Temp name: " . $_FILES["file"]["tmp_name"];

    if (file_exists("upload/" . $_FILES["file"]["name"])) {
        echo "File already exists, please do not upload the same file twice";
    } else {
        // The attacker-chosen name decides the extension, so shell.php lands under upload/ as-is.
        move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);
    }
}
?>

What do they use to decide the file type?

$_FILES['userfile']['type']


The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.

The most common mistakes

Don't trust the MIME type

Nothing that comes from the client can be trusted

  • Checking only the MIME type
  • Checking only the file extension
  • Checking only the file header (magic bytes)
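The three single-factor checks are easiest to compare side by side. The following is an added example written for this page, not code from the slides, DVWA or w3schools. It runs from the PHP CLI, simulates a `$_FILES` entry (whose `type` is copied from the client's multipart Content-Type header and whose `name` comes from the client's `filename=` field, so both are attacker-controlled), and feeds a constructed 1x1 GIF with PHP appended after the GIF trailer through each check. The file names, payload and whitelist are assumptions made for the demo.

```php
<?php
// Added example: why checking only one of MIME type, extension, or file header
// is not enough. Run from the CLI: php single_checks.php
declare(strict_types=1);

// Constructed sample: a complete 1x1 GIF89a image. Image parsers stop at the
// trailer (0x3B); PHP does not care what precedes its opening tag.
const GIF_1X1 = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              . "\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
const PAYLOAD = "<?php echo 'PHP ran from inside an image'; ?>";

// Simulate one entry of $_FILES. 'type' is the client-supplied Content-Type of
// the multipart part; 'name' is the client-supplied filename.
function fake_upload(string $name, string $client_type, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    return ['name' => $name, 'type' => $client_type, 'tmp_name' => $tmp,
            'size' => strlen($bytes), 'error' => UPLOAD_ERR_OK];
}

// Check 1: trust $_FILES[...]['type'] (the first snippet above).
function check_mime_only(array $f): bool
{
    return in_array($f['type'], ['image/jpeg', 'image/png', 'image/gif'], true);
}

// Check 2: extension whitelist only (the DVWA-style check).
function check_ext_only(array $f): bool
{
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true);
}

// Check 3: header only, via getimagesize() (the w3schools-style check).
function check_header_only(array $f): bool
{
    return @getimagesize($f['tmp_name']) !== false;
}

$cases = [
    // Plain PHP file with a spoofed Content-Type: only the MIME check is fooled.
    'shell.php  (spoofed type)' => fake_upload('shell.php', 'image/jpeg', PAYLOAD),
    // Polyglot named .php: MIME and header checks pass, the extension check rejects.
    'shell.php  (GIF polyglot)' => fake_upload('shell.php', 'image/gif', GIF_1X1 . PAYLOAD),
    // Same polyglot named .gif: every single-factor check passes, yet the file still
    // carries PHP that runs if the server is ever made to execute it.
    'avatar.gif (GIF polyglot)' => fake_upload('avatar.gif', 'image/gif', GIF_1X1 . PAYLOAD),
];

printf("%-28s %-10s %-10s %-10s\n", 'upload', 'mime-only', 'ext-only', 'header-only');
foreach ($cases as $label => $f) {
    printf("%-28s %-10s %-10s %-10s\n", $label,
        check_mime_only($f)   ? 'PASS' : 'reject',
        check_ext_only($f)    ? 'PASS' : 'reject',
        check_header_only($f) ? 'PASS' : 'reject');
    unlink($f['tmp_name']);
}
```

The last row is the one to remember: a whitelisted extension, a plausible MIME type and a valid image header can all be true at once for a file that is also a PHP script. Whether that matters depends on whether anything on the server can be made to execute it, which is why the storage location and server configuration are part of the fix.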

Check if it is an actual image

<?php
// w3schools-style check: getimagesize() parses only the image header, so any
// file that starts with valid image bytes counts as "an image".
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = pathinfo($target_file, PATHINFO_EXTENSION);
// Check if the uploaded file is an actual image or a fake image
if (isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if ($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
?>

But wait, the official docs say not to use it

getimagesize()

Do not use getimagesize() to check that a given file is a valid image.

Actually, the most dangerous thing is Google

web常见攻击六——文件上传漏洞 (Common web attacks, part 6: file upload vulnerabilities)

"A secure image type check can be written like this: ($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG"). Heh, not that hard, is it? Some things really are this simple, we just didn't know."

<?php
// DVWA upload handler: whitelists four spellings of the extension and caps
// the size, but never looks at the file content.
if (isset($_POST['Upload'])) {
    $target_path   = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path   = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];

    if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)) {
        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' successfully uploaded!';
            echo '</pre>';
        }
    } else {
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    }
}
?>

What else can go wrong?

  • Wrong permissions on the upload directory
  • SQL injection (e.g. through the stored filename)
  • Upload of configuration files (e.g. .htaccess) not blocked

The right way to check a file

finfo_open
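finfo_open() inspects the bytes PHP actually received instead of the client's claim, but libmagic identifies a file by its leading bytes, so a GIF-header polyglot still comes back as image/gif. It therefore has to be one layer among several. The following is an added example, not code from the slides or DVWA, of the shape such a handler takes in PHP 7 or later: extension whitelist, finfo result that must agree with the extension, re-encoding through GD to drop anything appended after the image data, a random file name, and storage in a directory the web server never executes from. The constants, function names, directory layout and sample polyglot are assumptions made for the demo; the GD step requires ext-gd.

```php
<?php
// Added example: validation built around finfo_open(), plus the layers it still needs.
// Run from the CLI: php finfo_check.php   (the web-only part is not executed here)
declare(strict_types=1);

// Whitelisted extension => the MIME type libmagic must report for that extension.
const ALLOWED   = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
const MAX_BYTES = 100000;

// Returns the whitelisted extension on success; throws on any rejection.
function validate_upload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error ' . ($f['error'] ?? 'none'));
    }
    if ($f['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // pathinfo() takes the last extension only, so shell.php.gif is judged as "gif";
    // that is acceptable here because the stored name is rebuilt from $ext below.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // Sniff the bytes on disk; $_FILES['type'] is never consulted.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $f['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, extension promises " . ALLOWED[$ext]);
    }
    return $ext;
}

// Decode and re-encode with GD (ext-gd). The encoder writes only pixel data, so
// anything appended after the image, such as a PHP payload, does not survive.
// Returns null when GD is unavailable or the bytes are not a decodable image.
function reencode(string $bytes, string $ext): ?string
{
    if (!function_exists('imagecreatefromstring')) {
        return null;
    }
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    ob_start();
    switch ($ext) {
        case 'png': imagepng($img); break;
        case 'gif': imagegif($img); break;
        default:    imagejpeg($img); break;
    }
    imagedestroy($img);
    return (string) ob_get_clean();
}

// Web handler (needs a real HTTP upload, so it is not called from the CLI demo).
// $dest_dir must be outside the document root, or served with the PHP engine off.
function store_upload(array $f, string $dest_dir): string
{
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $ext   = validate_upload($f);
    $clean = reencode((string) file_get_contents($f['tmp_name']), $ext);
    if ($clean === null) {
        throw new RuntimeException('not a decodable image');
    }
    // Random name: the client's filename, and any path or double extension in it, is discarded.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (file_put_contents(rtrim($dest_dir, '/') . '/' . $stored, $clean) === false) {
        throw new RuntimeException('could not write file');
    }
    return $stored;
}

// CLI demo with constructed input: a complete 1x1 GIF89a with PHP appended after the trailer (0x3B).
const GIF_1X1 = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              . "\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
$polyglot = GIF_1X1 . "<?php echo 'PHP inside an image'; ?>";
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, $polyglot);
$f = ['name' => 'avatar.gif', 'type' => 'text/plain', 'tmp_name' => $tmp,
      'size' => strlen($polyglot), 'error' => UPLOAD_ERR_OK];

echo 'validate_upload(): ', validate_upload($f), "\n";    // passes: libmagic reports image/gif
$clean = reencode($polyglot, 'gif');
echo 'PHP tag in original:    ', strpos($polyglot, '<?php') !== false ? 'yes' : 'no', "\n";
echo 'PHP tag after reencode: ', ($clean !== null && strpos($clean, '<?php') !== false) ? 'yes' : 'no', "\n";
unlink($tmp);
```

The demo deliberately shows validate_upload() accepting the polyglot: finfo is a real improvement over $_FILES['type'], but on its own it only proves the file begins like a GIF. The re-encode step, the random name and a non-executable upload directory are what turn "looks like an image" into "cannot run as code".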

Hands-on exercise

Environment setup

Backup environment

DVWA setup

Create / Reset Database

admin

password

DVWA Security (bottom left)

Set Security Level to Low

Burp setup

Q & A

Reference

Unrestricted File Upload - TDOH PIPE

By Albert Hsieh


What is a website upload vulnerability? Can an attacker really take over your host just by uploading a single file? An analysis of common website upload attacks and defences at TDOH-PIPE 201704!
