PHP file upload question
Posted: Tue Oct 05, 2010 9:03 pm
Hi, I'm experimenting with different ways to stop PHP shell uploads, and some ways to bypass them. I'm trying it on my localhost. I'm messing around with verification through file extensions. Here's the code:
<?php
// Extension blacklist: reject names that end in a listed extension.
$blacklist = array(".php", ".phtml");
foreach ($blacklist as $item) {
    // preg_quote() makes the dot literal; only the end of the name is checked.
    if (preg_match('/' . preg_quote($item, '/') . '$/i', $_FILES['userfile']['name'])) {
        echo "We do not allow uploading PHP files\n";
        exit;
    }
}
// The client-supplied file name is kept as the name on disk.
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>
It does seem to work; here's where I have my question. I changed the file extension to file.php.jpg to see if it could bypass it and it did upload. When I browse to it though I get this:
It just prints out the path for some reason..
So I have two questions: why does that happen? Is there a way to get this to upload and parse it as a PHP file instead of an image? I mean so it actually executes the shell. And if there is, what other precautions can you take to prevent people from uploading these shells? Thanks for any help, I'm trying to understand both sides here. I'm using PHP 5.3.1, by the way.
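On the precautions asked about above, an added example that is not part of the original post: an allowlist-based upload handler to set beside the extension blacklist, which only inspects the end of the client-supplied name and then stores the file under that name. It assumes PHP 7+ with the fileinfo extension; the function names, the sample inputs and the `/var/uploads` directory are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ with the fileinfo extension.

// Allowlist: MIME type detected from the file content => extension the server assigns.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
// Final extensions accepted in the client-supplied name.
const ALLOWED_EXTS = ['jpg', 'jpeg', 'png', 'gif'];

// Returns a server-generated file name, or null when the upload is rejected.
// The client-supplied name is checked but never used on disk.
function pick_stored_name($clientName, $detectedMime)
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTS, true)) {
        return null; // final extension is not on the allowlist
    }
    if (!array_key_exists($detectedMime, ALLOWED_TYPES)) {
        return null; // content does not look like an allowed image type
    }
    // Random name plus an extension chosen by the server, so "file.php.jpg"
    // never reaches the disk with ".php" anywhere in its name.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detectedMime];
}

// Validates one $_FILES entry and moves it into $storeDir.
function handle_upload(array $file, $storeDir)
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $stored = pick_stored_name($file['name'], (string) $finfo->file($file['tmp_name']));
    if ($stored === null) {
        return null;
    }
    $dest = rtrim($storeDir, '/') . '/' . $stored;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: client file name, MIME type as fileinfo might report it.
    $samples = [['photo.jpg', 'image/jpeg'], ['file.php.jpg', 'text/x-php'], ['file.php', 'image/gif']];
    foreach ($samples as $s) {
        $name = pick_stored_name($s[0], $s[1]);
        printf("%-14s %-11s %s\n", $s[0], $s[1], $name === null ? 'rejected' : "stored as $name");
    }
} elseif (isset($_FILES['userfile'])) {
    // '/var/uploads' is a hypothetical directory outside the web root.
    $path = handle_upload($_FILES['userfile'], '/var/uploads');
    echo $path === null ? "Upload rejected.\n" : "File stored.\n";
}
```

The content-type check is a filter, not a guarantee; what keeps an uploaded file from running is the server-chosen name together with a storage directory the web server does not execute scripts from.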