PHP file upload question

Posted: Tue Oct 05, 2010 9:03 pm
by iliekphp
Hi, I'm experimenting with different ways to stop PHP shell uploads, and some ways to bypass them. I'm trying it on my localhost. I'm messing around with verification through file extensions. Here's the code:

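<?php

// Extensions that should be rejected
$blacklist = array(".php", ".phtml");

foreach ($blacklist as $item) {
    // Only the end of the client-supplied name is checked, so file.php.jpg passes.
    // preg_quote() makes the dot literal instead of "any character".
    if (preg_match("/" . preg_quote($item, "/") . "\$/i", $_FILES['userfile']['name'])) {
        echo "We do not allow uploading PHP files\n";
        exit;
    }
}

// The file is stored under its original name inside the web-accessible uploads/ directory
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>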
It does seem to work; here's where I have my question. I changed the file extension to file.php.jpg to see if it could bypass it and it did upload. When I browse to it though I get this:
It just prints out the path for some reason.

So I have two questions: why does that happen? Is there a way to get this to upload and parse it as a PHP file instead of an image? I mean so it actually executes the shell. And if there is, what other precautions can you take to prevent people from uploading these shells? Thanks for any help, I'm trying to understand both sides here. I'm using PHP 5.3.1 by the way.

Re: PHP file upload question

Posted: Wed Oct 06, 2010 1:19 pm
by twinedev
Firefox will print the path of the file if it sees a file is there, but it doesn't detect that it is an actual image like it is expecting.

Another good thing to do is search the file for <? and <?php tags to try to catch those scripts.

-Greg

Re: PHP file upload question

Posted: Wed Oct 06, 2010 1:22 pm
by Monotoko
Also search for other "script-like" things such as the ASP opening tags or "print" and "echo".

I once had someone upload and remotely execute a Python script that did quite a bit of damage; searching for known and used functions usually puts a stop to it.

Re: PHP file upload question

Posted: Wed Oct 06, 2010 5:02 pm
by iliekphp
Monotoko wrote: Also search for other "script-like" things such as the ASP opening tags or "print" and "echo".

I once had someone upload and remotely execute a Python script that did quite a bit of damage; searching for known and used functions usually puts a stop to it.
Thanks, that's a pretty good idea. I hadn't thought of that yet.
twinedev wrote: Firefox will print the path of the file if it sees a file is there, but it doesn't detect that it is an actual image like it is expecting.
So it has to do with the browser? Because I tried it on Internet Explorer and it just printed out the PHP code. Are there any browsers that detect it as a script?

Re: PHP file upload question

Posted: Thu Oct 07, 2010 11:37 am
by flying_circus
Kai has posted some good information on this subject (uploading files), so run a search in this forum.

What exactly are you trying to accomplish?

You should never trust any files that your users upload. Ideally you would want to store uploaded files outside of the document root, so that they cannot be directly accessed. You want to strip the file name and extension, but keep track of these in a database, and rename the file to some unique key that you also store in the database. To access the files, you'll want to create a proxy page to access them.

When you try to serve the file to the user, they'll access it like:
http://www.example.org?getfile=*unique_id*.

At this point, your script will query the database for the unique id, then send the file, with its original name, to the user to download.

This type of a system will allow you to accept uploads and redistribute them to your users as downloads, but your server will never try to execute them.
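
The storage scheme described in the post above, sketched as an added example (not code from any poster in this thread). It assumes PHP 7 or later with pdo_sqlite; the directory, database path and table name are hypothetical, while the `userfile` field and `getfile` parameter follow the thread.

```php
<?php
// Added example: STORE_DIR, DB_PATH and the "files" table are assumptions, not from the thread.
const STORE_DIR = '/var/uploads';               // assumed to lie outside the document root
const DB_PATH   = '/var/uploads/files.sqlite';

function db(): PDO {
    $pdo = new PDO('sqlite:' . DB_PATH);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS files (id TEXT PRIMARY KEY, orig_name TEXT NOT NULL)');
    return $pdo;
}

// Store the upload under a random key; the client-supplied name is kept only as data.
function store_upload(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $id = bin2hex(random_bytes(16));            // 32 hex characters, no extension on disk
    if (!move_uploaded_file($file['tmp_name'], STORE_DIR . '/' . $id)) {
        throw new RuntimeException('could not store file');
    }
    db()->prepare('INSERT INTO files (id, orig_name) VALUES (?, ?)')
        ->execute([$id, basename($file['name'])]);
    return $id;
}

// Proxy page: the key reaches the filesystem only after the database confirms we issued it.
function send_download(string $id): void {
    $stmt = db()->prepare('SELECT orig_name FROM files WHERE id = ?');
    $stmt->execute([$id]);
    $name = $stmt->fetchColumn();
    if ($name === false) {
        http_response_code(404);
        return;
    }
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);  // no quotes or CR/LF in the header
    header('Content-Type: application/octet-stream');       // never the uploader's claimed type
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    readfile(STORE_DIR . '/' . $id);            // bytes are streamed, never include()d or executed
}

if (isset($_GET['getfile']) && is_string($_GET['getfile'])) {
    send_download($_GET['getfile']);
} elseif (isset($_FILES['userfile'])) {
    echo 'Stored as ', store_upload($_FILES['userfile']), "\n";
}
```

Because the file on disk has no extension and sits outside the web root, a name such as file.php.jpg never influences how the server handles it; it only reappears in the download header.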

Re: PHP file upload question

Posted: Sun Oct 10, 2010 5:52 am
by iliekphp
I apologize for replying so late. I just didn't have time to do much for the last couple of days, sorry again.

What I'm trying to accomplish is just figuring out how all this works; I'm not really trying to accomplish anything on a specific project. Thanks for the information you posted, and the information about "Kai" which I'll be sure to search for. This solves my first question about a more secure option for file uploading. I still have one though that wasn't really completely answered. Why doesn't uploading it as soandso.php.jpg work? It uploads, but the server seems to read it improperly or something (see original post). What causes that? Is there a way to make that work? And if there isn't, wouldn't that in itself be enough to secure your uploading script?