How was my image upload script exploited
Posted: Sat Sep 08, 2007 10:02 pm
by dapaintballer331
Somehow users uploaded a file called "muhacir.php" to my image upload folder, and used it to delete EVERYTHING on my website.
How did they get a .jpeg/.gif extension file to upload&rename&execute?
I know mime types can be spoofed, so I thought file extensions would work.
If that isn't the case, how did they upload a .php file? I tried using null bytes on my own server and even that wouldn't work, the filename was still .php%00.jpeg
Any ideas?
Posted: Sat Sep 08, 2007 10:09 pm
by John Cartwright
We will have to see your code.
Posted: Sun Sep 09, 2007 5:21 am
by VladSun
As far as I understood you've tried this:
http://ha.ckers.org/blog/20070604/passi ... imagesize/
Yes, we will need your code

Re: How was my image upload script exploited
Posted: Sun Sep 09, 2007 7:06 am
by superdezign
dapaintballer331 wrote: I know mime types can be spoofed, so I thought file extensions would work.
You think MIME types are easier to spoof than file extensions?
Re: How was my image upload script exploited
Posted: Sun Sep 09, 2007 7:58 am
by feyd
superdezign wrote: dapaintballer331 wrote: I know mime types can be spoofed, so I thought file extensions would work.
You think MIME types are easier to spoof than file extensions?
Both are easy to fake.
Posted: Sun Sep 09, 2007 1:27 pm
by dapaintballer331
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
Code:
if(isset($Submit)){
    $file=$_FILES['imagefile']['name'];
    $filetype=substr($file,-4);
    if (!file_exists('upload/'.$_FILES['imagefile']['name'])) {
        if($filetype=="jpeg"|$filetype==".gif"|$filetype==".png"|$filetype==".jpg"|$filetype==".bmp"){
            copy($_FILES['imagefile']['tmp_name'],"upload/".$_FILES['imagefile']['name'])
                or die("Could not copy");
            echo"<br>Upload Complete";
            echo"<br>Name: ".$_FILES['imagefile']['name']."";
            echo"<br>Size: ".$_FILES['imagefile']['size']." bytes";
            echo"<br>URL: " . $filelocation . "upload/" . $_FILES['imagefile']['name'];
            echo"<br>Type: ".$_FILES['imagefile']['type']."<br>";
        }else{
            echo"<br>Upload Error";
            echo"<br>Could Not Copy, Wrong Filetype (".$_FILES['imagefile']['name'].")<br>";
        }
    } else {
        echo 'A image with the same name already exists. Feel free to rename your file then reupload.';
    }
}
Honestly I didn't write the code, but I couldn't have done any better, if I give them direct access to the file like this script does.
Posted: Sun Sep 09, 2007 1:53 pm
by jmut
dapaintballer331 wrote: Honestly I didn't write the code, but I couldn't have done any better, if I give them direct access to the file like this script does.
As a start you should not use copy() but rather
http://www.php.net/manual/en/function.m ... d-file.php
Posted: Tue Sep 11, 2007 4:47 am
by mrkite
You're using bitwise-or | instead of logical-or ||.
This is how they broke your uploader.
Code:
if ($filetype=="jpeg"|$filetype==".gif"|$filetype==".png"|$filetype==".jpg"|$filetype==".bmp")
bitwise-or has a higher precedence than equality. So basically the above is equivalent to:
Code:
if ($filetype==("jpeg"|$filetype)==(".gif"|$filetype)==(".png"|$filetype)==(".jpg"|$filetype)==".bmp")
Change those back to || and try uploading a regular php file
Whenever I have people upload images, I never care what the original filename was. I use ImageMagick to convert their tmp_name into a jpeg before it moves into webspace.
edit: deleted extraneous examples which weren't true for php5.
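The hardened form of the script quoted above, combining jmut's advice (treat the file as an upload, not a plain copy) and mrkite's (ignore the original filename and re-encode the image before it reaches webspace). This is an added example, not code from any poster; it assumes PHP 8 with the GD extension, a form field named imagefile, and an upload/ directory that is writable by PHP and served without script execution. Because getimagesize() alone can be fooled (the ha.ckers post VladSun linked), the image is decoded and re-written with GD so only pixel data survives.

```php
<?php
// Added example: hardened upload handler. Assumes PHP 8 + GD and that
// 'upload/' is served as static files only (no PHP handler for that path).
function handle_image_upload(array $file, string $dir = 'upload/'): string
{
    // Reject anything PHP did not itself receive as a form upload.
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }
    // Whitelist by detected content, never by the client-supplied name or
    // $_FILES['type']; both are fully attacker-controlled.
    $info = getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('Not an image');
    }
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException('Unsupported image type');
    }
    // Re-encode with GD: anything that is not pixel data (e.g. code appended
    // after a valid image header) does not survive the round trip.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }
    // Server-chosen name: random, single extension, original name discarded.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = rtrim($dir, '/') . '/' . $name;
    $ok = match ($info[2]) {
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 85),
        IMAGETYPE_PNG  => imagepng($img, $dest),
        IMAGETYPE_GIF  => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    return $name;
}
if (isset($_POST['Submit'], $_FILES['imagefile'])) {
    try {
        $saved = handle_image_upload($_FILES['imagefile']);
        echo '<br>Upload Complete<br>Name: ' . htmlspecialchars($saved);
    } catch (RuntimeException $e) {
        echo '<br>Upload Error: ' . htmlspecialchars($e->getMessage());
    }
}
```

Even with this in place, keep the upload directory out of the PHP handler's reach (for Apache, no AddHandler/SetHandler for that path), so a file that slips through still cannot execute.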