是否可以使用扩展名file.php.jpg执行PHP? [英] Is it possible to execute PHP with extension file.php.jpg?

问题描述

站点合法文件image_upload.php用于上传文件89471928047.php.jpg，这是将tmp文件复制到同一图像文件夹的简单文件上传形式. 他们如何设法执行它并通过它上传其他文件.有人知道这怎么可能吗? PHP version was 5.1.6正好在一个小时之前或之后按计划与主机进行了更新，5.3.8 ...这是什么巧合?

Site legit file image_upload.php was used to upload file 89471928047.php.jpg Which was simple file upload form that copy tmp file to same images folder. How they managed to execute it and upload other files trough it. Someone know how this is possible? PHP version was 5.1.6 that being updated exactly hour ago or after by schedule with host to 5.3.8... what a, coincidence?

推荐答案

检查您的.htaccess文件

在.htaccess文件中使用 AddType ，您可以添加许多其他可以运行PHP的扩展.通常，这是在仍在内部使用PHP的同时可以使用.html扩展的方式.所以，是的，有可能:

Check your .htaccess file

Using AddType in your .htaccess file, you can add many other extensions from which PHP can be ran. This is generally how .html extensions can be used while still using PHP within themselves. So, yes, it's possible:

AddType application/x-httpd-php .jpg

如果愿意，您可以测试一下.

You can test this if you like.

1. 创建一个包含两个文件的目录:.htaccess和test.php.jpg
2. 将.htaccess的内容设置为AddType application-x-httpd-php .jpg
3. 将test.php.jpg的内容设置为<?php echo 'foo'; ?>
4. 通过本地主机访问test.php.jpg

1. Create a directory with two files: .htaccess and test.php.jpg
2. Set content of .htaccess to AddType application-x-httpd-php .jpg
3. Set content of test.php.jpg to <?php echo 'foo'; ?>
4. Access test.php.jpg through localhost

如果一切按计划进行，"foo"将输出到您的屏幕.如果愿意，可以扩展此范围以移动/tmp个文件.

If all goes as planned, "foo" will be output to your screen. You could expand upon this to move /tmp files around if you like.

绝对要特别小心.

另一种可能的方法是通过调用require()或include()(或任何_once()方法)，黑客可以在其中加载已上传的badfile.php.jpg文件以无辜的形象为掩饰:

Another way this could have been done is through a call to require() or include() (or any of the _once() methods) where by the hacker was able to load in his badfile.php.jpg file that had been uploaded under the guise of an innocent image:

<?php

  include $_GET["file"];

?>

在上述情况下(简化示例)，黑客可以传递到其.php.jpg文件的路径，并将其内容加载并作为PHP代码进行处理.

In the above case (simplified example), the hacker could pass in a path to his .php.jpg file and have its contents loaded in and processed as PHP code.

Require，Include及其相关方法不是处理外部脚本的唯一方法-不幸的是，您也可以使用eval().我希望您没有任何这种情况.如果服务器上确实有任何脚本正在使用文件功能中的任何一个来读取另一个脚本的内容，然后使用eval()将该内容评估为PHP，则这也可能在您的网站中提供巨大的安全漏洞.

Require, Include, and their related methods aren't the only ways you can process external scripts - unfortunately you can use eval() as well. I would hope that you have none of this going on though. If you did have any scripts on your server that were using any one of the file functions to read the contents of another script, and then eval() to evaluate that content as PHP, this could also provide a gaping security hole in your website.

这篇关于是否可以使用扩展名file.php.jpg执行PHP?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！