是否可以执行扩展名为 file.php.jpg 的 PHP? [英] Is it possible to execute PHP with extension file.php.jpg?
问题描述
站点合法文件 image_upload.php 用于上传文件 89471928047.php.jpg 这是一种简单的文件上传形式,将 tmp 文件复制到同一图像文件夹.他们如何设法执行它并通过它上传其他文件.有人知道这怎么可能吗?PHP 版本是 5.1.6 恰好在一个小时之前或之后与主机一起更新到 5.3.8 ......什么,巧合?
Site legit file image_upload.php was used to upload file 89471928047.php.jpg Which was simple file upload form that copy tmp file to same images folder.
How they managed to execute it and upload other files trough it. Someone know how this is possible?
PHP version was 5.1.6 that being updated exactly hour ago or after by schedule with host to 5.3.8... what a, coincidence?
推荐答案
检查您的 .htaccess 文件
使用 AddType在您的 .htaccess 文件中,您可以添加许多其他可以运行 PHP 的扩展.这通常是 .html 扩展可以在其自身内部使用 PHP 的同时使用的方式.所以,是的,这是可能的:
Check your .htaccess file
Using AddType in your .htaccess file, you can add many other extensions from which PHP can be ran. This is generally how .html extensions can be used while still using PHP within themselves. So, yes, it's possible:
AddType application/x-httpd-php .jpg
如果你愿意,你可以测试这个.
You can test this if you like.
- 创建一个包含两个文件的目录:.htaccess 和 test.php.jpg
- 将.htaccess的内容设置为
AddType application-x-httpd-php .jpg - 设置test.php.jpg的内容为
<?php echo 'foo';?> - 通过localhost访问test.php.jpg
如果一切按计划进行,foo"将输出到您的屏幕.如果您愿意,您可以扩展它以移动 /tmp 文件.
If all goes as planned, "foo" will be output to your screen. You could expand upon this to move /tmp files around if you like.
绝对是你想要非常小心的东西.
Definitely something you want to be very careful with.
另一种方法是通过调用 require() 或 include()(或任何 _once()> 方法),黑客可以在其中加载他以无辜图像为幌子上传的 badfile.php.jpg 文件:
Another way this could have been done is through a call to require() or include() (or any of the _once() methods) where by the hacker was able to load in his badfile.php.jpg file that had been uploaded under the guise of an innocent image:
<?php
include $_GET["file"];
?>
在上述情况下(简化示例),黑客可以传入他的 .php.jpg 文件的路径,并将其内容加载并作为 PHP 代码进行处理.
In the above case (simplified example), the hacker could pass in a path to his .php.jpg file and have its contents loaded in and processed as PHP code.
Require、Include 及其相关方法并不是处理外部脚本的唯一方法——不幸的是,您也可以使用 eval().不过,我希望你不会发生这种情况.如果您的服务器上确实有任何脚本使用任何一个文件函数来读取另一个脚本的内容,然后 eval() 将该内容评估为 PHP,这也可以提供您网站上的安全漏洞.
Require, Include, and their related methods aren't the only ways you can process external scripts - unfortunately you can use eval() as well. I would hope that you have none of this going on though. If you did have any scripts on your server that were using any one of the file functions to read the contents of another script, and then eval() to evaluate that content as PHP, this could also provide a gaping security hole in your website.
这篇关于是否可以执行扩展名为 file.php.jpg 的 PHP?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
