Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
742 views
in Technique[技术] by (71.8m points)

security - Is it possible to execute PHP with extension file.php.jpg?

Site legit file image_upload.php was used to upload file 89471928047.php.jpg Which was simple file upload form that copy tmp file to same images folder. How they managed to execute it and upload other files trough it. Someone know how this is possible? PHP version was 5.1.6 that being updated exactly hour ago or after by schedule with host to 5.3.8... what a, coincidence?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Check your .htaccess file

Using AddType in your .htaccess file, you can add many other extensions from which PHP can be ran. This is generally how .html extensions can be used while still using PHP within themselves. So, yes, it's possible:

AddType application/x-httpd-php .jpg

You can test this if you like.

  1. Create a directory with two files: .htaccess and test.php.jpg
  2. Set content of .htaccess to AddType application-x-httpd-php .jpg
  3. Set content of test.php.jpg to <?php echo 'foo'; ?>
  4. Access test.php.jpg through localhost

If all goes as planned, "foo" will be output to your screen. You could expand upon this to move /tmp files around if you like.

Definitely something you want to be very careful with.

Check exposed calls to include/require

Another way this could have been done is through a call to require() or include() (or any of the _once() methods) where by the hacker was able to load in his badfile.php.jpg file that had been uploaded under the guise of an innocent image:

<?php

  include $_GET["file"];

?>

In the above case (simplified example), the hacker could pass in a path to his .php.jpg file and have its contents loaded in and processed as PHP code.

Other (frightening) ideas

Require, Include, and their related methods aren't the only ways you can process external scripts - unfortunately you can use eval() as well. I would hope that you have none of this going on though. If you did have any scripts on your server that were using any one of the file functions to read the contents of another script, and then eval() to evaluate that content as PHP, this could also provide a gaping security hole in your website.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...