PHP Arbitrary File Upload Simple Patching

Saya akan membahas tentang cara simple mempatch PHP Arbitrary File Upload.

Kebanyakan website yang vuln diupload memiliki garis besar seperti ini:

Contoh simple upload.php file upload.

<span style="color: #0000ff;">&lt;?php $uploaddir = 'uploads/'; // Relative path under webroot $uploadfile = $uploaddir . basename($_FILES['userfile']['name']); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo "File is valid, and was successfully uploaded.\n"; } else { echo "File uploading failed.\n"; } ?&gt;</span>

1 2 3 4 5 6 7 8 9

<span style="color: #0000ff;">&lt;?php $uploaddir = 'uploads/'; // Relative path under webroot $uploadfile = $uploaddir . basename($_FILES['userfile']['name']); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo "File is valid, and was successfully uploaded.\n"; } else { echo "File uploading failed.\n"; } ?&gt;</span>

Contoh form yang dipake dalam file index untuk upload:

<span style="color: #0000ff;">&lt;form name="upload" action="upload.php" method="POST" ENCTYPE="multipart/formdata"&gt; Select the file to upload: &lt;input type="file" name="userfile"&gt; &lt;input type="submit" name="upload" value="upload"&gt; &lt;/form&gt;</span>

1 2 3 4

<span style="color: #0000ff;">&lt;form name="upload" action="upload.php" method="POST" ENCTYPE="multipart/formdata"&gt; Select the file to upload: &lt;input type="file" name="userfile"&gt; &lt;input type="submit" name="upload" value="upload"&gt; &lt;/form&gt;</span>

Disini tidak ada code yang memfilter upload filetype.
Jadi kita bisa langsung saja upload: shell.php

Patching yg bisa dilakukan adalah menambahkan filter filetype dalam script upload.php
Contohnya:

<span style="color: #0000ff;">&lt;?php if($_FILES['userfile']['type'] != "image/gif") { echo "Sorry, we only allow uploading GIF images"; exit; } $uploaddir = 'uploads/'; $uploadfile = $uploaddir . basename($_FILES['userfile']['name']); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo "File is valid, and was successfully uploaded.\n"; } else { echo "File uploading failed.\n"; } ?&gt;</span>

1 2 3 4 5 6 7 8 9 10 11 12 13

<span style="color: #0000ff;">&lt;?php if($_FILES['userfile']['type'] != "image/gif") { echo "Sorry, we only allow uploading GIF images"; exit; } $uploaddir = 'uploads/'; $uploadfile = $uploaddir . basename($_FILES['userfile']['name']); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo "File is valid, and was successfully uploaded.\n"; } else { echo "File uploading failed.\n"; } ?&gt;</span>

Untuk “images/gif” bisa diganti dengan “images/jpg” dll…

Kita liat backgound request uploadnya

<span style="color: #0000ff;">POST /upload.php HTTP/1.1 TE: deflate,gzip;q=0.3 Connection: TE, close Host: localhost User-Agent: libwww-perl/5.803 Content-Type: multipart/form-data; Content-Length: 156 Content-Disposition: form-data; name="userfile"; filename="shell.php" ... ... - HTTP/1.1 200 OK Date: Thu, 31 May 2007 13:54:01 GMT Server: Apache X-Powered-By: PHP/5.2.2-pl6-gentoo Connection: close Content-Type: text/html Sorry, we only allow uploading GIF images</span>

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

<span style="color: #0000ff;">POST /upload.php HTTP/1.1 TE: deflate,gzip;q=0.3 Connection: TE, close Host: localhost User-Agent: libwww-perl/5.803 Content-Type: multipart/form-data; Content-Length: 156 Content-Disposition: form-data; name="userfile"; filename="shell.php" ... ... - HTTP/1.1 200 OK Date: Thu, 31 May 2007 13:54:01 GMT Server: Apache X-Powered-By: PHP/5.2.2-pl6-gentoo Connection: close Content-Type: text/html Sorry, we only allow uploading GIF images</span>

Hehehe..
Happy Patching..