File parsing vulnerability
Target environment
Reproduction steps
upload.html
<!DOCTYPE html>
<html>
<head>
    <title>File Upload</title>
</head>
<body>
    <!-- multipart/form-data is required for file uploads -->
    <form action="upload.php" method="post" enctype="multipart/form-data">
        <label for="file">Filename:</label>
        <input type="file" name="file" id="file"/>
        <br/>
        <input type="submit" name="submit" value="submit"/>
    </form>
</body>
</html>
upload.php
<?php
// Deliberately unsafe test handler: the client-supplied file name is used as-is
// and the file is stored inside the web root, which is what makes the parsing
// vulnerability reproducible.
move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);
echo "Stored in " . "upload/" . $_FILES["file"]["name"];
?>
<!DOCTYPE html>
<html>
<head>
    <title>Upload Complete</title>
</head>
<body>
    <h3>File upload succeeded...</h3>
    <ul>
        <li>Sent: <?php echo $_FILES["file"]["name"]; ?></li>
        <li>Size: <?php echo $_FILES["file"]["size"]; ?> bytes</li>
        <li>Type: <?php echo $_FILES["file"]["type"]; ?></li>
    </ul>
</body>
</html>
Then create an upload folder under the web root.
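For comparison, the following is a hardened replacement for the upload handler above. It is an added example, not code from the original page: it validates the upload server-side, sniffs the real content type instead of trusting the client-supplied type, stores the file under a server-generated name so that names like 1.php or 1.php.jpg never reach the filesystem, and writes into a directory that is assumed to be outside the web root. The path /var/www/uploads, the 2 MiB limit and the allowed MIME list are assumptions.

```php
<?php
// Hardened upload handler (added example; not the page's original upload.php).
// Assumptions: PHP 7.x or later with the fileinfo extension enabled, and a
// directory /var/www/uploads that the web server may write to but never executes
// or serves directly.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed path; keep it outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;      // assumed 2 MiB cap

// Allowed real MIME types, mapped to the only extension a file may be stored under.
const ALLOWED = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

function validate_upload(array $file): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Sniff the content; $_FILES['file']['type'] is supplied by the client and is not trusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('disallowed content type');
    }
    return [$mime, ALLOWED[$mime]];
}

function store_upload(array $file): string
{
    [$mime, $ext] = validate_upload($file);

    // Server-generated name: the original name is never used, so the stored
    // path is always <random>.<whitelisted extension>.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // not executable, not world-readable
    return $name;
}

try {
    $stored = store_upload($_FILES['file'] ?? []);
    echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The two design points that matter for this class of bug are the server-generated file name and the storage location: even with the php.ini and php-fpm settings below in place, a handler that stores arbitrary client names inside a PHP-served directory remains a single misconfiguration away from code execution.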
Mitigations
1. Set cgi.fix_pathinfo to 0 in php.ini. PHP will then return 404 when resolving a path such as 1.php/1.jpg as long as 1.jpg does not exist.
2. Set the value of security.limit_extensions in /etc/php5/fpm/pool.d/www.conf to .php
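The following check script verifies that both mitigations are actually in effect on a host. It is an added example, not part of the original page. Because cgi.fix_pathinfo is a per-SAPI setting, the script has to run under php-fpm (for example, served once from the web root and then removed) rather than the CLI; the pool file path is taken from the page and is an assumption for other PHP versions.

```php
<?php
// Mitigation check for the two settings above (added example, not the page's code).
// Run this through php-fpm so that ini_get() reflects the FPM configuration.

declare(strict_types=1);

function check_fix_pathinfo(): bool
{
    // '0' or an empty value means PATH_INFO fixing is off; anything else means it is on.
    $v = ini_get('cgi.fix_pathinfo');
    return $v === false || $v === '' || $v === '0';
}

function check_limit_extensions(string $poolConf): bool
{
    $lines = @file($poolConf, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return false; // an unreadable pool file counts as a failed check
    }
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === ';') {
            continue; // comment line
        }
        if (preg_match('/^security\.limit_extensions\s*=\s*(.*)$/', $line, $m)) {
            // Only .php may be executed; an empty value (no restriction) or extra
            // entries such as .jpg are findings.
            return trim($m[1]) === '.php';
        }
    }
    // The key is absent: php-fpm applies a built-in default, but the advice on
    // this page is to set it explicitly, so report it as not set.
    return false;
}

// Assumed pool file path, taken from the page; newer PHP versions use a different directory.
$results = [
    'cgi.fix_pathinfo = 0'             => check_fix_pathinfo(),
    'security.limit_extensions = .php' => check_limit_extensions('/etc/php5/fpm/pool.d/www.conf'),
];
foreach ($results as $what => $ok) {
    echo $what . ': ' . ($ok ? 'OK' : 'NOT SET') . PHP_EOL;
}
```

Both checks report NOT SET on the default configuration this page reproduces against; after applying the two mitigations and reloading php-fpm, both should report OK.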