PHP¼ì²âÉÏ´«ÎļþµÄÀàÐÍ

תÔØ×Ô£ºhttp://hi.baidu.com/thinkinginlamp/blog/item/5da6905211f719050df3e356.html
×÷ÕߣºÀÏÍõ
×îÀõķ½·¨¾ÍÊÇͨ¹ý$_FILES[...]['type']À´¼ì²âÉÏ´«ÎļþµÄÀàÐÍ£¬ÒòΪֻÐè¼òµ¥ÐÞ¸ÄÎļþÀ©Õ¹Ãû¾Í¿ÉÒÔαÔìËü¡£
ÁíÒ»¸öÏà¶Ô°²È«µãµÄ·½·¨ÊÇͨ¹ýÎļþÍ·Á½¸ö×Ö½ÚµÄÄÚÈÝÀ´ÅжÏÉÏ´«ÎļþµÄÀàÐÍ£¬Àý×Ó´úÂëÈçÏ£º
01 $handle = fopen($_FILES[...]['tmp_name'], 'rb');
02 $content = fread($handle, 2);
03 fclose($handle);
04
05 $info = unpack('c2chars', $content);
06
07 if (empty($info['chars1']) || empty($info['chars2'])) {
08     exit('Error!');
09 }
10
11 if ($info['chars1'] < 0) {
12     $info['chars1'] += 256;
13 }
14 if ($info['chars2'] < 0) {
15     $info['chars2'] += 256;
16 }
17
18 $code = $info['chars1'] . $info['chars2'];
PHPÖеÄpack&unpackº¯ÊýºÜìÅ£¬ÓÐÐËȤµÄ¿ÉÒÔ¿´£ºHandling binary data in PHP with pack() and unpack()
×¢£ºÍøÉÏËÑË÷µÄ´ó¶àÊýÏà¹ØµÄ³ÌÐòûÓÐ×ö256µÄÏà¹Ø²Ù×÷£¬ÕâÊÇÎÒͨ¹ýÊÔÑéÊý¾Ý×Ô¼ºÒâÒùµÄTDD½á¹û£¬²»¿Ï¶¨ÊÇ·ñÒ»¶¨ÕýÈ·£¬¶ÁÕß×Ô¼ºÕå×á£
ͨ¹ýswitchÅжÏ$code±äÁ¿£¬¾Í¿ÉÒÔ¶ÔÓ¦µ½ÎļþÀàÐÍ£¬³£¼ûµÄͼƬÀàÐͽá¹û´óÖÂÈçÏ£º
GIF£º7173
JPG£º255216
PNG£º13780
µ±È»Ò²¿ÉÒÔÅжÏÆäËûµÄÎļþÀàÐÍ£¬×Ô¼º×ö×öÊÔÑé¾ÍÖªµÀÊýÖµ´óСÁË¡£µ«´Ë·½·¨Ò²²»ÊÇÒ»¶¨°²È«µÄ£¬ÒòΪǰÁ½¸ö×Ö½ÚµÄÄÚÈÝÒ²ÊÇ¿ÉÒÔαÔìµÄ£¬ËùÒÔ×îºÃ»¹ÒªÏÞÖÆÒ»ÏÂÎļþµÄÀ©Õ¹Ãû£¬ÒÔ·ÀÒâÍâµÄ½âÎö£¬±ÈÈç˵£¬Äã´´½¨Ò»¸öÃûΪfoobar.phpµÄÎļþ£¬ÄÚÈÝÈçÏ£º
GIF89
<?php eval(...); ?>
µ±ÄãʹÓÃÇ°Á½¸ö×Ö½ÚÈ¥¼ì²âÎļþÀàÐ͵Äʱºò£¬¾Í»áµÃ³öGIF£º7173µÄ½á¹û£¬¼´±ãʹÓÃshellϵÄfileÃüÁîÈ¥¼ì²â£¬Ò»Ñù»áÎóÈÏΪÊÇGIFͼƬ£º
# file foobar.php
foobar.php: GIF image data 16188 x 26736
ÓÉÓÚÀ©Õ¹ÃûÊÇ.php£¬ÄÇô´ËÎļþ¾Í±»phpÒýÇæ½âÎöÁË£¬Èç´ËÒ»À´¾Í¸øÁ˺ڿÍÒ»¸öweb shell£¬°²È«Ò²¾ÍÎÞ´Ó̸ÆðÁË¡£ËùÒÔ˵ÏÞÖÆÎļþÀ©Õ¹Ãû·Ç³£ÖØÒª£¬Çмǣ¡ÖÁÓÚÒѾ­ÈçºÎ·¢ÏÖÕâÀàαװ£¬×î¼òµ¥µÄ·½·¨ÊÇÔÚÓÃshellÃüÁî¹ýÂËÒ»±é£º
# strings foobar.php
| grep -i "<?php"
<?php eval(...); ?>
Èç¹ûÏë³¹µ×ÆÁ±Î´ËÀàΣÏÕ£¬¿ÉÒÔ¿¼ÂÇʹÓÃgd
£¬imagemagick
£¬graphicsmagick
µÈ¹¤¾ß°ÑÓû§ÉÏ´«µÄͼƬ½øÐбØÒªµÄ±à¼­ºóÔÙת´æ£¬ÕâÑù¾ÍÄÜĨȥ¿ÉÄܵÄǶÈë´úÂë¡