One of my websites, on a hosted space, was attacked yesterday. The hacker told me by e-mail that a product image had been replaced with another image file. This is true, because he put his signature on the old image (file replacement). Is there a security hole in this upload script?
<?php ini_set("memory_limit", "200000000"); // for large images so that we do not get "Allowed memory exhausted"?>
<?php
include_once("configlogin.php");
include("funz.php");
// Check user logged in already:
checkLoggedIn("yes");
// upload the file
if ((isset($_POST["submitted_form"])) && ($_POST["submitted_form"] == "image_upload_form")) {
    $idimg = $_POST['idimg'];
    // file needs to be jpg,gif,bmp,x-png and 4 MB max
    if (($_FILES["image_upload_box"]["type"] == "image/jpeg") && ($_FILES["image_upload_box"]["size"] < 4000000)) {
        // here I choose the final size of the image after the resize
        $max_upload_width = 800;
        $max_upload_height = 600;
        // if the user chose properly then scale down the image according to user preferences
        if (isset($_REQUEST['max_width_box']) and $_REQUEST['max_width_box'] != '' and $_REQUEST['max_width_box'] <= $max_upload_width) {
            $max_upload_width = $_REQUEST['max_width_box'];
        }
        if (isset($_REQUEST['max_height_box']) and $_REQUEST['max_height_box'] != '' and $_REQUEST['max_height_box'] <= $max_upload_height) {
            $max_upload_height = $_REQUEST['max_height_box'];
        }
        // if uploaded image was JPG/JPEG
        if ($_FILES["image_upload_box"]["type"] == "image/jpeg" || $_FILES["image_upload_box"]["type"] == "image/pjpeg") {
            $image_source = imagecreatefromjpeg($_FILES["image_upload_box"]["tmp_name"]);
        }
        // if uploaded image was GIF
        if ($_FILES["image_upload_box"]["type"] == "image/gif") {
            $image_source = imagecreatefromgif($_FILES["image_upload_box"]["tmp_name"]);
        }
        // BMP doesn't seem to be supported so remove it from the image type test above (reject bmps)
        // if uploaded image was BMP
        if ($_FILES["image_upload_box"]["type"] == "image/bmp") {
            $image_source = imagecreatefromwbmp($_FILES["image_upload_box"]["tmp_name"]);
        }
        // if uploaded image was PNG
        if ($_FILES["image_upload_box"]["type"] == "image/x-png") {
            $image_source = imagecreatefrompng($_FILES["image_upload_box"]["tmp_name"]);
        }
        $remote_file = "../immaginiprodotti/" . $_FILES["image_upload_box"]["name"];
        imagejpeg($image_source, $remote_file, 100);
        chmod($remote_file, 0644);
        // get width and height of original image
        list($image_width, $image_height) = getimagesize($remote_file);
        if ($image_width > $max_upload_width || $image_height > $max_upload_height) {
            $proportions = $image_width / $image_height;
            if ($image_width > $image_height) {
                $new_width = $max_upload_width;
                $new_height = round($max_upload_width / $proportions);
            } else {
                $new_height = $max_upload_height;
                $new_width = round($max_upload_height * $proportions);
            }
            $new_image = imagecreatetruecolor($new_width, $new_height);
            $image_source = imagecreatefromjpeg($remote_file);
            imagecopyresampled($new_image, $image_source, 0, 0, 0, 0, $new_width, $new_height, $image_width, $image_height);
            imagejpeg($new_image, $remote_file, 100);
            imagedestroy($new_image);
        }
        imagedestroy($image_source);
        rename($remote_file, "../immaginiprodotti/$idimg.jpg");
        header("Location: prodotti.php");
        exit;
    } else {
        header("Location: prodotti.php");
        exit;
    }
}
?>
function checkPass($login, $password) {
    $login = mysql_real_escape_string($login);
    $password = mysql_real_escape_string($password);
    $login = addslashes($login);
    $password = addslashes($password);
    global $link;
    $query = "SELECT login, password FROM users WHERE login='$login' and password='$password'";
    $result = mysql_query($query, $link)
        or die("checkPass fatal error: " . mysql_error());
    // Check exactly one row is found:
    if (mysql_num_rows($result) == 1 AND !preg_match("[a-z0-9]", $login) AND !preg_match("[a-z0-9]", $password)) {
        $row = mysql_fetch_array($result);
        return $row;
    }
    // Bad Login:
    return false;
} // end func checkPass($login, $password)
The second part of the script is the login control function (from the included config file). Can this checkPass() function also be bypassed by going straight to the protected upload page?
Thanks
Posted on 2014-10-13 10:59:24
Your code is extremely insecure. You are directly using the user-supplied file name as the name of the target you "write this file" to. It is trivial for the user to put a full path in there, and your code will happily scribble their image anywhere on your server:

    $remote_file = "../immaginiprodotti/".$_FILES["image_upload_box"]["name"];
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    imagejpeg($image_source,$remote_file,100);

For example, suppose someone forges an upload and does the equivalent of

    image_upload_box['name'] = '../../../../../../home/sites/example.com/imgs/site-logo.jpg';

You are also vulnerable to SQL injection attacks. This line makes the password "safe":

    $password= mysql_real_escape_string($password);

and then, for some unknown reason, you double-escape the string with addslashes():

    $password=addslashes($password);

This reopens the injection hole. addslashes() is completely useless idiotic garbage. You should remove any knowledge of its existence from your brain. It is not unicode-aware and will allow injection attacks.

Apart from that, the mysql_*() functions are obsolete/deprecated; you should throw away all of this code and start over with mysqli (note the i) or PDO, using proper prepared statements and placeholders.

Your preg_match() calls are also incorrect, making the entire regex useless. You are also trying to do the regex test after the addslashes escaping, which means that a perfectly valid name like Miles O'Brien will be rejected, because addslashes/real_escape_string will turn it into Miles O\\'Brien, and it will be rejected.
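As an added example (not the asker's script and not code from the answer above), here is how the two weak spots the answer points out can be closed in PHP: the file is stored under a server-chosen name derived from the integer product id, its type is sniffed from the bytes rather than taken from `$_FILES[...]['type']`, it is re-encoded through GD before it touches the web root, and the login check uses a PDO prepared statement with `password_verify()` instead of `mysql_*`, `addslashes()` and the broken regex. The upload directory constant, the `users` table layout (`id`, `login`, `password_hash`) and the 4 MB limit are assumptions; the resize logic from the question is left out because it is not part of the security problem.

```php
<?php
declare(strict_types=1);

// Assumed layout: the image directory sits next to the web root, as in the question.
const UPLOAD_DIR = __DIR__ . '/../immaginiprodotti';
const MAX_BYTES  = 4000000; // same 4 MB limit as the original script

/**
 * Store an uploaded product image under a name the server chooses.
 * Returns the final path, or null if the upload is rejected for any reason.
 * Neither the client-supplied filename nor the client-supplied MIME type is used.
 */
function saveProductImage(array $file, int $idimg): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // is_uploaded_file() guards against a forged tmp_name pointing at a local file.
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        return null;
    }
    // Detect the real image type from the file contents.
    $info = getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    switch ($info[2]) {
        case IMAGETYPE_JPEG: $src = imagecreatefromjpeg($file['tmp_name']); break;
        case IMAGETYPE_GIF:  $src = imagecreatefromgif($file['tmp_name']);  break;
        case IMAGETYPE_PNG:  $src = imagecreatefrompng($file['tmp_name']);  break;
        default:             return null; // anything else, BMP included, is rejected
    }
    if ($src === false) {
        return null;
    }
    // The destination is built from a validated integer only: no path separators,
    // no attacker-chosen extension, nothing outside UPLOAD_DIR.
    $dest = UPLOAD_DIR . '/' . $idimg . '.jpg';
    // Re-encoding writes a fresh JPEG and discards any non-image payload.
    $ok = imagejpeg($src, $dest, 90);
    imagedestroy($src);
    if (!$ok) {
        return null;
    }
    chmod($dest, 0644);
    return $dest;
}

/**
 * Replacement for checkPass(): one parameterised query, then a hash comparison.
 * The login string never reaches SQL as text, so no escaping layer is needed.
 */
function checkPass(PDO $db, string $login, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, login, password_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same result for unknown user and wrong password
    }
    unset($row['password_hash']);
    return $row;
}

// Usage inside the upload handler, after the login check has passed:
$idimg = filter_var($_POST['idimg'] ?? '', FILTER_VALIDATE_INT);
if ($idimg === false || !isset($_FILES['image_upload_box'])
    || saveProductImage($_FILES['image_upload_box'], $idimg) === null) {
    http_response_code(400);
    exit('upload rejected');
}
header('Location: prodotti.php');
exit;
```

Two points worth keeping in mind when adapting this: the `configlogin.php` include and `checkLoggedIn("yes")` call from the question still have to run before this handler, since file validation does nothing about an unauthenticated request reaching the page; and the `password_hash` column assumes passwords are stored with `password_hash()`, so an existing table with plaintext passwords needs a one-time migration before `password_verify()` can be used.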
https://stackoverflow.com/questions/26338300