
PHP file upload security

https://www.acunetix.com/websitesecurity/upload-forms-threat/

https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload


Some ways to create malicious files, such as images with PHP code hidden in comments or descriptions ...

ImageTragick!


https://help.shopify.com/en/manual/orders/fraud-analysis

Beating getimagesize()

The getimagesize() function checks whether the file parses as an image and returns a "mime" entry that can be used to verify the image type.

Insecure configuration (the regex is not anchored, so the PHP handler also fires for a name such as output.php.gif):

 <FilesMatch ".+\.ph(p([3457s]|\-s)?|t|tml)">
   SetHandler application/x-httpd-php
 </FilesMatch>

Secure configuration (the trailing $ requires the PHP extension to be the last one in the name):

 <FilesMatch ".+\.ph(p([3457s]|\-s)?|t|tml)$">
   SetHandler application/x-httpd-php
 </FilesMatch>

If the service is up and running with the insecure configuration, anyone can beat the getimagesize() check by writing PHP code into a GIF comment: the file still parses as a valid image, and because the pattern is not anchored, a name like output.php.gif is still handed to the PHP handler.

To do that, install the 'gifsicle' utility on Kali or Ubuntu:

 For Kali Linux: apt-get install gifsicle
 For Ubuntu: sudo apt-get install gifsicle

Once installed, the command below writes the PHP code into the GIF's comment block:

 gifsicle < mygif.gif --comment "<?php echo 'Current PHP version: ' . phpversion(); ?>" > output.php.gif
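As an added example that is not part of the original post: a Python script that applies the two FilesMatch patterns above to upload names the way Apache does (an unanchored regex search, which Python's re module evaluates identically for this pattern) and shows a defender-side validate_upload() that does not rely on a getimagesize()-style content check alone. The GIF bytes and the validation function are constructed for this example.

```python
import re
import secrets

# The two <FilesMatch> patterns from the page; only the second is anchored with `$`.
INSECURE_PATTERN = re.compile(r".+\.ph(p([3457s]|\-s)?|t|tml)")
SECURE_PATTERN = re.compile(r".+\.ph(p([3457s]|\-s)?|t|tml)$")

# Allowlisted final extensions and the magic bytes each one must start with.
ALLOWED = {"gif": (b"GIF87a", b"GIF89a"), "png": (b"\x89PNG\r\n\x1a\n",), "jpg": (b"\xff\xd8\xff",)}


def handled_as_php(filename, pattern):
    """Apache evaluates FilesMatch as an unanchored regex search over the file name."""
    return pattern.search(filename) is not None


def sniff_image(data):
    """Magic-byte check in the spirit of getimagesize(): returns the type or None."""
    for ext, magics in ALLOWED.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_upload(original_name, data):
    """Return a server-chosen file name for a valid upload, or None to reject it."""
    # 1. Only the final extension counts, so output.php.gif is judged as "gif".
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in ALLOWED:
        return None
    # 2. The content must be an image of the claimed type. On its own this is not
    #    enough: a GIF with PHP in its comment block passes, as the page describes.
    if sniff_image(data) != ext:
        return None
    # 3. Drop the user-supplied name entirely. The stored name carries a single
    #    server-chosen extension, so no FilesMatch rule, anchored or not, sees ".php".
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample: a minimal 1x1 GIF89a whose comment extension (0x21 0xFE)
# carries the same harmless phpversion() snippet the page writes with gifsicle.
PHP_COMMENT = b"<?php echo 'Current PHP version: ' . phpversion(); ?>"
GIF_WITH_PHP = (
    b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"          # logical screen descriptor
    + b"\x21\xfe" + bytes([len(PHP_COMMENT)]) + PHP_COMMENT + b"\x00"
    + b"\x3b"                                              # trailer
)
```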

...


Wow, my excitement for Kali and BackTrack Linux resurfaces!

https://stackoverflow.com/questions/8063057/convert-this-string-to-datetime

 $s = '13/02/2014:10:30:00'; // constructed sample in the d/m/Y:H:i:s format
 $date = date_create_from_format('d/m/Y:H:i:s', $s);
 $date->getTimestamp();


curl --location --request POST 'yoursite.local/api/uploadArrivalFile' \
  --header 'username: api_user' \
  --header 'password: api_pass#1234' \
  --header 'Cookie: ci_session=9f12ea18b74bcb7a5c412492ffbc5809cb7d4ac8' \
  --form 'file_upload=@"/C:/Users/kkk/Documents/stg-price-256-err.PNG"'

=> By using Postman, I can see which parameter has to be passed to curl in order to send the file.

=> It is a form parameter.


 // PHP equivalent of the --form option above, as an entry of the CURLOPT_POSTFIELDS array:
 'file_upload' => curl_file_create($filePath)


