<?php
// Destination path is built directly from the client-supplied filename.
// basename() strips any directory part but says nothing about the extension.
$targetDirectory = "upload/";
$targetFile = $targetDirectory . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
// The only checks: no overwrite of an existing file, and a size cap.
if (file_exists($targetFile)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
if ($_FILES["fileToUpload"]["size"] > 2000000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
} else {
    // Any file type, .php included, is moved into the web-reachable upload/ directory.
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
        echo "The file " . basename($_FILES["fileToUpload"]["name"]) . " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>
upload.php before the fix
The handler does not inspect the uploaded file at all. An attacker can upload a PHP web shell, then request it under upload/ and the server executes it; that is the file upload vulnerability.
<?php
$targetDirectory = "upload/";
$targetFile = $targetDirectory . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
// Blacklist filter: reject any filename containing the substring ".php".
// str_contains() needs PHP 8.0+ and is case-sensitive.
$filter = ".php";
if (str_contains(basename($_FILES["fileToUpload"]["name"]), $filter)) {
    echo "Dont Upload This File!<br>";
    $uploadOk = 0;
}
if (file_exists($targetFile)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
if ($_FILES["fileToUpload"]["size"] > 2000000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
        echo "The file " . basename($_FILES["fileToUpload"]["name"]) . " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>
upload.php after the fix
Filtering the string ".php" out of the filename blocks the upload of a PHP web shell named that way. Note that this is a substring blacklist: str_contains() is case-sensitive, so the check only covers names that literally contain ".php", and it cannot know which other extensions the server's PHP handler is mapped to. An allowlist of the few extensions the application actually needs, combined with a content check, is the more robust shape of this fix.