I am currently running some tests on pieces of code from an old project. I found something that looks like it could be an exploit, but I cannot manage to exploit it completely. Here is the code:
<?php
// Upload handler under review ($target and $nom_file are set elsewhere; they are not defined in this snippet)
if (isset($_POST['update']))
{
    if ($_FILES['fichier']['name'])
    {
        // Content check: getimagesize() returns false when the file is not a recognised image
        $infos_img = getimagesize($_FILES['fichier']['tmp_name']);
        // Extension check: only the last three characters of the name are compared
        if ($infos_img != false && (substr($nom_file, -3) == "gif")) # ???
        {
            // The file is stored under the client-supplied name
            if (move_uploaded_file($_FILES['fichier']['tmp_name'], $target.$_FILES['fichier']['name']))
            {
                chmod($target.$_FILES['fichier']['name'], 0644);
            }
            else
                echo "<div class=\"errormsg\"><b>Error</b><br><br><b>".$_FILES['fichier']['error']."</b></div>";
        }
        else
            echo "<div class=\"errormsg\">Not image !</div>";
    }
}
The objective is to manage to upload an executable file to the server. As you can see in this code, the extension is checked by substr() and the image by getimagesize().
As for getimagesize(), it would be enough to edit a real GIF in a hex editor and inject PHP code into it. But the problem comes when naming the file...
The basic idea is to use a double extension, but I do not see how to execute this file afterwards, especially if it is interpreted as a GIF. Maybe I am totally wrong.
What do you advise me?
Thank you in advance for your help,
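For comparison, here is a hardened version of the handler above, added as an editorial example (not the poster's code): it whitelists the last extension instead of using substr(), checks the content with both finfo and getimagesize(), re-encodes the image with GD, and stores it under a random name. The names $uploadDir and store_uploaded_gif are assumptions.

```php
<?php
// Added example (editorial, not the poster's code): a hardened replacement for the
// upload handler in the question. Assumed names: $uploadDir is a directory the web
// server never executes scripts from; the form field is still called "fichier".

function store_uploaded_gif(array $file, string $uploadDir): string
{
    // 1. Only accept files that really went through PHP's upload machinery.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }
    // 2. Whitelist the *last* extension of the client name, instead of
    //    substr($name, -3), which also matches names such as "x.xgif".
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'gif') {
        throw new RuntimeException('Only .gif is accepted');
    }
    // 3. Check the content, not just the name: the detected MIME type and the image
    //    type reported by getimagesize() must both say GIF.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $info  = getimagesize($file['tmp_name']);
    if ($finfo->file($file['tmp_name']) !== 'image/gif'
        || $info === false || $info[2] !== IMAGETYPE_GIF) {
        throw new RuntimeException('Not a GIF image');
    }
    // 4. Re-encode with GD: the stored file is rebuilt from the decoded pixels, so
    //    comment blocks and trailing bytes added with a hex editor are not copied.
    $img = @imagecreatefromgif($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('GIF could not be decoded');
    }
    // 5. Never reuse the client-supplied name: a random name plus a fixed extension,
    //    so neither a double extension nor a path traversal reaches the filesystem.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.gif';
    if (!imagegif($img, $dest)) {
        throw new RuntimeException('Could not write image');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $dest;
}

if (isset($_POST['update'], $_FILES['fichier'])) {
    try {
        $saved = store_uploaded_gif($_FILES['fichier'], __DIR__ . '/../uploads');
        echo '<div class="okmsg">Stored as ' . htmlspecialchars(basename($saved)) . '</div>';
    } catch (RuntimeException $e) {
        echo '<div class="errormsg">' . htmlspecialchars($e->getMessage()) . '</div>';
    }
}
```

Pair this with a web-server rule that the upload directory never runs PHP, so that even a file that passes every check is only ever served as static data.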