Site legit file image_upload.php was used to upload file 89471928047.php.jpg Which was simple file upload form that copy tmp file to same images folder. How they managed to execute it and upload other files trough it. Someone know how this is possible? PHP version was 5.1.6 that being updated exactly hour ago or after by schedule with host to 5.3.8... what a, coincidence?

Check your .htaccess file

Using AddType in your .htaccess file, you can add many other extensions from which PHP can be ran. This is generally how .html extensions can be used while still using PHP within themselves. So, yes, it's possible:

AddType application/x-httpd-php .jpg

You can test this if you like.

1. Create a directory with two files: .htaccess and test.php.jpg

2. Set content of .htaccess to AddType application-x-httpd-php .jpg

3. Set content of test.php.jpg to <?php echo 'foo'; ?>

4. Access test.php.jpg through localhost

If all goes as planned, "foo" will be output to your screen. You could expand upon this to move /tmp files around if you like.

Definitely something you want to be very careful with.

Check exposed calls to include/require

Another way this could have been done is through a call to require() or include() (or any of the _once() methods) where by the hacker was able to load in his badfile.php.jpg file that had been uploaded under the guise of an innocent image:

<?php

  include $_GET["file"];

?>

In the above case (simplified example), the hacker could pass in a path to his .php.jpg file and have its contents loaded in and processed as PHP code.

Other (frightening) ideas

Require, Include, and their related methods aren't the only ways you can process external scripts - unfortunately you can use eval() as well. I would hope that you have none of this going on though. If you did have any scripts on your server that were using any one of the file functions to read the contents of another script, and then eval() to evaluate that content as PHP, this could also provide a gaping security hole in your website.

站点合法文件image_upload.php用于上传文件89471928047.php.jpg，这是将tmp文件复制到同一图像文件夹的简单文件上传形式. 他们如何设法执行它并通过它上传其他文件.有人知道这怎么可能吗? PHP version was 5.1.6正好在一个小时之前或之后按计划与主机进行了更新，5.3.8 ...这是什么巧合?

检查您的.htaccess文件

在.htaccess文件中使用 AddType ，您可以添加许多其他可以运行PHP的扩展.通常，这是在仍在内部使用PHP的同时可以使用.html扩展的方式.所以，是的，有可能:

AddType application/x-httpd-php .jpg

如果愿意，您可以测试一下.

1. 创建一个包含两个文件的目录:.htaccess和test.php.jpg

2. 将.htaccess的内容设置为AddType application-x-httpd-php .jpg

3. 将test.php.jpg的内容设置为<?php echo 'foo'; ?>

4. 通过本地主机访问test.php.jpg

如果一切按计划进行，"foo"将输出到您的屏幕.如果愿意，可以扩展此范围以移动/tmp个文件.

绝对要特别小心.

检查公开的呼叫是否包含/要求

另一种可能的方法是通过调用require()或include()(或任何_once()方法)，黑客可以在其中加载已上传的badfile.php.jpg文件以无辜的形象为掩饰:

<?php

  include $_GET["file"];

?>

在上述情况下(简化示例)，黑客可以传递到其.php.jpg文件的路径，并将其内容加载并作为PHP代码进行处理.

其他(令人恐惧的)想法

Require，Include及其相关方法不是处理外部脚本的唯一方法-不幸的是，您也可以使用eval().我希望您没有任何这种情况.如果服务器上确实有任何脚本正在使用文件功能中的任何一个来读取另一个脚本的内容，然后使用eval()将该内容评估为PHP，则这也可能在您的网站中提供巨大的安全漏洞.

本文地址：IT屋 » 是否可以使用扩展名file.php.jpg执行PHP?