Re encoding the image will not stop someone from uploading a shell. The only sure way to prevent it is to re-encode and scan the image for the presence of php tags.

重新编码图像不会阻止某人上传 shell。防止它发生的唯一可靠方法是重新编码和扫描图像是否存在 php 标签。

For an example of a PHP PNG shell that will survive re-encoding

一个PHP PNG shell的例子，它可以在重新编码后继续存在

You can encode web shells into a png image, if you make it right, it will be able to survive the re-encoding as well.

您可以将 web shell 编码为 png 图像，如果编码正确，它也能够在重新编码后幸存下来。

have a look at this

有一个看看这个

Yes it would need to be loaded, probably by a user-supplied variable in an include path, e.g.:

是的，它可能需要通过包含路径中的用户提供的变量加载，例如：

include('templates/' . $_GET['page']);

They could also have allowed the user to set the whole filename with a .php extension so all they'd need to do is load it in a browser.

他们还可以允许用户使用 .php 扩展名设置整个文件名，因此他们需要做的就是在浏览器中加载它。

Check that getimagesize()doesn't return false, use a random filename, and enforce the file extension. If at all possible don't store the uploaded image in a web-accessible location as it could also contain JS and therefore be an XSS vector.

检查getimagesize()是否不返回 false，使用随机文件名，并强制使用文件扩展名。如果可能的话，不要将上传的图像存储在网络可访问的位置，因为它也可能包含 JS，因此是 XSS 向量。

Re-encoding the image can also let you strip nasty metadata and junk at the end which is permitted by several formats (e.g. JPEG)

重新编码图像还可以让您在末尾去除讨厌的元数据和垃圾，这是几种格式（例如 JPEG）允许的

There are some methods to protect yourself from such tricks. Check them out here

有一些方法可以保护自己免受此类伎俩的侵害。在这里查看它们

Also read thisarticle which explains the attack and ways to tackle it.

另请阅读这篇文章，其中解释了攻击和解决方法。

The main point stressed in these is the use of basenamefunction of php to defer such attacks.

这里强调的重点是利用php的basename函数来延缓此类攻击。

I know there's a way (or was) a way to save a php file as a .gifand have it run the code. In an exploit I saw on the download page the mime type was set as a GIF and the the image was loaded with something to the effect of: require('myimage.gif');When myimage.gifwas actually a PHP file renamed as .gif, including the file would execute the php payload, otherwise the file was just a normal gif. I saw this exploit for an upload script, the hacker also hex edited myimage.gifso that the bytes 47 49 46 38 39preceded the rest of the file. Those bytes are a GIF header and would trick PHP into thinking the file was a GIF allowing the PHP file to be uploaded bypassing the 'advance' file type checking. This could easily be fixed by building better file checking that made sure the entire file was legit. The easiest way I can think of would be to try to load the image with GD and see if it has an error. I don't think GD would execute the PHP payload but I'm not sure, you would have to test. I assume nearly the same exploit was done or could be done for a tiff or any file type.

我知道有一种方法（或曾经是）将 php 文件另存为 a.gif并让它运行代码的方法。在利用我看到MIME类型设置为GIF的下载页面上，并且装有东西的效果的图像：require('myimage.gif');当myimage.gif实际上是一个PHP文件改名.gif，包括文件将执行php的有效载荷，否则文件只是一个普通的gif。我看到了这个上传脚本的漏洞利用，黑客还进行了十六进制编辑，myimage.gif以便字节47 49 46 38 39在文件的其余部分之前。这些字节是一个 GIF 标头，会诱使 PHP 认为该文件是一个 GIF，从而允许绕过“高级”文件类型检查来上传 PHP 文件。这可以通过构建更好的文件检查来轻松解决，以确保整个文件都是合法的。我能想到的最简单的方法是尝试用 GD 加载图像，看看它是否有错误。我认为 GD 不会执行 PHP 负载，但我不确定，您必须进行测试。我假设对 tiff 或任何文件类型已经完成或可以完成几乎相同的利用。

In order to make sure your script is not exploited I would take these steps.

为了确保您的脚本不被利用，我将采取这些步骤。

1) Set a few file types that you can do Array('.png', '.jpg', '.txt', 'etc')if its not in the array DO NOT allow it. Even if you disallow .php, there's still .php3, .php5etc that work on some servers.

1) 设置一些文件类型，Array('.png', '.jpg', '.txt', 'etc')如果它不在数组中，则您可以执行不允许它。即使你不允许.php，.php3, .php5在某些服务器上仍然有其他工作。

2) Gaard against myimage.php.gifby saving the uploaded file to a md5 (or a rand name) of the file name (with the exclusion of the file type) so myimage.php.gifwould become ef0ca703846cdb7a0131ac2889304a27.gif

2)myimage.php.gif通过将上传的文件保存到文件名的 md5（或 rand 名称）（不包括文件类型）来防止，因此myimage.php.gif将成为ef0ca703846cdb7a0131ac2889304a27.gif

3) Check integrity of file, make sure both the header and the rest of the file is legit.

3) 检查文件的完整性，确保文件头和文件的其余部分都是合法的。

4) Do not use require('myimage.gif');instead print it's content

4）不要使用require('myimage.gif');代替打印它的内容

A brilliant solution just came to my mind.
If you store your images on the separate server/domain/CDN/whatever has no direct access to your code, you have your mission accomplished!

我想到了一个绝妙的解决方案。
如果您将图像存储在单独的服务器/域/CDN/任何无法直接访问您的代码的地方，那么您的任务就完成了！

Yes it can. Make a tif file (php-code.tif) with the following code

是的，它可以。使用以下代码制作一个 tif 文件（php-code.tif）

<?php 

  die("TIF file malicious code works");

Then in another script make include 'php-code.tif';

然后在另一个脚本中 make include 'php-code.tif';

See for yourself what happends...

自己看看发生了什么......

Yes include this would mean the attacker has access to your server OR you uploaded the file yourself as a theme or plugin for a cms... oups!

是的，包括这意味着攻击者可以访问您的服务器，或者您自己上传了文件作为 cms 的主题或插件......哎呀！

Now the 2nd part for protecting from such attacks, well I could not find yet a reliable solution, which would work with most CMSs and not involve denying directory listings. Still looking...

现在是防止此类攻击的第二部分，我还没有找到一个可靠的解决方案，它适用于大多数 CMS，并且不涉及拒绝目录列表。还在找...

If you only use the GD functions for manipulating the images you should be ok. To be on the safe side, you may convert all incoming images to a specific format that you may consider "safe" ( i like PNG, or JPG, depending if the output intent is display-in-browser or some kind of hi-quality-print). Also, never use the imoage name supplied by the user on your own filesystem. This way it wont be able to put weird data in the filename. To be even safer, you may use the command-line imagemagik conversion utility. This is both faster, and safer.

如果你只使用 GD 函数来操作图像，你应该没问题。为了安全起见，您可以将所有传入的图像转换为您认为“安全”的特定格式（我喜欢 PNG 或 JPG，具体取决于输出意图是在浏览器中显示还是某种高质量-打印）。此外，切勿在您自己的文件系统上使用用户提供的 imoage 名称。这样它就无法在文件名中放入奇怪的数据。为了更安全，您可以使用命令行 imagemagik 转换实用程序。这既快又安全。

I don't know about this particular exploit, but usually exploits like this make use of bugs in the software that loads the image. If PHP, or more exactly, the library that loads the TIFF image, will allocate an incorrect amount of memory to hold the image, it might try to load the image in less memory space than is reserved. This is called a buffer overrun.

我不知道这个特定的漏洞，但通常像这样的漏洞利用加载图像的软件中的错误。如果 PHP，或者更准确地说，加载 TIFF 图像的库将分配不正确的内存量来保存图像，它可能会尝试在比保留的内存空间更少的内存空间中加载图像。这称为缓冲区溢出。

That also means that a part of the image is loaded in a piece of memory that is not allocated for the image. This part might get executed because it could have actually been reserved for code.

这也意味着图像的一部分被加载到一块没有为图像分配的内存中。这部分可能会被执行，因为它实际上可能是为代码保留的。

These kinds of problems can arise when there is a bug in the image library. I think a bug like this existed for GIFs in IE 5. The amount of memory that was allocated wasn't determined by the actual file size, but by the file size information in the header of the file. This allowed people to make corrupt gif files, ending with a piece of code that was written in the code segment of the process and could be executed.

当图像库中存在错误时，可能会出现此类问题。我认为 IE 5 中的 GIF 存在这样的错误。分配的内存量不是由实际文件大小决定的，而是由文件头中的文件大小信息决定的。这允许人们制作损坏的 gif 文件，以一段编写在进程代码段中并且可以执行的代码结束。

Unless there's a serious bug in PHP's image handling I don't see how PHP code in an image could ever be interpreted by simply working with it or displaying it.

除非 PHP 的图像处理中存在严重错误，否则我看不出如何通过简单地使用或显示图像来解释图像中的 PHP 代码。

However there are ways to use images to do Cross-Site-Scripting attacks on users using Internet Explorer

但是，有一些方法可以使用图像对使用 Internet Explorer 的用户进行跨站点脚本攻击

You also need to be careful that users can't upload images that would be used as PHP input. Eg. be being include()d for some reason or by being uploaded with a .php extension.

您还需要注意用户不能上传将用作 PHP 输入的图像。例如。出于某种原因被 include()d 或通过使用 .php 扩展名上传。

Apache Multiviews might even lead to images named like image.php.jpg be executed under some circumstances (though I'm not sure about this one).

Apache Multiviews 甚至可能导致在某些情况下执行名为 image.php.jpg 的图像（尽管我不确定这一点）。