Обход расширения файла при UPLOAD

07.07.2013, 19:38
jangle
Познающий
Регистрация: 19.11.2006
Сообщений: 32
С нами: 10249722
Репутация: 5
Доброго времени суток!

Помогите пожалуйста обойти проверку расширения файла при загрузке. Загружать файлы с любым содержанием возможно, но вот обойти расширение файла не могу. Задача загрузить файл с последующим выполнением кода. Векторы: 1 - обойти расширение файла, и загрузить что то типа 1.jpg.php, 2 - загрузить графический файл таким обзором что бы при обращении в последствии к нему выполнялся код, что то типа 1.php%00.jpg. Помогите с вариантами. Код формы загрузки:
PHP код:

		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]case[/COLOR][COLOR="#DD0000"]'uploadFiles'[/COLOR][COLOR="#007700"]:

[/COLOR][COLOR="#0000BB"]$canOverwrite[/COLOR][COLOR="#007700"]= ([/COLOR][COLOR="#DD0000"]"1"[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'canOverwrite'[/COLOR][COLOR="#007700"]]) ?[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$doSimulate[/COLOR][COLOR="#007700"]= ([/COLOR][COLOR="#DD0000"]"1"[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'doSimulate'[/COLOR][COLOR="#007700"]]) ?[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$newDir[/COLOR][COLOR="#007700"]= ([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'d'[/COLOR][COLOR="#007700"]]) ?[/COLOR][COLOR="#0000BB"]trim[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'d'[/COLOR][COLOR="#007700"]]) :[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$currDir[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$newDir[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$target[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]AdminFileManager[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]buildPath[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$newDir[/COLOR][COLOR="#007700"]);

        if ([/COLOR][COLOR="#0000BB"]$target[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$target[/COLOR][COLOR="#007700"]) -[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]] !=[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"])

[/COLOR][COLOR="#0000BB"]$target[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$target[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$count[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$report[/COLOR][COLOR="#007700"]=array();

[/COLOR][COLOR="#0000BB"]$tagRed[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$tagEnd[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$singleReport[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Opzioni attive:
Permetti sovrascrizione file: "[/COLOR][COLOR="#007700"].( ([/COLOR][COLOR="#0000BB"]$canOverwrite[/COLOR][COLOR="#007700"])?[/COLOR][COLOR="#DD0000"]"SI"[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#0000BB"]$tagRed[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"NO"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$tagEnd[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]"
"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$singleReport[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Simulazione attiva: "[/COLOR][COLOR="#007700"].( ([/COLOR][COLOR="#0000BB"]$doSimulate[/COLOR][COLOR="#007700"])?[/COLOR][COLOR="#0000BB"]$tagRed[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"SI"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$tagEnd[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#DD0000"]"NO"[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]"
"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$report[/COLOR][COLOR="#007700"][]=[/COLOR][COLOR="#0000BB"]$singleReport[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#FF8000"]// FIXME unificare gestione array

[/COLOR][COLOR="#0000BB"]$arrayext[/COLOR][COLOR="#007700"]=array ([/COLOR][COLOR="#DD0000"]'jpg'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'jpeg'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'gif'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'txt'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'png'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'JPG'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'PDF'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'pdf'[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$array_lang_code[/COLOR][COLOR="#007700"]=array ([/COLOR][COLOR="#DD0000"]'_IT'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'_ES'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'_PT'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'_RU'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'_FR'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'_EN'[/COLOR][COLOR="#007700"]);

        foreach ([/COLOR][COLOR="#0000BB"]$_FILES[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'uplfile'[/COLOR][COLOR="#007700"]] [[/COLOR][COLOR="#DD0000"]'name'[/COLOR][COLOR="#007700"]] as[/COLOR][COLOR="#0000BB"]$filename[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$singleReport[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"-[/COLOR][COLOR="#0000BB"]$filename[/COLOR][COLOR="#DD0000"]: "[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$fileInfo[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]pathinfo[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$filename[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$ext[/COLOR][COLOR="#007700"]= ([/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$fileInfo[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'extension'[/COLOR][COLOR="#007700"]] ) >[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]) ?[/COLOR][COLOR="#0000BB"]$fileInfo[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'extension'[/COLOR][COLOR="#007700"]] :[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"];

            

[/COLOR][COLOR="#FF8000"]// controllo 0) - estesione file

[/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]in_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]strtolower[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ext[/COLOR][COLOR="#007700"]),[/COLOR][COLOR="#0000BB"]$arrayext[/COLOR][COLOR="#007700"])) {

[/COLOR][COLOR="#FF8000"]// controllo sul codice lingua

[/COLOR][COLOR="#0000BB"]$fname[/COLOR][COLOR="#007700"]= ([/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$fileInfo[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'filename'[/COLOR][COLOR="#007700"]] ) >[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]) ?[/COLOR][COLOR="#0000BB"]$fileInfo[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'filename'[/COLOR][COLOR="#007700"]] :[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$lang_code[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$fname[/COLOR][COLOR="#007700"], -[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]);

                if (![/COLOR][COLOR="#0000BB"]in_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$lang_code[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$array_lang_code[/COLOR][COLOR="#007700"])) {

[/COLOR][COLOR="#0000BB"]$temp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$target[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_FILES[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'uplfile'[/COLOR][COLOR="#007700"]] [[/COLOR][COLOR="#DD0000"]'tmp_name'[/COLOR][COLOR="#007700"]] [[/COLOR][COLOR="#0000BB"]$count[/COLOR][COLOR="#007700"]];

[/COLOR][COLOR="#FF8000"]// controlli

                    // 1) file proveniente da un http

[/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]is_uploaded_file[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"])) {

[/COLOR][COLOR="#FF8000"]// 2) c'è stato qualche errore nell'upload

[/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]$_FILES[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'uplfile'[/COLOR][COLOR="#007700"]] [[/COLOR][COLOR="#DD0000"]'error'[/COLOR][COLOR="#007700"]] [[/COLOR][COLOR="#0000BB"]$count[/COLOR][COLOR="#007700"]] ==[/COLOR][COLOR="#0000BB"]UPLOAD_ERR_OK[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$count[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$count[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$temp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$temp[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]basename[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$filename[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$overWrite[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$doMove[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];

                            if ([/COLOR][COLOR="#0000BB"]file_exists[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$temp[/COLOR][COLOR="#007700"])) {

[/COLOR][COLOR="#0000BB"]$overWrite[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"];

                                if ([/COLOR][COLOR="#0000BB"]$canOverwrite[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#FF8000"]// copia

[/COLOR][COLOR="#0000BB"]$doMove[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"];

                                } else {

[/COLOR][COLOR="#0000BB"]$singleReport[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"ERR! FILE ESISTENTE!"[/COLOR][COLOR="#007700"];

                                }

                            } else {

[/COLOR][COLOR="#FF8000"]// copia

[/COLOR][COLOR="#0000BB"]$doMove[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"];

                            }

                            if ([/COLOR][COLOR="#0000BB"]$doMove[/COLOR][COLOR="#007700"]) {

                                if ([/COLOR][COLOR="#0000BB"]$doSimulate[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#FF8000"]// simula risultato true

[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"];

                                } else {

[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]move_uploaded_file[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$temp[/COLOR][COLOR="#007700"]);

                                }

                                if ([/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$singleReport[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]" OK! "[/COLOR][COLOR="#007700"]. (([/COLOR][COLOR="#0000BB"]$overWrite[/COLOR][COLOR="#007700"]) ?[/COLOR][COLOR="#DD0000"]" (sovrascritto!) "[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]);

                                } else {

[/COLOR][COLOR="#0000BB"]$singleReport[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]$tagRed[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" ERR! ERRORE NEL COPIARE IL FILE DA[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$tagEnd[/COLOR][COLOR="#007700"];

                                }

                            }

[/COLOR][COLOR="#0000BB"]$temp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];

                        } else {

[/COLOR][COLOR="#0000BB"]$singleReport[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]$tagRed[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" ERR! - CODICE ERRORE "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_FILES[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'uplfile'[/COLOR][COLOR="#007700"]] [[/COLOR][COLOR="#DD0000"]'error'[/COLOR][COLOR="#007700"]] [[/COLOR][COLOR="#0000BB"]$count[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#0000BB"]$tagEnd[/COLOR][COLOR="#007700"];

                        }

                    } else {

[/COLOR][COLOR="#0000BB"]$singleReport[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]$tagRed[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" ERR! - File non proveniente da protocollo HTTP."[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$tagEnd[/COLOR][COLOR="#007700"];

                    }

                } else {

[/COLOR][COLOR="#0000BB"]$singleReport[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]$tagRed[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" ERR! - File con codice lingua in maiuscolo!"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$tagEnd[/COLOR][COLOR="#007700"];

                }

            } else {

[/COLOR][COLOR="#0000BB"]$singleReport[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]$tagRed[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" ERR! - Estensione del file non supportata `[/COLOR][COLOR="#0000BB"]$ext[/COLOR][COLOR="#DD0000"]` !"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$tagEnd[/COLOR][COLOR="#007700"];

            }

[/COLOR][COLOR="#0000BB"]$report[/COLOR][COLOR="#007700"][]=[/COLOR][COLOR="#0000BB"]$singleReport[/COLOR][COLOR="#007700"];

        

[/COLOR][COLOR="#0000BB"]$cod[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]base64_encode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]gzcompress[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]json_encode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$report[/COLOR][COLOR="#007700"]))) ;

[/COLOR][COLOR="#FF8000"]//var_dump ($cod,json_encode($report)); die ();

[/COLOR][COLOR="#007700"]}

[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Location:[/COLOR][COLOR="#0000BB"]$page[/COLOR][COLOR="#DD0000"].php?d="[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$currDir[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"&op=upload&res="[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]urlencode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cod[/COLOR][COLOR="#007700"])  );

        exit ([/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);

        break;

[/COLOR][/COLOR]
𝕏 Twitter Reddit Telegram Копировать ссылку