Unsafe file download and upload - bypassing MIME type verification (principle of the upload vulnerability)

Principle of the upload vulnerability: bypassing MIME type verification

Bypassing server-side validation (MIME type detection)

What is MIME

MIME (Multipurpose Internet Mail Extensions) is a way of associating a file type, identified by its extension, with an application: when a file with that extension is accessed, the browser automatically opens it with the specified application. It is also used by clients to identify custom file names and to open certain media files.

		In PHP it can be used to restrict many file extensions.

Structure of a MIME type

Each MIME type consists of two parts: the part before the slash is the broad category of data, such as audio for sound or image for pictures; the part after the slash defines the specific type.

Common MIME types (general)

			HTML text .html text/html
			XML document .xml text/xml
			XHTML document .xhtml application/xhtml+xml
			Plain text .txt text/plain
			RTF text .rtf application/rtf
			PDF document .pdf application/pdf
			Microsoft Word file .word application/msword
			PNG image .png image/png
			GIF image .gif image/gif
			JPEG image .jpeg,.jpg image/jpeg
			AU sound file .au audio/basic
			MIDI music file .mid,.midi audio/midi,audio/x-midi
			RealAudio music file .ra,.ram audio/x-pn-realaudio
			MPEG file .mpg,.mpeg video/mpeg
			AVI file .avi video/x-msvideo
			GZIP file .gz application/x-gzip
			TAR file .tar application/x-tar
			Arbitrary binary data application/octet-stream



	**This vulnerability usually lies in the global array $_FILES**
		Using PHP's global array $_FILES, you can upload files from a client computer to a remote server.
		The first index is the form's input name,
		the second index can be "name", "type", "size", "tmp_name" or "error".
			$_FILES["file"]["name"] - name of the uploaded file
			$_FILES["file"]["type"] - type of the uploaded file
			$_FILES["file"]["size"] - size of the uploaded file, in bytes
			$_FILES["file"]["tmp_name"] - name of the temporary copy of the file stored on the server
			$_FILES["file"]["error"] - error code resulting from the file upload
			For details see: http://www.w3school.com.cn/php/php_file_upload.asp

Analysis of the code logic

The front end first submits the request; the code then defines an array (the permitted image upload types) and runs some checks on the uploaded file in the upload_sick function.
The vulnerability exists because upload_sick relies on $_FILES: this global array takes the content-type from the browser's HTTP header, and the content-type is under the control of the front-end user, so the check is easily bypassed.

Workaround

Upload a normal, standard picture and capture the request to look at its content-type. The packet for a normal picture upload carries the content-type image/png, which satisfies the comparison; a file that does not qualify is rejected by the PHP code with "incorrect file type".
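To make the weakness concrete, here is an added example (not the lab's own upload_sick code) that places a check trusting $_FILES['type'], as the analysis above describes, next to a hardened check that ignores the declared type and inspects the temporary file on the server. The function names, the form field name "upload" and the allowed-type list are assumptions for illustration.

```php
<?php
// Added example, not the original page's code. Field name, function names
// and the allowed list are assumptions chosen for illustration.

$allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];

// Weak: $_FILES['upload']['type'] is copied from the Content-Type header of
// the multipart request. The client sets that header, so it proves nothing.
function checkMimeWeak(array $file, array $allowedTypes): bool
{
    return in_array($file['type'], $allowedTypes, true);
}

// Hardened: ignore the declared type, sniff the magic bytes of the temp file,
// require that it decodes as an image, and whitelist the extension that will
// be written to disk against the detected type.
function checkMimeStrict(array $file, array $allowedTypes): bool
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);   // server-side sniffing
    if (!in_array($detected, $allowedTypes, true)) {
        return false;
    }
    if (getimagesize($file['tmp_name']) === false) { // must parse as an image
        return false;
    }
    $extForType = [
        'image/jpeg' => ['jpg', 'jpeg'],
        'image/png'  => ['png'],
        'image/gif'  => ['gif'],
    ];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    return in_array($ext, $extForType[$detected], true);
}

if (isset($_FILES['upload'])) {
    $ok = checkMimeStrict($_FILES['upload'], $allowedTypes);
    echo $ok ? "accepted\n" : "incorrect file type\n";
}
```

Even with the strict check, the saved file should be given a server-chosen name and stored outside the web root, since a file that decodes as a valid image can still carry other content.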


Origin blog.csdn.net/weixin_43079958/article/details/105353324