Skip to content

Code logic error causes file upload getshell #2772

Open
@uuusrc

Description

@uuusrc

Code logic error causes file upload getshell
Verify version:Thinkphp5.1.41/Thinkphp5.0.24
Install:composer create-project topthink/think tp 5.xxx

test version:Thinkphp5.1.41
If the user directly uses the move method of thinkphp
like this:Add an upload controller like the official documentation:https://www.kancloud.cn/manual/thinkphp5_1/354121

<?php
namespace app\index\controller;

class Upload 
{
    public function index(){
        // 获取表单上传文件 例如上传了001.jpg
        $file = request()->file('image');
        // 移动到框架网站目录/uploads/ 目录下
        $info = $file->move( './uploads');
        if($info){
            // 成功上传后 获取上传信息
            // 输出 jpg
            echo $info->getExtension();
            // 输出 20160820/42a79759f284b767dfcb2a0197904287.jpg
            echo $info->getSaveName();
            // 输出 42a79759f284b767dfcb2a0197904287.jpg
            echo $info->getFilename(); 
        }else{
            // 上传失败获取错误信息
            echo $file->getError();
        }
    }

}

Will cause the file with the suffix php to be uploaded directly
Because in thinkphp\library\think\File.php line 272 it is allowed

public function checkImg()
    {
        $extension = strtolower(pathinfo($this->getInfo('name'), PATHINFO_EXTENSION));

        /* 对图像文件进行严格检测 */
        if (in_array($extension, ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf']) && !in_array($this->getImageType($this->filename), [1, 2, 3, 4, 6, 13])) {
            $this->error = 'illegal image files';
            return false;
        }

        return true;
    }

11231231

20221023143515

I think the problem is that true and false are written in reverse. And !in_array getImageType

The logic should be?

public function checkImg()
    {
        $extension = strtolower(pathinfo($this->getInfo('name'), PATHINFO_EXTENSION));

        /* 对图像文件进行严格检测 */
        if (in_array($extension, ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf']) && in_array($this->getImageType($this->filename), [1, 2, 3, 4, 6, 13])) {
            return true;
        }

        return false;
    }

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions