
Code logic error causes file upload getshell

Open uuusrc opened this issue 3 years ago • 5 comments

Verified versions: ThinkPHP 5.1.41 / ThinkPHP 5.0.24

Install: composer create-project topthink/think tp 5.xxx

Test version: ThinkPHP 5.1.41. If the user directly uses the move method of ThinkPHP like this, adding an upload controller like the one in the official documentation: https://www.kancloud.cn/manual/thinkphp5_1/354121

<?php
namespace app\index\controller;

class Upload 
{
    public function index(){
        // Get the file uploaded through the form, e.g. 001.jpg was uploaded
        $file = request()->file('image');
        // Move it to the /uploads/ directory under the framework's web root
        $info = $file->move( './uploads');
        if($info){
            // After a successful upload, get the upload information
            // Outputs jpg
            echo $info->getExtension();
            // Outputs 20160820/42a79759f284b767dfcb2a0197904287.jpg
            echo $info->getSaveName();
            // Outputs 42a79759f284b767dfcb2a0197904287.jpg
            echo $info->getFilename(); 
        }else{
            // Upload failed: get the error message
            echo $file->getError();
        }
    }

}

This will cause a file with the suffix php to be uploaded directly, because it is allowed in thinkphp\library\think\File.php at line 272:

public function checkImg()
    {
        $extension = strtolower(pathinfo($this->getInfo('name'), PATHINFO_EXTENSION));

        /* Strictly check image files */
        if (in_array($extension, ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf']) && !in_array($this->getImageType($this->filename), [1, 2, 3, 4, 6, 13])) {
            $this->error = 'illegal image files';
            return false;
        }

        return true;
    }

I think the problem is that true and false are written in reverse. And !in_array getImageType

The logic should be?

public function checkImg()
    {
        $extension = strtolower(pathinfo($this->getInfo('name'), PATHINFO_EXTENSION));

        /* Strictly check image files */
        if (in_array($extension, ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf']) && in_array($this->getImageType($this->filename), [1, 2, 3, 4, 6, 13])) {
            return true;
        }

        return false;
    }

uuusrc, Oct 23 '22 06:10
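
The two versions of `checkImg()` quoted in the issue above, run side by side over constructed uploads. This is an added example, not part of the original issue or of ThinkPHP's code; the function names and sample inputs are hypothetical, and `imageType()` stands in for `File::getImageType()`.

```php
<?php
// Added example: stand-alone reproduction of the checkImg() decision logic.
// IMAGE_EXTS and IMAGE_TYPES are copied from the snippet in the issue;
// function names and sample uploads are constructed for illustration.
const IMAGE_EXTS  = ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf'];
const IMAGE_TYPES = [1, 2, 3, 4, 6, 13]; // GIF, JPEG, PNG, SWF, BMP, SWC

// Stand-in for File::getImageType(): IMAGETYPE_* constant, or false.
function imageType(string $bytes)
{
    $info = @getimagesizefromstring($bytes);
    return $info ? $info[2] : false;
}

// Same decision as the quoted File.php code: only image extensions are inspected.
function checkImgShipped(string $name, string $bytes): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (in_array($ext, IMAGE_EXTS, true) && !in_array(imageType($bytes), IMAGE_TYPES, true)) {
        return false;
    }
    return true; // every extension outside IMAGE_EXTS ends up here
}

// Same decision as the logic proposed in the issue: image extension AND image content.
function checkImgProposed(string $name, string $bytes): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, IMAGE_EXTS, true) && in_array(imageType($bytes), IMAGE_TYPES, true);
}

// Constructed sample uploads: a minimal 1x1 GIF header and a plain-text body.
$gif  = 'GIF89a' . pack('v2', 1, 1) . "\x00\x00\x00";
$text = "<?php echo 'placeholder'; ?>\n";
$uploads = [
    ['photo.gif',  $gif],
    ['photo.gif',  $text],
    ['page.php',   $text],
    ['report.pdf', $text],
];

printf("%-12s %-8s %-8s %s\n", 'name', 'content', 'shipped', 'proposed');
foreach ($uploads as [$name, $bytes]) {
    printf("%-12s %-8s %-8s %s\n", $name, imageType($bytes) ? 'image' : 'other',
        checkImgShipped($name, $bytes) ? 'accept' : 'reject',
        checkImgProposed($name, $bytes) ? 'accept' : 'reject');
}
```

The shipped logic never inspects extensions outside the image list, so an extension allowlist has to be applied separately, which in ThinkPHP 5.x is done with `$file->validate(['ext' => 'jpg,png,gif'])` before `move()`. The proposed logic rejects every non-image upload, including `report.pdf`.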

This is utterly ridiculous.

0yingteam, Oct 01 '23 13:10