又码了一个周末的代码,这次在做一些关于文件上传的东西,(PHP UPLOAD)小有收获项目是一个BT种子列表,用户有权限上传自己的种子,然后配合BT TRACK服务器把种子的信息写出来.
开始觉得这玩意很简单,结果嘛惨不忍睹.用CodeIgniter的上传类来上传文件,一开始进展蛮顺利的,但发觉走到上传文件类型的时候就走不下去了,我明明添加了.torrent类型为可上传类型,结果无论我怎么传也传不上去,还提示我上传文件类型不对.汗森了,这可是货真价实的种子文件啊,难道CI只认可岛国的种子吗?
打开CI的上传类看代码,原来CI的UPLOAD是通过判断文件的来实现文件识别的.难怪,种子的MIME类型在一般浏览器上返回的都是二进制数据类型,看来只有自己动手改造一下了.
为了尽快完成项目,我直接从控制器(Controller)开始写代码.用$_FILE['file']['name']获取上传文件的文件名,然后用explode函数来获取后缀名,最后再调用CI的UPLOAD来上传文件.
- $config@H_404_17@[@H_404_17@'upload_path'@H_404_17@] = @H_404_17@'./uploads/'@H_404_17@; @H_404_17@@H_404_17@
- $config@H_404_17@[@H_404_17@'allowed_types'@H_404_17@] = @H_404_17@'*'@H_404_17@; @H_404_17@@H_404_17@
- $config@H_404_17@[@H_404_17@'max_size'@H_404_17@] = @H_404_17@'100'@H_404_17@; @H_404_17@@H_404_17@
- $this@H_404_17@->load->library(@H_404_17@'upload'@H_404_17@,@H_404_17@$config@H_404_17@); @H_404_17@@H_404_17@
- $this@H_404_17@->load->helper(@H_404_17@'security'@H_404_17@); @H_404_17@@H_404_17@
- $this@H_404_17@->load->helper(@H_404_17@'date'@H_404_17@); @H_404_17@@H_404_17@
- $this@H_404_17@->load->helper(@H_404_17@'url'@H_404_17@); @H_404_17@@H_404_17@
- $this@H_404_17@->load->model(@H_404_17@'bt_model'@H_404_17@,@H_404_17@''@H_404_17@,TRUE); @H_404_17@@H_404_17@
- $data@H_404_17@[@H_404_17@'source_url'@H_404_17@] = base_url().@H_404_17@'source'@H_404_17@; @H_404_17@@H_404_17@
- $data@H_404_17@[@H_404_17@'base_url'@H_404_17@] = base_url(); @H_404_17@@H_404_17@
- $file@H_404_17@ = @H_404_17@$_FILES@H_404_17@[@H_404_17@'upload_file'@H_404_17@][@H_404_17@'name'@H_404_17@]; @H_404_17@@H_404_17@
- $file_1@H_404_17@ = @H_404_17@explode@H_404_17@(@H_404_17@'.'@H_404_17@,@H_404_17@$file@H_404_17@); @H_404_17@@H_404_17@
- $file_2@H_404_17@ = @H_404_17@$file_1@H_404_17@[@H_404_17@count@H_404_17@(@H_404_17@$file_1@H_404_17@)-1]; @H_404_17@@H_404_17@
- if@H_404_17@(@H_404_17@$file_2@H_404_17@ <> @H_404_17@'torrent'@H_404_17@){ @H_404_17@@H_404_17@
- echo@H_404_17@ @H_404_17@'<script>alert("只能上传类型为torrent的种子文件");</script>'@H_404_17@; @H_404_17@@H_404_17@
- echo@H_404_17@ @H_404_17@'<script>window.location.href="'@H_404_17@.@H_404_17@$data@H_404_17@[@H_404_17@'base_url'@H_404_17@].@H_404_17@'index.PHP/index/post";</script>'@H_404_17@; @H_404_17@@H_404_17@
- return@H_404_17@; @H_404_17@@H_404_17@
- } @H_404_17@
- $data@H_404_17@[@H_404_17@'type'@H_404_17@] = xss_clean(@H_404_17@$this@H_404_17@->input->post(@H_404_17@'type'@H_404_17@)); @H_404_17@@H_404_17@
- $data@H_404_17@[@H_404_17@'name'@H_404_17@] = xss_clean(@H_404_17@$this@H_404_17@->input->post(@H_404_17@'name'@H_404_17@)); @H_404_17@@H_404_17@
- $data@H_404_17@[@H_404_17@'space'@H_404_17@] = xss_clean(@H_404_17@$this@H_404_17@->input->post(@H_404_17@'space'@H_404_17@)); @H_404_17@@H_404_17@
- $data@H_404_17@[@H_404_17@'username'@H_404_17@] = xss_clean(@H_404_17@$this@H_404_17@->input->post(@H_404_17@'username'@H_404_17@)); @H_404_17@@H_404_17@
- $data@H_404_17@[@H_404_17@'time'@H_404_17@] = mdate(@H_404_17@'%Y-%m-%d %G:%i'@H_404_17@,gmt_to_local(time(),@H_404_17@'UP8'@H_404_17@)); @H_404_17@@H_404_17@
- if@H_404_17@(@H_404_17@$data@H_404_17@[@H_404_17@'type'@H_404_17@] == @H_404_17@''@H_404_17@ || @H_404_17@$data@H_404_17@[@H_404_17@'name'@H_404_17@] == @H_404_17@''@H_404_17@ || @H_404_17@$data@H_404_17@[@H_404_17@'space'@H_404_17@] == @H_404_17@''@H_404_17@ || @H_404_17@$data@H_404_17@[@H_404_17@'username'@H_404_17@] == @H_404_17@''@H_404_17@){ @H_404_17@@H_404_17@
- echo@H_404_17@ @H_404_17@'<script>alert("信息填写不完整,请重新填写");</script>'@H_404_17@; @H_404_17@@H_404_17@
- echo@H_404_17@ @H_404_17@'<script>window.location.href="'@H_404_17@.@H_404_17@$data@H_404_17@[@H_404_17@'base_url'@H_404_17@].@H_404_17@'index.PHP/index/post";</script>'@H_404_17@; @H_404_17@@H_404_17@
- return@H_404_17@; @H_404_17@@H_404_17@
- } @H_404_17@
- $this@H_404_17@->upload->do_upload(@H_404_17@'upload_file'@H_404_17@); @H_404_17@@H_404_17@
- echo@H_404_17@ @H_404_17@$this@H_404_17@->upload->display_errors(); @H_404_17@@H_404_17@
- $file@H_404_17@ = @H_404_17@$this@H_404_17@->upload->data(); @H_404_17@@H_404_17@
- $data@H_404_17@[@H_404_17@'url'@H_404_17@] = @H_404_17@$data@H_404_17@[@H_404_17@'base_url'@H_404_17@].@H_404_17@'uploads/'@H_404_17@.@H_404_17@$file@H_404_17@[@H_404_17@'file_name'@H_404_17@]; @H_404_17@@H_404_17@
- $this@H_404_17@->bt_model->insert(@H_404_17@$data@H_404_17@); @H_404_17@@H_404_17@
- echo@H_404_17@ @H_404_17@'<script>alert("上传成功");</script>'@H_404_17@; @H_404_17@@H_404_17@
- echo@H_404_17@ @H_404_17@'<script>window.location.href="'@H_404_17@.@H_404_17@$data@H_404_17@[@H_404_17@'base_url'@H_404_17@].@H_404_17@'";</script>'@H_404_17@; @H_404_17@@H_404_17@
原理大致是这样的,获取上传文件的文件名,然后通过explode()函数来分割文件名以获取后缀,得到后缀之后与允许上传类型做比较,最后上传.
讲到上传,我又想到了原来那个特别流行的MIME上传漏洞.很简单,当网站判断上传文件类型时只判断MIME类型那么就会造成上传漏洞.因为上传时服务器得到的MIME类型是从客户端发过来的,也就是说MIME类型的值是可以被用户控制的,攻击者克构造虚假的MIME类型来上传webshell.
