Day 1 - Wish List (in_array() function defect)

Shooting range: Red Safe, PHP SECURITY CALENDAR 2017, https://www.ripstech.com/php-security-calendar-2017/

The background: I have recently been studying network penetration and asked senior Qin for a tool. He asked, "Have you audited source code yet?" I said, "No." He said, "Then you can start." I said, "OK."

Although I am still very much a beginner, I will be obedient. Until now I have only looked at source code audits when a CTF question required it and never set aside time to train for it specifically, but I feel that being unfamiliar with source code is a problem, and the time spent on development and learning should be put to use. Classmate Xiao Huang recommended the Red Safe shooting range, so I will learn from it (along the way I will note possible loopholes and get familiar with the PHP functions related to the source code, hee hee).


The source code is:

class Challenge {
  const UPLOAD_DIRECTORY = './solutions/';
  private $file;
  private $whitelist;

  public function __construct($file) {
    $this->file = $file;
    $this->whitelist = range(1, 24);   // array of the integers 1..24
  }

  public function __destruct() {
    // Loose comparison: the third argument ($strict) is omitted, so the
    // string filename is compared to the integers with == (see analysis below).
    if (in_array($this->file['name'], $this->whitelist)) {
      move_uploaded_file(
        $this->file['tmp_name'],
        self::UPLOAD_DIRECTORY . $this->file['name']   // filename used as-is
      );
    }
  }
}

// $_FILES['solution'] holds the uploaded file ('name', 'tmp_name', ...);
// the check runs in __destruct when the object is released.
$challenge = new Challenge($_FILES['solution']);


  In PHP, a class member (variable or method) declared as const (a defined constant) or static must be accessed with the :: operator; a member that is neither const nor static is accessed with the -> operator.

  move_uploaded_file() moves an uploaded file to a new location.

  This is an arbitrary file upload vulnerability. It is caused by the unsafe use of the in_array() function to check the uploaded file name: because its third parameter is not set to true, an attacker can bypass the check by constructing a file name such as 7shell.php. in_array() then compares with PHP's loose comparison (==): when the string 7shell.php is compared to an integer, PHP 7 and earlier convert the string to the number 7, and 7 is in the array range(1, 24), so the check passes and an arbitrary file is uploaded. (The cast happens here because the elements of the target array are integers and the comparison is weak. If the third parameter is set to true, the types of the two operands must also match.) Note that PHP 8.0 changed number-to-string comparison so that a non-numeric string such as 7shell.php is no longer converted, but the check remains fragile and should be made strict.


(*) Fix

The root cause of this vulnerability is a weak-typing problem, so it can be fixed with a strict check. For example, set the third parameter of in_array() to true, convert the variable to an integer with intval() before the comparison, or validate the variable with a regular expression.
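To make the analysis and the fix concrete, the following is an added example (not the challenge's own code) that runs the loose check from the source above beside a strict version over a few constructed file names; the helper names and the sample file names are assumptions. On PHP 7 the loose check accepts 7shell.php, while on PHP 8.0 and later it rejects it because of the changed comparison rules; the strict version behaves the same on every version.

```php
<?php
// Added example, not part of the original challenge.
$whitelist = range(1, 24);   // same whitelist as the challenge: integers 1..24

// The challenge's check: loose comparison (== between string and int).
function looseCheck(string $name, array $whitelist): bool {
    return in_array($name, $whitelist);
}

// Hardened check. $_FILES['...']['name'] is always a string, so
// in_array($name, $whitelist, true) alone would reject every upload
// (string "7" !== int 7). Normalise first: accept only a run of digits,
// then compare the integer strictly against the integer whitelist.
function strictCheck(string $name, array $whitelist): bool {
    if (!ctype_digit($name)) {
        return false;   // rejects "7shell.php", "", "-1", " 7"
    }
    return in_array((int)$name, $whitelist, true);
}

// Constructed sample file names, including the bypass from the analysis.
$samples = ['7', '7shell.php', 'shell.php', '0', '25'];

foreach ($samples as $name) {
    printf("%-12s loose=%-4s strict=%s\n",
        $name,
        looseCheck($name, $whitelist) ? 'pass' : 'fail',
        strictCheck($name, $whitelist) ? 'pass' : 'fail');
}
```

Only the plain digit names 1 through 24 pass strictCheck(); a name that passes should still be treated as untrusted input when building the destination path.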


reference:

https://xz.aliyun.com/t/2451


Origin www.cnblogs.com/wkzb/p/12464884.html