An unrestricted file upload vulnerability exists in maxImageUpload/index.php in PHP F1 Max's Image Uploader 1.0.
When Apache is not configured to handle the MIME type of files with a pjpeg or jpeg extension, a remote attacker can execute arbitrary code by uploading a file with a pjpeg or jpeg extension and then accessing it through a direct request to original/.
The problem lies in the following code in maxImageUpload.class.php:
```php
function uploadImage(){
    $result = true;
    if (!isset($_POST['submitBtn'])){
        $this->showUploadForm();
    } else {
        $msg = '';
        $error = '';
        //Check image type. Only jpeg images are allowed
        if ( (($_FILES['myfile']['type'])=='image/pjpeg') || (($_FILES['myfile']['type'])=='image/jpeg')) {
            // Check the output directories
            if ($this->checkDirs()){
                $target_path = $this->originalDir . basename( $_FILES['myfile']['name']);
                if(@move_uploaded_file($_FILES['myfile']['tmp_name'], $target_path)) {
                    $msg = basename( $_FILES['myfile']['name']).
                        " (".filesize($target_path)." bytes) was stored!";
                } else{
                    $error = "The upload process failed!";
                    $result = false;
                }
                // Store resized images
                if ($result){
                    $this->setMemoryLimit($target_path);
                    // Create normal size image
                    $dest = $this->normalDir.$this->normalPrefix.basename($_FILES['myfile']['name']);
                    $this->resizeImage($target_path,$dest,$this->normalWidth,$this->normalHeight,$this->imageQualityNormal);
                    $msg .= "<br/>".basename($dest)." (".filesize($dest)." bytes) was stored!";
                    // Create thumbnail image
                    $dest = $this->thumbDir.$this->thumbPrefix.basename($_FILES['myfile']['name']);
                    $this->resizeImage($target_path,$dest,$this->thumbWidth,$this->thumbHeight,$this->imageQualityThumb);
                    $msg .= "<br/>".basename($dest)." (".filesize($dest)." bytes) was stored!";
                }
            }
        } else {
            echo "Only jpeg images are allowed!";
        }
        $this->showUploadForm($msg,$error);
    }
}
}
```
The file format is checked only with
```php
if ( (($_FILES['myfile']['type'])=='image/pjpeg') || (($_FILES['myfile']['type'])=='image/jpeg')) {
```
that is, against the MIME type the client itself declares, so by setting the request header to
```
Content-Type: image/jpeg
```
the restriction can be bypassed and a file of any format uploaded, including a webshell.
The file is stored under host/maxImageUpload/original/, and requesting host/maxImageUpload/original/webshell.php yields a shell.
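As an added example (not code from the advisory or from F1 Max's Image Uploader), a hardened acceptance check for the same `$_FILES['myfile']` field: it ignores the client-declared `type`, inspects the uploaded bytes with `finfo` and `getimagesize()`, re-encodes the image through GD, and stores it under a server-generated name with a fixed `.jpg` extension. The `$originalDir` argument and the function name are assumptions.

```php
<?php
// Added example: hardened replacement for the type check above.
// Assumes the same $_FILES['myfile'] layout as the original class.

function acceptJpegUpload(array $file, string $originalDir): ?string
{
    // Reject anything PHP flagged during upload, and anything that is
    // not a genuine uploaded temp file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Do NOT consult $file['type']: it is copied verbatim from the
    // client's Content-Type header. Look at the bytes on disk instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        return null;
    }
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }

    // Decode with GD; a file that only carries a JPEG header fails here.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        return null;
    }

    // Never reuse the client-supplied name. Generate one and force a .jpg
    // extension so original/ only ever holds files served as images.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $target = rtrim($originalDir, '/') . '/' . $name;

    // Re-encode rather than move: the stored file is a fresh JPEG written
    // by GD, so trailing non-image bytes in the upload are not carried over.
    $ok = imagejpeg($img, $target, 90);
    imagedestroy($img);

    return $ok ? $name : null;
}
```

Pair this with a `.htaccess` in original/ that disables script execution (for example `php_flag engine off` under mod_php), so that a handler misconfiguration cannot turn anything stored there into executable code.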