π― 곡격 μλ리μ€
1. λλΈ νμ₯μ 곡격
uploadλ shell.php.jpg:
AddType application/x-httpd-php .php # Apache μ€μ
νμΌ: shell.php.jpg
β οΈ Apacheλ μ°μΈ‘λΆν° νμ₯μ μΈμ
β .jpgλ‘ λ¨Όμ μ²΄ν¬ (νμ©), κ·Έ λ€μ .phpλ‘ μΈμ (μ€ν)
2. MIME νμ
κ²μ¦ μ°ν
μ΄λ―Έμ§ νμΌμ λ§€μ§ λλ²(ν€λ) + PHP μ½λ νΌν©:
$ xxd image.jpg | head
FFD8 FFE0 0010 JFIF 0001 0100 ... (JPEG ν€λ)
νμΌ λμ PHP μ½λ μΆκ°:
<?php system($_GET['cmd']); ?>
β MIME νμ
μ image/jpegλ‘ μΈμ, νμ§λ§ νΉμ μ€μ μμ PHPλ‘ μ€ν
3. μ¬λ³Όλ¦ λ§ν¬ 곡격
λ―Όκ°ν νμΌμ μ κ·Ό:
ln -s /etc/passwd uploads/secret.jpg
β /uploads/secret.jpg μ κ·Ό μ /etc/passwd λ΄μ© 곡κ°
ln -s /var/www/html/.env uploads/env.jpg
β DB λΉλ°λ²νΈ, API ν€ λ
ΈμΆ
β
λ°©μ΄ λ°©λ²
1. νμ₯μ νμ΄νΈλ¦¬μ€νΈ:
$allowed = ['jpg', 'png', 'gif'];
$ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowed)) die('Not allowed');
2. MIME νμ
κ²μ¦:
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['file']['tmp_name']);
$allowed_mimes = ['image/jpeg', 'image/png'];
if (!in_array($mime, $allowed_mimes)) die('Invalid MIME');
3. μ¬λ³Όλ¦ λ§ν¬ κ²μ¦:
if (is_link($destination)) die('Symlinks not allowed');
4. μμ ν νμΌ μ μ₯:
// μΉ λ£¨νΈ λ°μ μ μ₯
$upload_dir = '/var/uploads/'; // /var/www/html λ°
// λλ νμΌλͺ
μ¬μμ±
$new_name = uniqid() . '_' . bin2hex(random_bytes(8)) . '.jpg';
5. μΉ μλ² μ€μ :
# Apache .htaccess
<Files ~ "\.jpg$">
AddType text/plain .jpg
</Files>