Webmaster-Talk.com > Coding Talk > PHP Forum > Upload script is being exploited

Reply
Upload script is being exploited
Old 05-20-2008, 08:50 PM Upload script is being exploited
Skilled Talker

Posts: 99
Talkupation: Arez20469 is on a distinguished road
I downloaded an upload script a while ago and have haven't had any problems... until now. Someone on my site is actually taking the time to look at an uploaded file, make a 0 byte file on their computer with the exact same name, and then upload it, overwriting the original file.

Is there any way to make it so someone has to rename their file if it has already been uploaded?

PHP Code:
<?php

####################################################################
# File Upload Form 1.0
####################################################################
# For updates visit http://www.zubrag.com/scripts/
####################################################################

####################################################################
#  SETTINGS START
####################################################################

// Folder to upload files to. Must end with slash /
define('DESTINATION_FOLDER','uploads/');

// Maximum allowed file size, Kb
// Set to zero to allow any size
define('MAX_FILE_SIZE'0);

// Upload success URL. User will be redirected to this page after upload.
define('SUCCESS_URL','/upload-success.html');

// Allowed file extensions. Will only allow these extensions if not empty.
// Example: $exts = array('avi','mov','doc');
$exts = array('rar','zip','exe','dll','ini');

// rename file after upload? false - leave original, true - rename to some unique filename
define('RENAME_FILE'false);

// Need uploads log? Logs would be saved in the MySql database.
define('DO_LOG'true);

// MySql data (in case you want to save uploads log)
define('DB_HOST','db299.perfora.net'); // host, usually localhost
define('DB_DATABASE','db245281106'); // database name
define('DB_USERNAME','dbo245281106'); // username
define('DB_PASSWORD','TMGfmUKV'); // password

/* NOTE: when using log, you have to create mysql table first for this script.
Copy paste following into your mysql admin tool (like PhpMyAdmin) to create table
If you are on cPanel, then prefix _uploads_log on line 205 with your username, so it would be like myusername_uploads_log

CREATE TABLE _uploads_log (
  log_id int(11) unsigned NOT NULL auto_increment,
  log_filename varchar(128) default '',
  log_size int(10) default 0,
  log_ip varchar(24) default '',
  log_date timestamp,
  PRIMARY KEY  (log_id),
  KEY (log_filename)
);

*/

####################################################################
###  END OF SETTINGS.   DO NOT CHANGE BELOW
####################################################################

// Allow script to work long enough to upload big files (in seconds, 2 days by default)
@set_time_limit(172800);

// following may need to be uncommented in case of problems
// ini_set("session.gc_maxlifetime","10800");

function showUploadForm($message='') {
  $max_file_size_tag '';
  if (MAX_FILE_SIZE 0) {
    // convert to bytes
    $max_file_size_tag "<input name='MAX_FILE_SIZE' value='".(MAX_FILE_SIZE*1024)."' type='hidden' >\n";
  }

  // Load form template
  include ('file-upload.html');
}

// errors list
$errors = array();

$message '';

// we should not exceed php.ini max file size
$ini_maxsize ini_get('upload_max_filesize');
if (!is_numeric($ini_maxsize)) {
  if (strpos($ini_maxsize'M') !== false)
    $ini_maxsize intval($ini_maxsize)*1024*1024;
  elseif (strpos($ini_maxsize'K') !== false)
    $ini_maxsize intval($ini_maxsize)*1024;
  elseif (strpos($ini_maxsize'G') !== false)
    $ini_maxsize intval($ini_maxsize)*1024*1024*1024;
}
if ($ini_maxsize MAX_FILE_SIZE*1024) {
  $errors[] = "Alert! Maximum upload file size in php.ini (upload_max_filesize) is less than script's MAX_FILE_SIZE";
}

// show upload form
if (!isset($_POST['submit'])) {
  showUploadForm(join('',$errors));
}

// process file upload
else {
  
  while(true) {

    // make sure destination folder exists
    if (!@file_exists(DESTINATION_FOLDER)) {
      $errors[] = "Destination folder does not exist or no permissions to see it.";
      break;
    }

    // check for upload errors
    $error_code $_FILES['filename']['error'];
    if ($error_code != UPLOAD_ERR_OK) {
      switch($error_code) {
        case UPLOAD_ERR_INI_SIZE
          // uploaded file exceeds the upload_max_filesize directive in php.ini
          $errors[] = "File is too big (1).";
          break;
        case UPLOAD_ERR_FORM_SIZE
          // uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form
          $errors[] = "File is too big (2).";
          break;
        case UPLOAD_ERR_PARTIAL:
          // uploaded file was only partially uploaded.
          $errors[] = "Could not upload file (1).";
          break;
        case UPLOAD_ERR_NO_FILE:
          // No file was uploaded
          $errors[] = "Could not upload file (2).";
          break;
        case UPLOAD_ERR_NO_TMP_DIR:
          // Missing a temporary folder
          $errors[] = "Could not upload file (3).";
          break;
        case UPLOAD_ERR_CANT_WRITE:
          // Failed to write file to disk
          $errors[] = "Could not upload file (4).";
          break;
        case 8:
          // File upload stopped by extension
          $errors[] = "Could not upload file (5).";
          break;
      } // switch

      // leave the while loop
      break;
    }

    // get file name (not including path)
    $filename = @basename($_FILES['filename']['name']);

    // filename of temp uploaded file
    $tmp_filename $_FILES['filename']['tmp_name'];

    $file_ext = @strtolower(@strrchr($filename,"."));
    if (@strpos($file_ext,'.') === false) { // no dot? strange
      $errors[] = "Suspicious file name or could not determine file extension.";
      break;
    }
    $file_ext = @substr($file_ext1); // remove dot

    // check file type if needed
    if (count($exts)) {   /// some day maybe check also $_FILES['user_file']['type']
      if (!@in_array($file_ext$exts)) {
        $errors[] = "Files of this type are not allowed for upload.";
        break;
      }
    }

    // destination filename, rename if set to
    $dest_filename $filename;
    if (RENAME_FILE) {
      $dest_filename md5(uniqid()) . '.' $file_ext;
    }

    // get size
    $filesize intval($_FILES["filename"]["size"]); // filesize($tmp_filename);

    // make sure file size is ok
    if (MAX_FILE_SIZE && MAX_FILE_SIZE*1024 $filesize) {
      $errors[] = "File is too big (3).";
      break;
    }

    if (!@move_uploaded_file($tmp_filename DESTINATION_FOLDER $dest_filename)) {
      $errors[] = "Could not upload file (6).";
      break;
    }

    if (DO_LOG) {
      // Establish DB connection
      $link = @mysql_connect(DB_HOSTDB_USERNAMEDB_PASSWORD);
      if (!$link) {
        $errors[] = "Could not connect to mysql.";
        break;
      }
      $res = @mysql_select_db(DB_DATABASE$link);
      if (!$res) {
        $errors[] = "Could not select database.";
        break;
      }
      $m_ip mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
      $m_size $filesize;
      $m_fname mysql_real_escape_string($dest_filename);
      $sql "insert into _uploads_log (log_filename,log_size,log_ip) values ('$m_fname','$m_size','$m_ip')";
      $res = @mysql_query($sql);
      if (!$res) {
        $errors[] = "Could not run query.";
        break;
      }
      @mysql_free_result($res);
      @mysql_close($link);
    } // if (DO_LOG)


    // redirect to upload success url
    header('Location: ' SUCCESS_URL);
    die();

    break;

  } // while(true)

  // Errors. Show upload form.
  $message join('',$errors);
  showUploadForm($message);

}

?>

I really... really need help here.
Last edited by Arez20469 : 05-20-2008 at 08:52 PM.
Arez20469 is offline
Reply With Quote
View Public Profile
 
When You Register, These Ads Go Away!
     
Old 05-20-2008, 11:17 PM Re: Upload script is being exploited
Arenlor's Avatar
Ultra Talker

Posts: 463
Name: Jerod Lycett
Location: /home/arenlor
Talkupation: Arenlor is a jewel in the roughArenlor is a jewel in the roughArenlor is a jewel in the rough
PHP Code:
while(file_exists($filename)){list($old_name,$extension) = split(".",$filename);
$add rand(1000,9999);
$filename $old_name.$add.".".$extension;} 
That should work if I'm not too tired. You'll have to customize it of course using your names. I'm too lazy to do that, sorry. It makes use of file_exists. You could of course just randomly name all your files instead and use a version of this to check to make sure you're not duplicating files.
http://us2.php.net/function.file-exists
You can also protect against this by not allowing null files.
http://us3.php.net/filesize
PHP Code:
if(filesize($file) == 0){echo "<p>Your file was zero bytes, please check the file and try again.</p>";} 
__________________
PHP Code:
<?php echo "Hello World"?>
HTML Code:
<html><head><title>Hello World</title></head><body><p>Hello World</p></body></html>
Arenlor is offline
Reply With Quote
View Public Profile Visit Arenlor's homepage!
 
Reply     « Reply to Upload script is being exploited
 
Previous Thread | Next Thread Webmaster-Talk.com > Coding Talk > PHP Forum > Upload script is being exploited

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Webmaster Resources Marketplace:
Software Development Company | Webhosting.UK.com
Web Templates | Text Link Brokers | Stock Photos


   
RSS Feed  Feeds: RSS   JS   XML
RSS Feed  Feeds for this forum: RSS   JS   XML

 


Page generated in 0.12836 seconds with 13 queries