One of the main principles of site security is to distrust any incoming information, even when the data has already been checked by JavaScript in the user's browser. This includes the browser's name (User-Agent) and any cookie the site itself set earlier: all incoming information can be forged.
For example, one popular forum engine was once compromised by a request carrying a forged cookie, which led to an SQL injection (more on that later).
Since this article describes the attack methods only superficially, it makes sense to read more about them elsewhere where needed.
Some sites allow users to upload their own files, for example photographs or JPEG images. Instead of a photo, an executable file may be uploaded, so the site must restrict the types of file that can be uploaded.
Uploading files
When a file is uploaded, PHP reports its MIME type in $_FILES['userfile']['type'], which for a JPEG image is image/jpeg. It might seem that checking this type is enough to be sure an image was uploaded. Another idea is to try to read the file with getimagesize or imagecreatefromjpeg. However, here the file type is determined from the content, so a valid JPEG image saved with the .php extension will still be detected as image/jpeg, and it will have a name of the form xxxxx.php.
The web server, however, chooses the handler for a file by its extension. An attacker takes an image, appends a PHP script to its end (or hides it in the EXIF data), the server executes it, and the site is compromised.
So the effective security control is the file extension. Checking the MIME type or opening the file with getimagesize is only useful for catching garbage that is not an image; such garbage does no harm to the site by itself.
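The following upload handler is an added example, not code from the original post. It applies the rule above: the extension decides (allowlist, last extension only), the MIME/getimagesize checks only filter garbage, and the image is then re-encoded with GD so that anything appended after the image data or stored in EXIF is not carried into the stored file. The directory path, the form field name "userfile" and the size limit are assumptions.

```php
<?php
// Added example (not from the original post): server-side validation of an
// uploaded image. Paths and limits below are assumptions.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/storage/uploads'; // assumed: outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;

// Allowlist: extension => [expected MIME type, GD loader, GD writer]
const ALLOWED = [
    'jpg' => ['image/jpeg', 'imagecreatefromjpeg', 'imagejpeg'],
    'png' => ['image/png',  'imagecreatefrompng',  'imagepng'],
];

/**
 * Validate one entry of $_FILES and store a re-encoded copy.
 * Returns the server-chosen file name, or throws on any rejection.
 */
function storeUploadedImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('rejected: size or origin');
    }

    // 1. The extension decides. Lowercase it and take only the LAST one, so
    //    "photo.php.jpg" is treated as jpg and "photo.jpg.php" is rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("rejected: extension .$ext not allowed");
    }
    [$expectedMime, $loader, $writer] = ALLOWED[$ext];

    // 2. Content checks: finfo sniffs the bytes (not the client-sent header).
    //    As the text says, this only filters garbage; a JPEG with a PHP tail
    //    still passes here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $expectedMime) {
        throw new RuntimeException('rejected: content does not match extension');
    }
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('rejected: not a decodable image');
    }

    // 3. Re-encode with GD. Only pixel data survives: trailing bytes and EXIF
    //    segments of the original are not copied into the new file.
    $img = @$loader($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('rejected: image decoder failed');
    }
    if ($ext === 'png') {               // keep transparency when re-encoding PNG
        imagealphablending($img, false);
        imagesavealpha($img, true);
    }

    // 4. Server-chosen name: random, so the user controls neither path nor
    //    extension of the stored file.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!$writer($img, $dest)) {
        throw new RuntimeException('could not write re-encoded image');
    }
    imagedestroy($img);
    chmod($dest, 0644);
    return $name;
}

// Usage (assumes a form field named "userfile"):
// try {
//     $stored = storeUploadedImage($_FILES['userfile']);
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'Upload rejected';
// }
```

The re-encoding step is what removes the appended-script trick the text describes; the extension allowlist is what stops the server from ever picking a script handler for the stored file, even if re-encoding were skipped.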
Alternatively, uploaded files can be stored in a directory that is not accessible to users and served through a script. This puts a heavier load on the server and requires reimplementing basic web-server functionality: sending the last-modification date and answering conditional requests such as If-Modified-Since, sending the correct MIME type, and supporting download resumption.
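The script below is an added example, not code from the original post, of the "serve through a script" approach and the web-server features the text says it must reimplement: correct MIME type, Last-Modified, If-Modified-Since answered with 304, and Range requests for download resumption. The storage directory, the stored-name format (32 hex characters plus an allowed extension) and the query parameter "f" are assumptions.

```php
<?php
// Added example (not from the original post): hand out files stored outside
// the web root. Directory and name format are assumptions.

declare(strict_types=1);

const UPLOAD_DIR  = '/var/www/storage/uploads';
const MIME_BY_EXT = ['jpg' => 'image/jpeg', 'png' => 'image/png'];

/** Resolve a stored name to an absolute path; null if not something we serve. */
function resolveStoredFile(string $name): ?string
{
    // Only names the upload handler could have generated: no traversal, no "..".
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png)\z/', $name)) {
        return null;
    }
    $path = UPLOAD_DIR . '/' . $name;
    return is_file($path) ? $path : null;
}

/**
 * Decide status, headers and byte window for one request. Kept free of I/O
 * so the logic can be reasoned about in isolation. $ifModifiedSince and
 * $range are the raw request header values, or null when absent.
 */
function planResponse(string $path, int $size, int $mtime, ?string $ifModifiedSince, ?string $range): array
{
    $ext = pathinfo($path, PATHINFO_EXTENSION);
    $headers = [
        'Content-Type'           => MIME_BY_EXT[$ext] ?? 'application/octet-stream',
        'Last-Modified'          => gmdate('D, d M Y H:i:s', $mtime) . ' GMT',
        'Accept-Ranges'          => 'bytes',
        'X-Content-Type-Options' => 'nosniff', // do not let the browser re-guess the type
    ];

    // Conditional request: unchanged since the client's copy -> 304, no body.
    $ims = $ifModifiedSince === null ? false : strtotime($ifModifiedSince);
    if ($ims !== false && $ims >= $mtime) {
        return ['status' => 304, 'headers' => $headers, 'start' => 0, 'length' => 0];
    }

    // Single byte range ("bytes=500-", "bytes=0-499", "bytes=-200"); anything
    // else is ignored and the whole file is sent, as HTTP permits.
    if ($range !== null && preg_match('/\Abytes=(\d*)-(\d*)\z/', $range, $m)
        && ($m[1] !== '' || $m[2] !== '')) {
        if ($m[1] === '') {                       // suffix range: last N bytes
            $start = max(0, $size - (int)$m[2]);
            $end   = $size - 1;
        } else {
            $start = (int)$m[1];
            $end   = $m[2] === '' ? $size - 1 : min((int)$m[2], $size - 1);
        }
        if ($start > $end || $start >= $size) {
            $headers['Content-Range'] = "bytes */$size";
            return ['status' => 416, 'headers' => $headers, 'start' => 0, 'length' => 0];
        }
        $headers['Content-Range']  = "bytes $start-$end/$size";
        $headers['Content-Length'] = (string)($end - $start + 1);
        return ['status' => 206, 'headers' => $headers, 'start' => $start, 'length' => $end - $start + 1];
    }

    $headers['Content-Length'] = (string)$size;
    return ['status' => 200, 'headers' => $headers, 'start' => 0, 'length' => $size];
}

/** Send the planned response: status, headers, then the byte window in chunks. */
function serveStoredFile(string $name): void
{
    $path = resolveStoredFile($name);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    $plan = planResponse(
        $path, filesize($path), filemtime($path),
        $_SERVER['HTTP_IF_MODIFIED_SINCE'] ?? null,
        $_SERVER['HTTP_RANGE'] ?? null
    );
    http_response_code($plan['status']);
    foreach ($plan['headers'] as $k => $v) {
        header("$k: $v");
    }
    if ($plan['length'] === 0) {
        return;
    }
    $fh = fopen($path, 'rb');
    fseek($fh, $plan['start']);
    $left = $plan['length'];
    while ($left > 0 && !feof($fh)) {
        $chunk = fread($fh, min(65536, $left));
        echo $chunk;
        $left -= strlen($chunk);
    }
    fclose($fh);
}

// Usage: download.php?f=<stored name>
// serveStoredFile((string)($_GET['f'] ?? ''));
```

Because the stored name is validated against the exact format the upload handler produces, the script cannot be pointed at arbitrary paths, and because the served directory holds only re-encoded images, the MIME type can be derived from the extension alone.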
It is also possible to disable script execution for the folder with user files using the RemoveHandler directive in the web server configuration, but this requires the developer to list the extensions of every handler supported by the particular web server, and a new or little-known handler may be missed.
Register Globals
PHP has a "Register Globals" feature: automatic creation of variables from the parameters of a request (GET, POST, COOKIE). The script <?php echo $a;?>, called as script.php?a=hello, prints "hello" when register_globals is enabled. If the developer does not initialize variables before using them, this creates a vulnerability. It looks like this:
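As an added illustration (not the original post's own code) of the uninitialized-variable problem described above: the vulnerable check beside its hardened form. Since register_globals no longer exists in current PHP, the example reproduces its effect with extract() on a constructed request array; the variable and function names are illustrative.

```php
<?php
// Added example (not from the original post). register_globals was removed in
// PHP 5.4, but code that does  extract($_REQUEST)  or
// foreach ($_GET as $k => $v) { $$k = $v; }  recreates the same behaviour,
// so the pattern below is still worth recognising.

declare(strict_types=1);

/**
 * Vulnerable: $authorized is only ever SET when the check passes and is never
 * initialised, so a variable created from the request is trusted instead.
 * extract($query) stands in for register_globals here.
 */
function vulnerableAdminCheck(array $query, array $session): bool
{
    extract($query);                 // ?authorized=1  ->  $authorized = "1"
    if (($session['user'] ?? null) === 'admin') {
        $authorized = true;
    }
    return !empty($authorized);      // true for any non-empty request value
}

/**
 * Hardened: every variable is initialised before use, and request input is
 * never turned into variables; it is read only through explicit access.
 */
function hardenedAdminCheck(array $query, array $session): bool
{
    $authorized = false;             // deterministic starting state
    if (($session['user'] ?? null) === 'admin') {
        $authorized = true;
    }
    // $query is deliberately unused for the decision; if a request value were
    // needed it would be read as $query['name'] (or filter_input()), never
    // injected into the local scope.
    return $authorized;
}

// Demonstration with constructed input (no real session involved):
var_dump(vulnerableAdminCheck(['authorized' => '1'], []));   // bool(true): bypass
var_dump(hardenedAdminCheck(['authorized' => '1'], []));     // bool(false)
var_dump(hardenedAdminCheck([], ['user' => 'admin']));       // bool(true)
```

Note that extract() in the vulnerable version could also overwrite $session itself if the request carried a "session" parameter, which is the same class of problem: input that becomes variables reaches code written with the assumption that only the program sets them. Running with error_reporting(E_ALL) makes the undefined $authorized visible as a warning in the vulnerable path when the request does not supply it.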
Hacking a website by uploading files