
Saturday, January 16, 2021

[PHP] Upload Spoofed Files

"spoofed.jpg.php" is a spoofed "jpg" file: a real JPEG image with PHP code appended after the image's binary data, done here with the "HxD" binary\hex editor tool. Because the file still starts with the JPEG header, functions that only look at the leading bytes keep identifying it as an image.

An extension check is useful to prevent files with dangerous extensions such as ".php", ".html", ".xml", etc. from being stored on the server, since the web server may execute or render them. Check the last extension of the uploaded name against an allowlist of expected extensions, not against a blocklist.

"mime_content_type" and "exif_imagetype" should be used for identification purposes only, not for security purposes!

Both functions should not be used as a security control because both of them accept spoofed files: they read the file's magic bytes (the first bytes of the file) and report "image/jpeg" or IMAGETYPE_JPEG for anything that begins with a valid JPEG header, no matter what follows it.

A spoofed file is, for example, a "jpg" image file with PHP code appended at the end of the image's binary data. If the upload handler then stores it under the client-supplied "$_FILES['file']['name']" (here "spoofed.jpg.php") in a web-accessible directory, the web server treats it as a PHP script and executes the appended code on the next request for that file.

This page just demonstrates a simple example of how dangerous it is to store uploads under "$_FILES['file']['name']" while relying on the "mime_content_type" or "exif_imagetype" functions alone!

Download the files below and do your own tests:
https://www.mediafire.com/file/zm9q2a7uoel2zn9/PHP_-_Upload_Spoofed_Files.rar/file
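The following PHP is an added example written for this page; it is not part of the downloadable files above. It places the vulnerable pattern the post describes next to a hardened handler. The form field name "file", the upload directory passed as $dir, the GD extension (imagecreatefromjpeg, imagejpeg, etc.) and the size limit are assumptions for the example.

```php
<?php
// Added example (not the original post's download). Assumes an HTML form with
// <input type="file" name="file"> posting to this script, a writable $dir, and
// the GD extension; all of these are assumptions for the illustration.
declare(strict_types=1);

// VULNERABLE: trusts the client-supplied name. "spoofed.jpg.php" passes
// exif_imagetype() because its first bytes are a real JPEG header, and is then
// stored as a .php file that the web server executes on the next request.
function vulnerable_upload(array $file, string $dir): bool
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    if (exif_imagetype($file['tmp_name']) === false) {
        return false; // only the magic bytes are checked
    }
    return move_uploaded_file($file['tmp_name'], $dir . '/' . $file['name']);
}

// HARDENED: never reuse the client name on disk, derive the extension from the
// detected image type, re-encode so anything appended after the image data is
// dropped, and store in a directory where PHP execution is disabled.
function hardened_upload(array $file, string $dir, int $maxBytes = 2000000): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > $maxBytes) {
        return null;
    }
    // 1. Allowlist on the LAST extension of the client name. This rejects
    //    "spoofed.jpg.php" outright, but it is only a first filter.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png'], true)) {
        return null;
    }
    // 2. Content sniff, used for identification only: it selects the decoder.
    $type = exif_imagetype($file['tmp_name']);
    $decoders = [
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_PNG  => 'imagecreatefrompng',
    ];
    if ($type === false || !isset($decoders[$type])) {
        return null;
    }
    // 3. Re-encode with GD. The decoder consumes the image stream only; bytes
    //    appended after the JPEG EOI / PNG IEND marker are not written back.
    $img = @$decoders[$type]($file['tmp_name']);
    if ($img === false) {
        return null;
    }
    // 4. Server-generated file name; the extension comes from the detected
    //    type (".jpeg" or ".png"), never from $_FILES['file']['name'].
    $name = bin2hex(random_bytes(16)) . image_type_to_extension($type);
    $dest = $dir . '/' . $name;
    $ok = ($type === IMAGETYPE_JPEG) ? imagejpeg($img, $dest, 90) : imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $name : null;
}

// Usage (assumed form field "file" and upload directory):
// $stored = hardened_upload($_FILES['file'], __DIR__ . '/uploads');
```

Note that the spoofed file passes exif_imagetype() in both handlers; what differs is what reaches the disk. The hardened version still depends on the upload directory not executing PHP: with Apache and mod_php, a ".htaccess" containing "php_flag engine off" in that directory does this, and storing uploads outside the document root and serving them through a script that sends the bytes with a fixed Content-Type is safer still.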

 

