<?php | |
// Entry point. When this file is loaded through auto_prepend_file it runs on every request,
// so uploads are vetted (and the request possibly terminated with a 403) before the
// application's own code executes.
check_malicious_upload();
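/**
 * Upload gate intended to run from auto_prepend_file, i.e. before the application's own
 * code sees $_FILES on this request.
 *
 * Each uploaded file is rejected with a 403 (the request is terminated) when
 *   - its client-supplied name is one the web server or PHP would execute or honour as
 *     configuration: .htaccess/.htpasswd, php.ini/.user.ini (under CGI/FPM a .user.ini in a
 *     served directory can itself set auto_prepend_file), or a PHP script extension, also
 *     when a second extension follows it, e.g. shell.php.jpg;
 *   - its body starts with the ELF magic (a native executable);
 *   - its body contains PHP/shell/C source markers or the names of dangerous PHP functions.
 *
 * This is a denylist heuristic and will not catch every payload: it raises the bar but does
 * not replace storing uploads outside the document root and serving them without a script
 * handler. The whole upload is read into memory for the content scan (bounded by
 * upload_max_filesize). A scan that cannot be completed -- unreadable temp file, PCRE giving
 * up on the input -- is treated as a match (fail closed) rather than silently passed.
 *
 * Side effects: none unless a match is found, in which case block_user_request() is called
 * and never returns.
 */
function check_malicious_upload() {
    foreach (fetch_uploads() as $upload) {
        $name = isset($upload['name']) ? $upload['name'] : '';
        // A nested upload field (name="f[a][b]") that was not flattened cannot be scanned; refuse it.
        if (!is_string($name)) {
            block_user_request();
        }
        // Compare with '' rather than truthiness: a file literally named "0" must still be scanned.
        if ($name === '') {
            continue;
        }
        if (upload_name_is_blocked($name)) {
            block_user_request();
        }
        $tmp = isset($upload['tmp_name']) ? $upload['tmp_name'] : '';
        if (!is_string($tmp)) {
            block_user_request();
        }
        // An empty tmp_name means PHP stored nothing for this field (upload error); nothing to scan.
        if ($tmp === '') {
            continue;
        }
        $data = is_readable($tmp) ? file_get_contents($tmp) : false;
        if ($data === false || upload_body_is_blocked($data)) {
            block_user_request();
        }
    }
}

/**
 * preg_match() wrapper that fails closed: a PCRE error (backtrack/recursion limit, JIT stack,
 * invalid input) returns false from preg_match(), and the original code treated that like
 * "no match", so an oversized or crafted body could pass the scan by exhausting the engine.
 * Here anything other than a clean 0 counts as a hit.
 *
 * @param string $pattern  PCRE pattern with delimiters
 * @param string $subject  text to scan
 * @return bool
 */
function preg_match_fail_closed($pattern, $subject) {
    return preg_match($pattern, $subject) !== 0;
}

/**
 * True when a client-supplied file name is one the server would execute or honour as config.
 *
 * Matching is case-insensitive (the original was not) because Apache's extension-to-handler
 * mapping is case-insensitive, so evil.PHP would have slipped past the old pattern. The \b
 * after the PHP extensions deliberately also catches double extensions such as shell.php.jpg.
 * php7/php8, phps and phar are added to the original php3/4/5 list because current distro
 * handler configurations commonly map them to PHP -- TODO confirm against your own handler
 * config and drop what your server does not execute.
 *
 * @param string $name  file name as supplied by the client
 * @return bool
 */
function upload_name_is_blocked($name) {
    $pattern = '/\.ht(?:access|passwd)|(?:php\d?|\.user)\.ini|\.ph(?:p[3-8]?|ps|t|tml|ar)\b/i';
    return preg_match_fail_closed($pattern, $name);
}

/**
 * True when an upload body looks like executable content.
 *
 * Two checks: the ELF magic at offset 0, then a pattern for PHP open tags (the short echo tag
 * "<?=" is included; it is always enabled and the original pattern missed it), shebang lines,
 * C #include lines, a list of dangerous PHP function calls, and reads of the request
 * superglobals. Like every content denylist it can be evaded by encoding or by functions not
 * listed; treat a hit as a strong signal, not a miss as proof of safety.
 *
 * @param string $data  full file contents
 * @return bool
 */
function upload_body_is_blocked($data) {
    if (preg_match_fail_closed('`^\x7F\x45\x4C\x46`', $data)) {
        return true;
    }
    $pattern = '`<\?(?i:php)|<\?=|#!/(?:usr|bin)/.+?\s|\s#include\s+<[\w/.]+?>|\b(?i:array_map|base64_(?:de|en)code|eval|file(?:_get_contents)?|fsockopen|gzinflate|move_uploaded_file|passthru|preg_replace|phpinfo|system|(?:shell_)?exec)\s*\(|\b(?:\$?_(COOKIE|ENV|FILES|(?:GE|POS|REQUES)T|SE(RVER|SSION))|HTTP_(?:(?:POST|GET)_VARS|RAW_POST_DATA)|GLOBALS)\s*[=\[]|\W\$\{\s*[\'"]\w+[\'"]`';
    return preg_match_fail_closed($pattern, $data);
}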
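/**
 * Flatten $_FILES into one record per uploaded file.
 *
 * PHP presents a single-file field as a flat array and a multi-file field (name="f[]", or
 * deeper, name="f[a][b]") as parallel arrays under each of name/size/tmp_name/error/type.
 * The original only unwrapped one level, so a deeper field left arrays in 'name' and
 * 'tmp_name' and the scanner could not check them; this walks every level.
 *
 * Each record carries 'name', 'size', 'tmp_name', 'error' (UPLOAD_ERR_* as reported by PHP,
 * UPLOAD_ERR_NO_FILE when absent) and 'where': the form field followed by '::0::0' for a
 * scalar field or '::1::<key>' for an array field, deeper keys joined with '.'. The one-level
 * format of the original is preserved exactly.
 *
 * @return array list of records, in $_FILES order
 */
function fetch_uploads() {
    $uploaded_files = [];
    foreach ($_FILES as $field => $file) {
        if (!is_array($file)) {
            continue;
        }
        $uploaded_files = array_merge($uploaded_files, collect_upload_records($field, $file, []));
    }
    return $uploaded_files;
}

/**
 * Recursive worker for fetch_uploads().
 *
 * @param string $field  the $_FILES key (form field name)
 * @param array  $file   per-attribute values at the current depth
 * @param array  $path   keys walked so far below $field
 * @return array list of records for this subtree
 */
function collect_upload_records($field, array $file, array $path) {
    $name = isset($file['name']) ? $file['name'] : null;
    if (is_array($name)) {
        $records = [];
        foreach (array_keys($name) as $key) {
            // Pick the same key out of each parallel attribute array, tolerating a missing one.
            $child = [];
            foreach (['name', 'size', 'tmp_name', 'error', 'type'] as $attr) {
                $child[$attr] = isset($file[$attr][$key]) ? $file[$attr][$key] : null;
            }
            $records = array_merge($records, collect_upload_records($field, $child, array_merge($path, [$key])));
        }
        return $records;
    }
    $where = $field . ($path === [] ? '::0::0' : '::1::' . implode('.', $path));
    return [[
        'name'     => $name,
        'size'     => isset($file['size']) ? $file['size'] : null,
        'tmp_name' => isset($file['tmp_name']) ? $file['tmp_name'] : null,
        'error'    => isset($file['error']) ? $file['error'] : UPLOAD_ERR_NO_FILE,
        'where'    => $where,
    ]];
}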
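/**
 * Terminate the request with a 403 and a minimal HTML body. Never returns.
 *
 * The status is set with http_response_code(): the original header('Forbidden', true, 403)
 * emitted a header line without a colon, which the Apache SAPI drops and FastCGI front-ends
 * may reject -- only its third argument was doing any work. The content type is pinned so
 * the body is not sniffed, and the response is marked uncacheable. The block is written to
 * the SAPI error log so operators can see rejected uploads; client-controlled values are
 * control-character escaped first so a crafted URI cannot forge extra log lines.
 *
 * @param string $reason optional detail for the log line; never shown to the client
 */
function block_user_request($reason = '') {
    $ip  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-';
    error_log(sprintf(
        'upload blocked: ip=%s uri=%s %s',
        addcslashes($ip, "\0..\37\177"),
        addcslashes($uri, "\0..\37\177"),
        addcslashes((string) $reason, "\0..\37\177")
    ));
    if (!headers_sent()) {
        http_response_code(403);
        header('Content-Type: text/html; charset=utf-8');
        header('Cache-Control: no-store');
    }
    die('<!DOCTYPE html>
<html>
<head>
<title>403 - Forbidden</title>
</head>
<body>
<h1>403 Forbidden</h1>
<p>Unauthorized file upload.</p>
</body>
</html>');
}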
/*
Note

If the Server API is CGI or FastCGI (e.g. php-fpm), this upload gate can only be activated
from php.ini (or from a php-fpm pool's php_admin_value). Find auto_prepend_file:
; Automatically add files before PHP document.
; http://php.net/auto-prepend-file
auto_prepend_file = /path/to/this/file.php
Change the path to the location of this script on the server. Keep the file outside the
web root so it cannot be requested directly.

If the Server API is the Apache module (shown by phpinfo() as "Apache 2.0 Handler"), the gate
can instead be activated from an .htaccess file. The following is an example for PHP running
as an Apache module:
# BEGIN Your Firewall
# When the SAPI is the Apache module and PHP is version 5. For PHP 7 the module is mod_php7.c
# and for PHP 8 it is mod_php.c; if the <IfModule> name does not match your build the directive
# is silently skipped and this file is never loaded, so verify with phpinfo() that
# auto_prepend_file is actually set. php_value in .htaccess also needs AllowOverride Options
# (or All) for that directory.
<IfModule mod_php5.c>
php_value auto_prepend_file /path/to/this/file.php
</IfModule>
# END Your Firewall
*/