0

I have this code for upload images , When i try to use burpsuite to see what happens , i can see response from this code showing the location of folder where its uploaded , how i can hide this from the response , so the customer cant see where is the files been uploaded in the server, also how i can fix , stop the upload php files ? when i change the method to . Content-Type: php/image , the file is uploaded with end of .php is there any fix for this code?

thanks!

 <?php
    ini_set('display_errors', 0);
    ini_set('error_reporting',0);
    include "query_requests.php";

    function dd($data)
    {
        var_dump($data);
        die();
    }
    


    $target_dir = "uploads2/";
    $target_file = $target_dir . basename($_FILES["uploadfile"]["name"]);
    $id = $_GET['id'];
    $imgName=$id.".".explode('/',$_FILES['uploadfile']["type"])[1];
    $imgID = $_GET['imgID'];
    $_SESSION['imgext']=explode('/',$_FILES['uploadfile']["type"])[1];
    $imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));
    $target_file = $target_dir . $id."_pic".".".explode('/',$_FILES['uploadfile']["type"])[1];

    if(file_exists($target_file)) {
        chmod($target_file,0755); //Change the file permissions if allowed
        unlink($target_file); //remove the file
    }
    $uploadOk = 1;
    if (isset($_POST["submit"])) {
        $check = getimagesize($_FILES["uploadfile"]["tmp_name"]);
        if ($check !== false) {
            echo "File is an image - " . $check["mime"] . ".";
            $uploadOk = 1;
        } else {
            echo "File is not an image.";
            $uploadOk = 0;
        }
    }

    $size = $_FILES["uploadfile"]["size"];

    if( strcmp($imageFileType,"jpg") == 0  || strcmp($imageFileType,"png") == 0 || strcmp($imageFileType,"jpeg") == 0){


    } else{
        exit(json_encode(array('success' => false, 'msg' => "", 'ext' =>
$imageFileType, 'size' => $size)));

    }
    if ($uploadOk == 0) {
        echo "Sorry, your file was not uploaded.";

    } else {

        $imagetype = $_FILES['uploadfile']["type"];

        if (move_uploaded_file($_FILES["uploadfile"]["tmp_name"], $target_file)) {
            $path = realpath($target_file);
            $curl = curl_init();
   
            curl_setopt_array($curl, array(
                CURLOPT_URL => 'http://',
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_ENCODING => '',
                CURLOPT_MAXREDIRS => 10,
                CURLOPT_TIMEOUT => 0,
                CURLOPT_FOLLOWLOCATION => true,
                CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
                CURLOPT_CUSTOMREQUEST => 'POST',
                CURLOPT_HTTPHEADER => array(''),
                CURLOPT_POSTFIELDS => array('Image' => new CURLFile($path, $_FILES['uploadfile']["type"], $imgName)),

            ));


            $response = curl_exec($curl);
            $resDec=json_decode($response,1);
            $ident='';
            if($resDec['responseCode']==0){
                $ident=str_replace(' ','',$resDec['results']['id']);
                $ident=trim($ident);
            }

            $imageType=$_FILES["uploadfile"]["type"];
            $condition = " random_id=:random_id ";
            $bind = array('random_id' =>$_GET['id']);

            $identity = findFirst('idintities', $condition, $bind)->fetch();
            if($identity){
                update(array('random_id'=>$id,'json_info'=>$response,'id_num'=>$ident,'img_ext'=>$imageType),$condition,$bind,'idintities');

            }else{
                insertRequest(array('random_id'=>$id,'json_info'=>$response,'id_num'=>$ident,'img_ext'=>$imageType),'idintities');

            }

            $validId = $imgID == $ident ? 1: 0;

      echo json_encode(array('success' => true, 'size' => $size, 'target' => $target_file, 'validId' => $validId, 'info' => $resDec));

        } else {
        
            exit(json_encode(array('success' => false, 'msg' => "\"Sorry, there was an error uploading your file.", 'size' => $size)));


        }

    }
?>

code part of html to upload file image ,

 (progressBar = document.getElementById("progressBar")), (progressOuter = document.getElementById("progressOuter")), (msgBox = document.getElementById("msgBox"));
            var identValid = true;
            var btn = document.getElementById("uploadBtn");
            var uploader = new ss.SimpleUpload({
                button: btn,
                url: "upload.php?id=",
                name: "uploadfile",
                multipart: true,
                hoverClass: "hover",
                focusClass: "focus",
                responseType: "json",
                startXHR: function () {
                    progressOuter.style.display = "block";
                    this.setProgressBar(progressBar);
                },
Forten
  • 1
  • 3
  • For "burpsuite" see: https://portswigger.net/burp – KIKO Software Oct 03 '22 at 13:34
  • When the browser uploads images then have to go somewhere. That somewhere is an URL, you cannot hide that, not even if you use AJAX to upload the images in the background. – KIKO Software Oct 03 '22 at 13:38
  • @KIKOSoftware Thanks for trying to help , but my question is how to fix and hide the responses , from this upload code image! – Forten Oct 03 '22 at 13:38
  • @KIKOSoftware ok how i can then stop uploading php files? – Forten Oct 03 '22 at 13:39
  • 1
    It's better to ask a single, clear, question, per question you post here. – KIKO Software Oct 03 '22 at 13:42
  • @KIKOSoftware I dont need to delete the code , i need to use it but i just need to stop people from uploading php extension files , and only allow jpg , png , jpeg , and block other things! like php , html – Forten Oct 03 '22 at 13:42
  • There you are, Google knows: https://stackoverflow.com/questions/10456113/check-file-extension-in-upload-form-in-php – KIKO Software Oct 03 '22 at 13:43
  • @KIKOSoftware Can you pleas tell me where should be added in my code ? $allowed = array('gif', 'png', 'jpg'); $filename = $_FILES['video_file']['name']; $ext = pathinfo($filename, PATHINFO_EXTENSION); if (!in_array($ext, $allowed)) { echo 'error'; } – Forten Oct 03 '22 at 14:02
  • If you wrote the code in your question this should be obvious. There are several places you could do it. How about near where you check the size of the uploaded file? – KIKO Software Oct 03 '22 at 14:53
  • Probably relevant in light of the comment made above `" i just need to stop people from uploading php extension files"` [is this article?](https://portswigger.net/web-security/file-upload) – Professor Abronsius Oct 03 '22 at 14:53
  • @KIKOSoftware Not working , any way to help me add the code pleas? – Forten Oct 04 '22 at 12:43

2 Answers2

0

Here's how you can add the check into your code:

$uploadOk = 1;
if (isset($_POST["submit"])) {
    $check = getimagesize($_FILES["uploadfile"]["tmp_name"]);
    if ($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
    $filename = $_FILES['video_file']['name'];
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    if ($ext == 'php') {
        echo 'error: You should not upload PHP files.';
        $uploadOk = 0;
    }
}

Please note that this code only looks at the extension of the file that was uploaded. Extensions can be changed, so they don't necessarily reflect the content of the file.

KIKO Software
  • 15,283
  • 3
  • 18
  • 33
  • in my case the Extensions are blocked, The problem is when you change the Content-Type: php/image to this content , it will upload extensions automatic with .php , even if the real file image is uploaded with .jpeg , its change it to .php , so in this case i will try , like this to add the code $filename = $_FILES["uploadfile"]["tmp_name"]; $ext = pathinfo($filename, PATHINFO_EXTENSION); if ($ext == 'php') { echo 'error: You should not upload PHP files.'; $uploadOk = 0; } } – Forten Oct 04 '22 at 13:12
  • @Forten There's no guarantee that the temporary file will have the same extension as the uploaded file, that's why I used `name` instead of `tmp_name`. I also must point out that in the code I wrote, if the uploaded file is not an image, it is also rejected. So the code I added does nothing, except generate an error message. – KIKO Software Oct 04 '22 at 13:18
  • i just add the code as its , and nothing happens its uploaded the file with .php didnt work! – Forten Oct 04 '22 at 13:49
0

You have so many issues with your code I do not know where to begin.
And you need to clarify what it is you are trying to do

You should show your upload HTML.

The following is an app where the user uploads an image, the image is converted to a webp image and transmitted to a PHP script and saved as a .webp image.

The HTML

<form action="upload.php" method="post" enctype="multipart/form-data">
Upload an Image from your device <br>
<input type="file" name="image1[]" multiple accept="image/png, image/jpeg, image/gif, image/webp" /><br>
<button type="submit">Upload Image(s)</button>

The upload.php

if( is_uploaded_file($_FILES['image1']['tmp_name']) || !($_FILES['image1']['error'] !== UPLOAD_ERR_OK)){

  $save = false;
  switch(strtolower($_FILES['image1']['type'])){
  case 'image/jpeg':
    $image = @imagecreatefromjpeg($_FILES['image1']['tmp_name']);
    if ($image !== false){$save = true;break;}
  case 'image/png':
    $image = @imagecreatefrompng($_FILES['image1']['tmp_name']);
    if ($image !== false){$save = true;break;}
  case 'image/gif':
    $image = @imagecreatefromgif($_FILES['image1']['tmp_name']);
    if ($image !== false){$save = true;break;}
  case 'image/webp':
    $image = @imagecreatefromwebp($_FILES['image1']['tmp_name']);
    if ($image !== false){$save = true;break;}
  default:
    $img = @getimagesize($_FILES['image1']['tmp_name']);
    switch(strtolower($img['mime'])){
    case 'image/jpeg':
      $image = @imagecreatefromjpeg($_FILES['image1']['tmp_name']);
      if ($image !== false){$save = true;break;}
    case 'image/png':
      $image = @imagecreatefrompng($_FILES['image1']['tmp_name']);
      if ($image !== false){$save = true;break;}
    case 'image/gif':
      $image = @imagecreatefromgif($_FILES['image1']['tmp_name']);
      if ($image !== false){$save = true;break;}
    default:
      $filename = $_FILES['image1']['name'];
      $ext = substr($filename,-3);
      switch(strtolower($ext)){
      case 'jpg':
        $image = @imagecreatefromjpeg($_FILES['image1']['tmp_name']);
        if ($image !== false){$save = true;break;}
      case 'ebp':
        $image = @imagecreatefromwebp($_FILES['image1']['tmp_name']);
        if ($image !== false){$save = true;break;}
      case 'gif':
        $image = @imagecreatefromgif($_FILES['image1']['tmp_name']);
        if ($image !== false){$save = true;break;}
      case 'png':
        $image = @imagecreatefrompng($_FILES['image1']['tmp_name']);
        if ($image !== false){$save = true;break;}
      default:
        $image = @imagecreatefromjpeg($_FILES['image1']['tmp_name']);
        if ($image !== false){$save = true;break;}
        $image = @imagecreatefrompng($_FILES['image1']['tmp_name']);
        if ($image !== false){$save = true;break;}
        $image = @imagecreatefromgif($_FILES['image1']['tmp_name']);
        if ($image !== false){$save = true;break;}
      }
    }
    if($save){imagewebp($image, $filename,70);}
    $post= base64_encode($image);
    $curl = curl_init($url);
    $request = array();
    $request[] = "Content-Type: text/plain" ;
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $request);
    curl_setopt($ch, CURLOPT_ENCODING,"");

    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT,10);
    curl_setopt($ch, CURLOPT_FAILONERROR,true);
    curl_setopt($ch, CURLOPT_ENCODING,"");

    $response = curl_exec($ch);
    echo $response;

The receiving script ($url)

$base64 = file_get_contents('php://input');
$image = base64_decode($base64);
$filename = 'image.webp';
file_put_contents($filename,$image)
Misunderstood
  • 5,534
  • 1
  • 18
  • 25
  • thanks for reply i edit the code of html upload , but the files cant uploaded with .php , only it works when you change the content type to : php/jpeg , and your code will change all process , my code is used to verify id of customer using his image , is there any other fix ? – Forten Oct 05 '22 at 17:23