第一关
1.看到文件上传框,先上传一张正常图片进行测试。查看网页源代码,获得图片上传的路径,可知在www目录下的upload目录下,冰蝎连接时直接url为http:192.168.139.131:8888/upload/shell.php
2.上传shell.php 一句话木马,出现报错,可使用burpsuit拦截包查看,发现无法拦截包就已经弹框,可确认这是前端验证
3.绕过前端验证,更改shell.php为shell.jpg,然后利用bp拦截包,将后缀更改回来,绕过前端验证
4.上传成功
5.使用冰蝎连接shell
6.源代码展示
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
//选取第一个name=upload_file的input框中的值。赋值给file
if (file == null || file == "") {//当没有选择文件时,展示提示信息
alert("请选择要上传的文件!");//提示信息
return false;
}//选择文件的函数
//假设上传shell.php
//定义允许上传的文件类型
var allow_ext = ".jpg|.png|.gif";
//提取上传文件的类型
//lastIndexOf(),返回最后一次出现字符串的位置(从0开始计数)
//substring(),从指定位置提取字符串到最后
var ext_name = file.substring(file.lastIndexOf("."));
//ext_name=".php"
//判断上传文件类型是否允许上传
//返回指定字符串首次出现的位置,没有出现返回-1
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
alert(errMsg);
return false;
}
}
//if判断.php在allow_ext首次出现的位置,结果返回-1
第二关
1.看到文件上传框,先上传一张正常图片进行测试。查看网页源代码,查看图片上传的路径,可知在www目录下的upload目录下,冰蝎连接时直接url为http:192.168.139.131:8888/upload/shell.php
2.上传shell.php 一句话木马,出现报错,可使用burpsuit拦截包查看,更改content-type(该方法成功率低,请上传shell.jpg,然后用bp改后缀)
text/html : HTML格式
text/plain :纯文本格式
text/xml : XML格式
image/gif :gif图片格式
image/jpeg :jpg图片格式
image/png:png图片格式
以application开头的媒体格式类型:
application/xhtml+xml :XHTML格式
application/xml: XML数据格式
application/atom+xml :Atom XML聚合格式
application/json: JSON数据格式
application/pdf:pdf格式
application/msword : Word文档格式
application/octet-stream : 二进制流数据(如常见的文件下载)
application/x-www-form-urlencoded : <form encType=””>中默认的encType,form表单数据被编码为key/value格式发送到服务器(表单默认的提交数据的格式)
另外一种常见的媒体格式是上传文件之时使用的:
multipart/form-data : 需要在表单中进行文件上传时,就需要使用该格式
3.利用冰蝎连接
4.代码展示
$is_upload = false;
$msg = null;
//file_exists()函数用来检查文件或目录是否存在
/*
$_FILES['myFile']['name'] 客户端文件的原名称。
$_FILES['myFile']['type'] 文件的 MIME 类型,需要浏览器提供该信息的支持,例如"image/gif"。
$_FILES['myFile']['size'] 已上传文件的大小,单位为字节。
$_FILES['myFile']['tmp_name'] 文件被上传后在服务端储存的临时文件名,一般是系统默认。可以在php.ini的upload_tmp_dir 指定,但 用 putenv() 函数设置是不起作用的。
$_FILES['myFile']['error'] 和该文件上传相关的错误代码。['error'] 是在 PHP 4.2.0 版本中增加的。下面是它的说明:(它们在PHP3.0以后成了常量)
*/
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
//这里upload_file要和input框的name保持一致
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
//move_uploaded_file() 函数将上传的文件移动到新位置。
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}
第三关
1.上传shell.php文件发现报错
2.Apache扩展解析,Apache新增扩展解析文件后缀如phtml
,php1
,php2
,php3
等绕过黑名单
3.上传成功
4.代码展示
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
//trim() 函数移除字符串两侧的空白字符或其他预定义字符。
/*
预定义字符
"\0" - NULL
"\t" - 制表符
"\n" - 换行
"\x0B" - 垂直制表符
"\r" - 回车
" " - 空格
*/
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
//确保file_name是形似shell.php的字符串
/*
strrchr() 函数查找字符串在另一个字符串中最后一次出现的位置,并返回从该位置到字符串结尾的所有字 符。
*/
$file_ext = strrchr($file_name, '.');//返回文件后缀名
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);
/*
在window的时候如果文件名+"::$DATA"会把::$DATA之后的数据当成文件流处理,不会检测后缀名,且 保持::$DATA之前的文件名,他的目的就是不检查后缀名
注:这里存在漏洞,str_ireplace 只会将去除一次$file_ext中的::DATE ,我们可以进行双写绕过
例如:上传shell.php::DATE::DATE
*/
//去除字符串::$DATA
//把$file_ext中的::DATE替换成''
$file_ext = trim($file_ext); //首尾去空
/*
str_ireplace() 函数替换字符串中的一些字符(不区分大小写)。
该函数必须遵循下列规则
如果搜索的字符串是一个数组,那么它将返回一个数组。
如果搜索的字符串是一个数组,那么它将对数组中的每个元素进行查找和替换。
如果同时需要对数组进行查找和替换,并且需要执行替换的元素少于查找到的元素的数量,那么多余元素将用空字符串进行替换
如果是对一个数组进行查找,但只对一个字符串进行替换,那么替代字符串将对所有查找到的值起作用。
*/
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $UPLOAD_ADDR.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
第四关
1.直接上传shell.php发现报错
2.查看提示
3,文件后缀被禁止, 黑名单中限制了很多后缀,但是没有.htaccess,我们可以上传.htaccess文件更改apache配置
htaccess文件是Apache服务器中的一个配置文件,它负责相关目录下的网页配置。通过htaccess文件,可以帮我们实现:网页301重定向、自定义404错误页面、改变文件扩展名、允许/阻止特定的用户或者目录的访问、禁止目录列表、配置默认文档等功能。
.htaccess
AddType application/x-httpd-php .txt
这段代码的意思是把.txt文件当作php文件执行
4.上传成功.htaccess文件后,继续上传.txt文件,将shell.php文件改为shell.txt文件并上传
5.利用冰蝎连接
6.代码展示
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = '此文件不允许上传!';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
第五关
1.上传shell.php提示失败
2.查看源码,发现设置了黑名单,但是没有进行大小写转换
3.大小写绕过,发现array中没有.PHP后缀,利用.PHP绕过
4.上传成功后,注意文件名已被修改
5.源码展示
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
第六题
空格绕过
源码展示
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
第七题
.绕过
1.bp拦截数据包,将上传文件后缀加"."
2.上传成功
3.源码展示
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
第八题
适用于windows操作系统,::$DATA数据流,
源码展示
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
前8题总结
$file_name = trim($_FILES['upload_file']['name']);//去除空字符串
//先去除文件名首尾的空格
$file_name = deldot($file_name);//删除文件名末尾的点、deldot是作者直接写的函数。
//不加此条语句可以通过给文件后缀之后加.进行绕过。例如:shell.php. 主要利用strrchr查找的是最后一次出现的位置,并截取后续字符串
$file_ext = strrchr($file_name, '.');//查找.在$file_name中最后出现的位置,然后截取后续字符,目的为截取文件后缀
$file_ext = strtolower($file_ext); //把文件后缀转换为小写
//不加此条语句可以通过大小写绕过方式进行上传文件
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
//适用于windows操作系统,windows会将$::DATA看作数据流,不在检查文件的后缀
$file_ext = trim($file_ext); //首尾去空
//不加此条语句可以通过后缀夹杂空格的方式进行文件上传,例如:shell.p hp
主要考察这几个函数:trim() strrchr() strtolower() str_ireplace()
文件上传的几种方法,1.前端绕过,2.后端MIME类型修改(content-type),3.php1,php3绕过和针对windows的双写::DATA绕过,4. .htaccess绕过,5.对于缺少将文件后缀转化为小写(strtolower)的可以使用大小写绕过,6.空格绕过,给文件后缀加空格,进行绕过,7.点绕过,给后缀加.8,::DATA绕过,9.点空格点绕过,10.双写后缀绕过
第九题
点空格点桡过
例如:eval.php.
源码展示
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //转换为小写
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = '此文件不允许上传';
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
第十题
双写后缀
例如:eval.pphphp
源码展示
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
//把文件名中含有的$deny_ext的字符替换为空,只能替换一次
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
$img_path = $UPLOAD_ADDR . '/' .$file_name;
$is_upload = true;
}
} else {
$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
}
}
第11题
get方式上传save_path 直接拼接%00 ,url会直接认为结束,实行00截断
00截断
php版本小于5.3.4,且php.ini配置文件中,magic_quotes_gpc设置为Off
源码展示
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
//拼接上传路径 save_path替换为./upload/eval.php%00后,url不在向后读取
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = '上传失败!';
}
}
else{
$msg = "只允许上传.jpg|.png|.gif类型文件!";
}
}
第12题
post方式上传save_path,改字符16进制为00,拼接在eval.php后边
00截断
第13题
图片马合成
注:这里111.jpg写在前边,php代码会拼接到图片末尾
代码不可写成
copy eval.php/b + 111.jpg/a eval111.jpg
虽然依然可以合成图片马,但是因为 代码中对文件读取头两个字节,并以此判断文件类型 ,所以不可逆
这一关是上传一个图片马,根据源码可以看出是对文件的幻数进行检查,文件幻数:在特定文件格式中加入固定数值和固定字符串,然后便可以通过检查文件是否包含这些数据来快速地识别文件格式。
例:
本关是直接取的前两个字节,然后拼成数字进行比较的,比如jpg格式的,FF是255,D8是216,那拼接出来的数字就是255216。可以通过在图片后面附加php的代码来制作图片马,由于本关的限制比较少,也可以直接用bp截断后,然后在文件头加上jpg的文件幻数
手动在源码中加入文件包含脚本,验证图片马上传成功
在该位置加入代码,方便进行文件包含测试。
直接包含图片马文件,此路径是作者路径,仅为演示操作,小伙伴可改为自己的路径进行测试。
http://localhost:8080/upload-labs/index.php?page=../../upload/eval111.jpg
源码展示
function getReailFileType($filename){
$file = fopen($filename, "rb");
$bin = fread($file, 2); //只读2字节
fclose($file);
$strInfo = @unpack("C2chars", $bin);
//unpack() 函数从二进制字符串对数据进行解包。unpack(格式,二进制数据)
$typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
//intval() 函数用于获取变量的整数值。
$fileType = '';
switch($typeCode){
case 255216:
$fileType = 'jpg';
break;
case 13780:
$fileType = 'png';
break;
case 7173:
$fileType = 'gif';
break;
default:
$fileType = 'unknown';
}
return $fileType;
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_type = getReailFileType($temp_file);
if($file_type == 'unknown'){
$msg = "文件未知,上传失败!";
}else{
$img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").".".$file_type;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = "上传失败";
}
}
}
?>
unpack格式规定
a - NUL-padded string
A - SPACE-padded string
h - Hex string, low nibble first
H - Hex string, high nibble first
c - signed char
C - unsigned char
s - signed short (always 16 bit, machine byte order)
S - unsigned short (always 16 bit, machine byte order)
n - unsigned short (always 16 bit, big endian byte order)
v - unsigned short (always 16 bit, little endian byte order)
i - signed integer (machine dependent size and byte order)
I - unsigned integer (machine dependent size and byte order)
l - signed long (always 32 bit, machine byte order)
L - unsigned long (always 32 bit, machine byte order)
N - unsigned long (always 32 bit, big endian byte order)
V - unsigned long (always 32 bit, little endian byte order)
f - float (machine dependent size and representation)
d - double (machine dependent size and representation)
x - NUL byte
X - Back up one byte
@ - NUL-fill to absolute position
第14题
制作图片马
copy 1.jpg/b + 2.php/a 3.jpg
文件包含代码如上题
代码展示
function isImage($filename){
$types = '.jpeg|.png|.gif';
if(file_exists($filename)){
$info = getimagesize($filename);
//getimagesize() 函数用于获取图像大小及相关信息,成功返回一个数组,失败则返回 FALSE 并产生一条 E_WARNING 级的错误信息。
$ext = image_type_to_extension($info[2]);
//image_type_to_extension — 根据指定的图像类型返回对应的后缀名。
if(stripos($types,$ext)){
return $ext;
}else{
return false;
}
}else{
return false;
}
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$res = isImage($temp_file);
if(!$res){
$msg = "文件未知,上传失败!";
}else{
$img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").$res;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = "上传失败";
}
}
}