文件上传漏洞的前端过滤,对文件名检验
function check(){
upfile = document.getElementById("upfile");
submit = document.getElementById("submit");
name = upfile.value;
ext = name.replace(/^.+\./,'');
if(['jpg','png'].contains(ext)){
submit.disabled = false;
}else{
submit.disabled = true;
alert('请选择一张图片文件上传!');
}
}
###思路
将一句话木马的后缀名改成.jpg,用burp抓包,改成文件后缀名为.php,再用中国菜刀去连接它