1、可以查看下源码,从这里可以看到它设置了一个超级长的黑名单。
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
2、这里没有对 .htaccess 文件进行过滤,所以我们这样来做,在本地准备一个 .htaccess 文件。写入以下内容,这个文件的功能就是借助Apache从右到左的解析机制来解析文件。
SetHandler application/x-httpd-php
因此我们只要上传一个类似于aa.php.s34vt4esrg54e.se54vyer5h 后面随意的文件,它都能够当成 aa.php来执行
3、准备好以后上传 .htaccess
4、再上传准备好的php文件,但是需要加一个其他的后缀名,此时可以直接上传
5、访问