File Upload
~羽~.
Just growing wild
upload-labs:pass-21
```php
$is_upload = false;
$msg = null;
if(!empty($_FILES['upload_file'])){
    // Check MIME type
    $allow_type = array('image/jpeg','image/png','image/gif');
    if(!in_array($_FILES['upload_file']['type'],$allow_type)){
        $msg = "禁止上传该类型文件!";
    }else{...
```
Original · 2021-07-11 21:58:02 · 139 views · 0 comments
upload-labs:pass-20
Upload a file, plus enter a file name. This quickly brought to mind the POST %00 truncation from challenge 13.
Original · 2021-07-11 21:09:45 · 143 views · 0 comments
upload-labs:pass-19
I tried it, and an image webshell works here too.
```php
//index.php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
    require_once("./myupload.php");
    $imgFileName =time();
    $u = new MyUpload($_FILES['upload_file']['name'], $_FILES['upload_file']['tmp_name'], $_FIL...
```
Original · 2021-07-11 20:59:30 · 155 views · 0 comments
upload-labs:pass-18
The hint says a code audit is needed. OK, let's open the source and take a look.
```php
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = sub...
```
Original · 2021-07-11 20:45:24 · 166 views · 0 comments
upload-labs:pass-17
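This challenge is about secondary rendering: the back end re-renders the image, which removes the illegitimate code from it. The image webshell before upload: The image webshell after upload: The code has been filtered out.
Original · 2021-07-11 17:10:50 · 129 views · 0 comments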
upload-labs:pass-16
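Before doing this challenge, first open the php.ini file and remove the `;` in front of the php_exif module, then restart Apache. After that, uploads work normally. This is a PHP built-in function that reads the first byte of an image and checks its signature. An image webshell still gets through...
Original · 2021-07-11 13:05:52 · 167 views · 0 comments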
upload-labs:pass-15
```php
function isImage($filename){
    $types = '.jpeg|.png|.gif';
    if(file_exists($filename)){
        $info = getimagesize($filename);
        $ext = image_type_to_extension($info[2]);
        if(stripos($types,$ext)>=0){
            return $ext;
            ...
```
Original · 2021-07-11 12:54:52 · 290 views · 0 comments
upload-labs:pass-14
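This one uses a whitelist, and the challenge asks for an image webshell upload. So first, build the image webshell. Image webshell creation method 1. Image webshell creation method 2. To be clear: an uploaded image webshell does not execute directly, and connecting to it directly with China Chopper or AntSword will not work either, because the back end will not parse an image as binary code for no reason. It therefore has to be combined with a file inclusion vulnerability, and upload-labs provides one.
```php
<?php
/* This page has a file inclusion vulnerability, used to test whether an image webshell runs correctly! */
header("Content-Type:text/html;charset=utf-8");
$file...
```
Original · 2021-07-11 12:24:01 · 1197 views · 1 comment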
upload-labs:pass-13
```php
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        ...
```
Original · 2021-07-09 20:59:14 · 185 views · 0 comments
upload-labs:pass-12
```php
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        ...
```
Original · 2021-07-09 20:32:03 · 174 views · 0 comments
upload-labs:pass-11
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa...
```
Original · 2021-07-09 19:58:41 · 103 views · 0 comments
upload-labs:pass-10
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".p...
```
Original · 2021-07-09 12:57:01 · 102 views · 0 comments
upload-labs:pass-09
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",...
```
Original · 2021-07-09 12:41:52 · 108 views · 0 comments
upload-labs:pass-08
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",...
```
Original · 2021-07-09 12:27:12 · 145 views · 0 comments
upload-labs:pass-07
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",...
```
Original · 2021-07-09 12:17:52 · 89 views · 0 comments
upload-labs:pass-06
Compare challenge 6 with challenge 3 and spot the difference.
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp...
```
Original · 2021-07-09 11:58:12 · 190 views · 0 comments
upload-labs:pass-04
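The back end filters a lot, including case variations. It occurred to me that the .htaccess suffix is still usable. (File name): .htaccess (Content): SetHandler application/x-httpd-php. Its effect is to make the back end execute files with any extension as PHP (a crude way of putting it, but that is the idea). So we upload the webshell directly. In practice this depends on the back-end configuration and only works in specific environments; it counts as one of the bypass techniques...
Original · 2021-07-07 19:41:55 · 540 views · 0 comments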
upload-labs:pass-05
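In type, this is still a back-end blacklist bypass. The difference here is that .htaccess has also been added, so the pass-04 method no longer works. There is another configuration file, though: .user.ini, which is effectively a user-defined php.ini. First upload a .user.ini file whose content is auto_prepend_file=hacker.gif, which means that every PHP file automatically includes hacker.gif. Then upload a script containing a PHP one-liner, named hacker.gif, so that hack...
Original · 2021-07-07 18:01:07 · 214 views · 0 comments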
upload-labs:pass-03
The back end applies a blacklist to file extensions, and PHP is obviously on it. So we use PHP's aliases: .php .phtml .phps .php5 .pht,phtm,php3,php4
Original · 2021-07-06 13:53:57 · 94 views · 0 comments
upload-labs:pass-02
```php
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif'))
```
This code checks the file type on the back end. Connected successfully.
Original · 2021-07-06 12:37:34 · 65 views · 0 comments
upload-labs:pass-01
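The first challenge is fairly simple: it is only a front-end JS check. Capture the request with Burp Suite and change the extension. Then connect with AntSword.
Original · 2021-07-05 21:48:58 · 49 views · 0 comments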