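Pass07 bypass approach: append "." to the extension.
Pass08 bypass approach: append "::$DATA" to the extension; case-variation bypass.
Pass10 bypass approach: change the extension to ".pphpphp".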
Pass07
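7.1 Review the source code
The code does not handle a dot at the end of the file extension.
7.2 Upload with "." appended to the extension
7.3 Upload succeeds
7.4 Connect with the tool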
Pass08
8.1 Review the source code
8.2 Append the bypass suffix "::$DATA"
8.3 Connect
Pass09
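9.1 Review the source code
The check can be bypassed by uploading "shit.php. .". During the upload the last dot is removed, the extension is extracted as ".php. ", and the trailing space is then removed, so what remains is "shit.php."; in a Windows environment this then becomes shit.php.
9.2 Append the suffix ". ." (dot, space, dot)
9.3 Connect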
Pass10
This time we use phpinfo() for testing.
10.1 Create a new script
<?php
phpinfo();
?>
Change the script's extension to "png"
10.2 Upload
The source code is as follows:
<li id="show_code">
<h3>Code</h3>
<pre>
<code class="line-numbers language-php">$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        // Blacklist of extensions to strip from the uploaded file name
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = trim($_FILES['upload_file']['name']);
        // Each blacklisted string is removed in a single pass, case-insensitively
        $file_name = str_ireplace($deny_ext,"", $file_name);
        if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
            $img_path = $UPLOAD_ADDR . '/' .$file_name;
            $is_upload = true;
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
</code>
</pre>
</li>
Capture the request and change the extension:
10.3 Test the script
http://localhost/upload-labs/upload/1.php
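
The four passes above all defeat checks that clean up or blacklist the client-supplied file name. As an added example (not upload-labs code and not from the original write-up), here is an allowlist check that rejects those name shapes outright and stores the file under a server-generated name; `ALLOWED_EXT` and `safe_upload_name()` are hypothetical names, and the sample file names are constructed.

```php
<?php
// Added example, not upload-labs code. ALLOWED_EXT and safe_upload_name()
// are hypothetical names chosen for this sketch.
const ALLOWED_EXT = ['png', 'jpg', 'gif'];

/**
 * Return a server-generated name with an allowlisted extension, or null to reject.
 * The client-supplied name is only inspected, never used as the stored name.
 */
function safe_upload_name(string $clientName): ?string
{
    // Reject instead of "cleaning": stripping dots, spaces or substrings
    // changes the name after it was checked.
    if (strpos($clientName, "\0") !== false      // embedded NUL byte
        || strpos($clientName, ':') !== false    // NTFS stream syntax such as ::$DATA
        || preg_match('/[. ]$/', $clientName)    // Windows drops trailing dots and spaces
        || preg_match('#[/\\\\]#', $clientName)  // path separators
    ) {
        return null;
    }
    // Compare the lower-cased final extension against the allowlist only.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Random stored name: nothing from the request reaches the file system.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names covering the shapes discussed in Pass07 to Pass10.
$samples = ['1.php.', '1.php::$DATA', 'shit.php. .', '1.pphpphp', '1.PHP', 'photo.png'];
foreach ($samples as $name) {
    $stored = safe_upload_name($name);
    printf("%-14s => %s\n", $name, $stored ?? 'rejected');
}
```

Only `photo.png` is accepted. A renamed script such as the `png` file from 10.1 would still pass a name check, so the upload directory should also be configured so that the web server never executes files stored in it.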