#upload-labs
pass 11
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else{
$msg = "只允许上传.jpg|.png|.gif类型文件!";
}
}
查看源代码,发现是白名单机制
$img_path = G E T [ ′ s a v e p a t h ′ ] . " / " . r a n d ( 10 , 99 ) . d a t e ( " Y m d H i s " ) . " . " . _GET['save_path']."/".rand(10, 99).date("YmdHis").".". GET[′savepath′]."/".rand(10,99).date("YmdHis").".".file_ext;
但是$img_path却是用save_path拼接的,于是想到之前一直看到的%00截断
直接上传hack.php
PS:利用%00截断,php版本必须是5.2x的,并且magic_quotes_gpc = Off
pass 12
这题也可以用%00截断,但是这次的save_path是用post方法得到的,所以会比较麻烦
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上传失败";
}
} else {
$msg = "只允许上传.jpg|.png|.gif类型文件!";
}
}
这次需要在二进制中进行修改,因为post不会像get对%00进行自动解码。在0a 0d 前面加上00
先上传hack.php,然后通过抓包工具
成功上传