upload-labs

通过文件上传，我们可以将自己想要的传上去达到目的，而这里都是图片上传，所以我们要通过将文件进行一定伪装
Pass-01
直接将传的文件抓包改后缀
Pass-02
感觉和1类似
Pass-03
此题有黑名单 $deny_ext = array(’.asp’,’.aspx’,’.php’,’.jsp’);
所以选择没有名单中的就行，此题还有 date(“YmdHis”).rand(1000,9999). 此函数随机生成函数名
Pass-04

   $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //收尾去空

那就后缀名为php. .(不在黑名单，删一次点，去一次空格，最后为php）
Pass-05
也用后缀名为php. .就行