靶场代码:
class Challenge {
const UPLOAD_DIRECTORY = './solutions/';
private $file;
private $whitelist;
public function __construct($file) {
$this->file = $file;
$this->whitelist = range(1, 24); //生成包含1-24的数组
}
public function __destruct() {
if (in_array($this->file['name'], $this->whitelist)) { //验证邮箱的名字但是并没有验证上传文件的文件类型
move_uploaded_file(
$this->file['tmp_name'],
self::UPLOAD_DIRECTORY . $this->file['name']
);
}
}
}
$challenge = new Challenge($_FILES['solution']);
该代码在第10行中包含一个任意文件上传