upload-labs pass-11

最新推荐文章于 2024-07-17 23:48:55 发布

weixin_50339082

最新推荐文章于 2024-07-17 23:48:55 发布

阅读量62

点赞数

分类专栏： upload-labs 文章标签：安全 php windows apache firefox

本文链接：https://blog.csdn.net/weixin_50339082/article/details/118180610

版权

upload-labs 专栏收录该内容

13 篇文章 0 订阅

订阅专栏

upload-labs pass-11

Pass-11

先看一下源码（黑名单绕过–双写绕过）：

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");

        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;        
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错！';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

上传402.php文件成功，但文件不能执行，并且发现文件后缀不见了。
开启burpsuit抓包，在文件名后缀增加一个php，不过要注意插入的位置，点击forward，回到浏览器发现上传成功。

weixin_50339082

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
2
评论
upload-labs pass-11

upload-labs pass-11Pass-11先看一下源码（黑名单绕过–双写绕过）：$is_upload = false;$msg = null;if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","
复制链接

扫一扫