![](https://img-blog.csdnimg.cn/20201014180756918.png?x-oss-process=image/resize,m_fixed,h_64,w_64)
upload-labs
upload-labs
weixin_50339082
这个作者很懒,什么都没留下…
展开
-
upload-labs pass-14~16
upload-labs pass-14Pass-14先看一下源码(图片马):function getReailFileType($filename){ $file = fopen($filename, "rb"); $bin = fread($file, 2); //只读2字节 fclose($file); $strInfo = @unpack("C2chars", $bin); $typeCode = intval($strInfo['chars1']原创 2021-06-26 17:26:10 · 244 阅读 · 1 评论 -
upload-labs pass-12
upload-labs pass-12Pass-12先看一下源码(白名单验证–GET型0x00截断):$is_upload = false;$msg = null;if(isset($_POST['submit'])){ $ext_arr = array('jpg','png','gif'); $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1原创 2021-06-25 16:42:10 · 332 阅读 · 2 评论 -
upload-labs pass-11
upload-labs pass-11Pass-11先看一下源码(黑名单绕过–双写绕过):$is_upload = false;$msg = null;if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","原创 2021-06-24 10:53:09 · 62 阅读 · 2 评论 -
upload-labs pass-10
upload-labs pass-10Pass-10先看一下源码(黑名单绕过–“. .”):$is_upload = false;$msg = null;if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pH原创 2021-06-24 10:49:32 · 205 阅读 · 0 评论 -
upload-labs pass-09
upload-labs pass-09Pass-09先看一下源码(黑名单绕过–特殊字符::$DATA绕过):$is_upload = false;$msg = null;if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".p原创 2021-06-24 10:39:41 · 122 阅读 · 1 评论 -
upload-labs pass-08
upload-labs pass-08Pass-08先看一下源码(黑名单绕过–点号绕过):$is_upload = false;$msg = null;if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp原创 2021-06-24 10:36:18 · 182 阅读 · 0 评论 -
upload-labs pass-07
upload-labs pass-07Pass-07先看一下源码(黑名单绕过–空格绕过):$is_upload = false;$msg = null;if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp原创 2021-06-24 10:32:55 · 180 阅读 · 0 评论 -
upload-labs pass-06
upload-labs pass-06Pass-06先看一下源码(黑名单绕过–大小写绕过):$is_upload = false;$msg = null;if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pH原创 2021-06-23 09:51:06 · 176 阅读 · 1 评论 -
upload-labs pass-05
upload-labs pass-05Pass-05先看一下源码(黑名单验证-.user.ini):$is_upload = false;$msg = null;if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",原创 2021-06-22 20:19:39 · 70 阅读 · 0 评论 -
upload-labs pass-04
upload-labs pass-04Pass-04先看一下源码(黑名单绕过–.htaccess):$is_upload = false;$msg = null;if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht"原创 2021-06-22 15:36:12 · 124 阅读 · 2 评论 -
upload-labs pass-03
upload-labs pass-03Pass-03先看一下源码(黑名单绕过):$is_upload = false;$msg = null;if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array('.asp','.aspx','.php','.jsp'); $file_name = trim($_FILES['upload_file']['name']原创 2021-06-22 15:05:22 · 82 阅读 · 0 评论 -
upload-labs pass-02
upload-labs pass-02Pass-02先看一下源码:$is_upload = false;$msg = null;if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FI原创 2021-06-22 11:11:38 · 49 阅读 · 0 评论 -
upload-labs pass-01
upload-labs第一关level1第一种根据提示这是本地js文件上传绕过,将浏览器中的js检验代码删除。第二种将一句话木马的后缀改成可以上传的文件类型,利用burp suit抓包再改包绕过js。<?phpphpinfo();?>改包过程。上传成功。...原创 2021-06-22 10:39:41 · 58 阅读 · 0 评论