Open Pass-10 and click "Show source code":
// Pass-10 source as displayed by the lab (UPLOAD_PATH is defined elsewhere in upload-labs).
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Extension blacklist; there is no allowlist and no check on the final, rewritten name.
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        // A single case-insensitive pass: each blacklisted string is deleted wherever it occurs, once.
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // The rewritten name is used directly as the destination path.
        $img_path = UPLOAD_PATH.'/'.$file_name;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
Reading the code: the name of the uploaded file, $_FILES['upload_file']['name'], is passed through trim() to strip whitespace and then through str_ireplace() to delete every string in the blacklist. For example, the blacklist contains php, so if the submitted file name contains the characters php, that substring is deleted.
123.php ======> 123, and the upload then proceeds
We just uploaded info.php successfully, and when copying its link and opening it in the browser we found that the php extension had been removed.
Also, since str_ireplace() is case-insensitive, a case-variation bypass clearly will not work either. So we can consider inserting php inside the php extension so that it survives the replacement:
As shown, after the inner php is removed, the file name still ends in a php extension.
Start Burp Suite intercept, upload the file, change the file extension in the captured request to pphphp, and then forward it.
Right-click to copy the image address, open it in the browser, and the server's PHP info page is returned successfully:
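The root cause in this level is that a single pass of str_ireplace() is used as if it were a sanitiser: it rewrites the name instead of rejecting it, and the result is never re-checked. The following added example (my own code, not part of this write-up or of upload-labs) reproduces the lab's filter side by side with two defensive variants: a repeat-until-stable blacklist, and the preferable approach of validating the final extension against an allowlist. The sample file names are constructed for the demonstration, and the jpg/jpeg/png/gif allowlist is an assumption, not something the lab defines.

```php
<?php
// Added example: comparing the lab's single-pass blacklist with defensive checks.
// Not part of upload-labs; UPLOAD_PATH and the real upload handling are omitted.

$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht",
    "jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax",
    "ascx","ashx","asmx","cer","swf","htaccess");

// The lab's filter, reproduced: one case-insensitive pass over the raw name.
function lab_filter(string $name, array $deny): string {
    return str_ireplace($deny, "", trim($name));
}

// Defensive variant 1: if a blacklist must be kept, repeat the replacement
// until the name stops changing, so a nested spelling cannot survive one pass.
function strip_until_stable(string $name, array $deny): string {
    $name = trim($name);
    do {
        $before = $name;
        $name = str_ireplace($deny, "", $name);
    } while ($name !== $before);
    return $name;
}

// Defensive variant 2 (preferred): do not rewrite at all; check the extension
// of the name that would actually reach disk against a short allowlist and
// reject anything else. The allowlist here is an assumed example.
function extension_allowed(string $name, array $allow = ["jpg", "jpeg", "png", "gif"]): bool {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== "" && in_array($ext, $allow, true);
}

// Constructed sample names: plain, double-written, upper-case, another
// blacklisted extension, and a legitimate image.
$samples = ["info.php", "info.pphphp", "info.PHP", "shell.phtml", "photo.jpg"];

printf("%-14s %-14s %-14s %s\n", "input", "lab_filter", "stable", "allowlist");
foreach ($samples as $s) {
    $after_lab = lab_filter($s, $deny_ext);
    printf("%-14s %-14s %-14s %s\n",
        $s,
        $after_lab,
        strip_until_stable($s, $deny_ext),
        extension_allowed($after_lab) ? "accept" : "reject");
}
// For "info.pphphp" lab_filter() yields "info.php" (the inner php is removed
// and the outer halves close up), strip_until_stable() yields "info.", and
// the allowlist check rejects it; only "photo.jpg" is accepted.
```

The allowlist check is applied to the name after the lab's rewriting, because that is the name move_uploaded_file() would write; checking the raw name and then rewriting it is the same mistake in a different order. In practice the stored file should also be given a server-generated name rather than the client's, so that the client never controls the path at all.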