Knowledge points:
A PHP server may be configured to parse files with extensions other than .php and execute them as code, so a server-side check that only rejects ".php" is not enough. Extensions commonly mapped to script handlers include:
".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini"
1. Source code analysis shows the front end only allows .png, .jpg and .gif uploads, and the file name is reset (renamed) after upload.
2. Intercepting the upload request and changing the file extension to .php returns "badfile": the server-side code validates the file extension.
3. Trying other extensions one by one, files such as .htaccess, .ini and .phtml can all be uploaded.
4. Upload a one-line webshell, connect with antSword, open the virtual terminal, go back to the root directory and read the flag.
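The root cause in steps 2 and 3 is a blocklist: the server rejects the one extension it thought of (".php") and accepts everything else, including ".phtml" (parsed as PHP on many Apache configurations) and ".htaccess" (which Apache will honour if it lands in the upload directory). The added example below, which is not code from the challenge or the write-up, contrasts a reconstructed blocklist check with an allowlist-based validator of the kind the server should have used. All function names, the `ALLOWED_EXT` table, the upload directory path and the sample file names are constructed for illustration.

```php
<?php
// Added example (not from the write-up): blocklist vs. allowlist validation of
// an uploaded file. Names, paths and sample inputs are constructed.

// 1. Reconstruction of the weak check described in step 2: only ".php" is
//    rejected, so ".phtml", ".htaccess" and ".ini" all pass (step 3).
function weakBlocklistCheck(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== 'php';                     // true = accepted
}

// 2. Allowlist: only these extensions, and each must match the MIME type
//    detected from the file's magic bytes (not the client-supplied type).
const ALLOWED_EXT = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// Name check: pure string logic, no filesystem access.
// Returns [accepted, reason-or-server-chosen-name].
function validateName(string $originalName): array
{
    $base = basename($originalName);
    // ".htaccess" has no extension in pathinfo() terms but is still dangerous:
    // reject any empty or dot-prefixed name outright.
    if ($base === '' || $base[0] === '.') {
        return [false, 'dotfile'];
    }
    // Only the last extension is considered, lower-cased, so ".pHtml" and
    // "x.jpg.phtml" are both rejected; "x.php.jpg" is accepted here but the
    // server-chosen name below drops every part of the original name anyway.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return [false, 'extension not allowed'];
    }
    // Random server-chosen name with a single allowlisted extension: no user
    // input survives into the stored file name.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Content check: magic bytes (finfo) and image header (getimagesize) must agree
// with the extension. A polyglot that passes this can still only be harmful if
// the upload directory executes scripts, which the deployment must prevent.
function validateContent(string $tmpPath, string $ext): array
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== ALLOWED_EXT[$ext]) {
        return [false, "content is $mime, not " . ALLOWED_EXT[$ext]];
    }
    if (@getimagesize($tmpPath) === false) {
        return [false, 'not a decodable image'];
    }
    return [true, 'ok'];
}

// Request handler (assumed form field "file", assumed storage directory outside
// the web root so nothing stored there is ever reachable as a URL).
function handleUpload(array $file, string $storeDir = '/var/app/uploads'): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload error';
    }
    [$ok, $nameOrReason] = validateName($file['name']);
    if (!$ok) {
        return "badfile ($nameOrReason)";
    }
    $ext = pathinfo($nameOrReason, PATHINFO_EXTENSION);
    [$ok, $reason] = validateContent($file['tmp_name'], $ext);
    if (!$ok) {
        return "badfile ($reason)";
    }
    if (!move_uploaded_file($file['tmp_name'], $storeDir . '/' . $nameOrReason)) {
        return 'store failed';
    }
    return "stored as $nameOrReason";
}

// Demo when run from the command line: compare both checks on constructed names.
if (PHP_SAPI === 'cli') {
    foreach (['avatar.jpg', 'shell.php', 'shell.phtml', 'shell.pHtml',
              '.htaccess', 'shell.ini', 'pic.jpg.phtml'] as $name) {
        [$ok, $why] = validateName($name);
        printf("%-15s blocklist:%-8s allowlist:%s\n", $name,
            weakBlocklistCheck($name) ? 'ACCEPT' : 'reject',
            $ok ? 'ACCEPT' : "reject ($why)");
    }
    // Constructed 1x1 GIF so the content check can be exercised offline.
    $gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
         . "\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $gif);
    [$ok, $why] = validateContent($tmp, 'gif');
    printf("1x1 GIF as .gif: %s\n", $ok ? 'ACCEPT' : "reject ($why)");
    [$ok, $why] = validateContent($tmp, 'png');
    printf("1x1 GIF as .png: %s\n", $ok ? 'ACCEPT' : "reject ($why)");
    unlink($tmp);
}
```

The validator alone does not close the hole the write-up exploits; the deployment has to make sure nothing in the upload directory can ever be executed. In Apache terms that means storing uploads outside `DocumentRoot` (as the assumed `/var/app/uploads` above does) or, if they must be web-accessible, setting `AllowOverride None` for that directory so an uploaded .htaccess is ignored, and disabling the PHP handler there (for example `php_admin_flag engine off` under mod_php, or no `SetHandler` to PHP-FPM for that location). Detection-wise, an upload endpoint writing files whose extension is not in the allowlist, or any file named `.htaccess` appearing under an upload path, is a high-signal alert.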