Upload-labs文件上传漏洞(双写绕过)——Pass10
0×00 题目概述
所以说是双写吗?
0×01 源代码
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
使用的是处理过后的文件名,应该只过滤一次吧
尝试一下
0×02 解题步骤
尝试上传phpinfo.phphp
然后很惨烈上传成了这样
所以首先文件名不要带php,然后双写应该写成phpphp.
然后后缀就没了
那就再想想别的 .pphphp
终于行了
还没有评论,来说两句吧...