Upload-labs文件上传漏洞(双写绕过)——Pass10

本是古典 何须时尚 2023-03-02 07:37 15阅读 0赞

0×00 题目概述

20200728102322812.png

所以说是双写吗?

0×01 源代码

  1. $is_upload = false;
  2. $msg = null;
  3. if (isset($_POST['submit'])) {
  4.     if (file_exists(UPLOAD_PATH)) {
  5.         $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
  7.         $file_name = trim($_FILES['upload_file']['name']);
  8.         $file_name = str_ireplace($deny_ext,"", $file_name);
  9.         $temp_file = $_FILES['upload_file']['tmp_name'];
  10.         $img_path = UPLOAD_PATH.'/'.$file_name;        
  11.         if (move_uploaded_file($temp_file, $img_path)) {
  12.             $is_upload = true;
  13.         } else {
  14.             $msg = '上传出错!';
  15.         }
  16.     } else {
  17.         $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
  18.     }
  19. }

使用的是处理过后的文件名,应该只过滤一次吧

尝试一下

0×02 解题步骤

尝试上传phpinfo.phphp

然后很惨烈上传成了这样

202007281040449.png

所以首先文件名不要带php,然后双写应该写成phpphp.

2020072810475829.png

然后后缀就没了

那就再想想别的 .pphphp

终于行了

20200728105302646.png

发表评论

表情:
评论列表 (有 0 条评论,15人围观)

还没有评论,来说两句吧...

相关阅读