Upload-labs File Upload Vulnerability (Double-Write Bypass): Pass 10

本是古典 何须时尚 · 2023-03-02 07:37 · 15 reads · 0 likes

0×00 Challenge overview

[screenshot]

So it's a double-write, then?

0×01 Source code

```php
<?php
// UPLOAD_PATH is a constant defined elsewhere in the Upload-labs project.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Blacklist of extensions to strip from the submitted file name.
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        // Each blacklisted string is removed once, case-insensitively.
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // The sanitized name is used directly as the destination path.
        $img_path = UPLOAD_PATH.'/'.$file_name;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
```

The processed file name is what gets used, and the filter presumably runs only once.

Let's try it.

0×02 Solution steps

Try uploading phpinfo.phphp.

It then uploaded, rather miserably, as this:

[screenshot]

So first, the file name must not contain php, and the double-write should be written as phpphp.

[screenshot]

Then the extension disappeared altogether.

So think of something else: .pphphp

That finally worked.

[screenshot]
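To make the single-pass behaviour concrete from the defender's side, here is an added example (my own code, not part of Upload-labs) that runs the Pass 10 sanitizer beside two hardened variants: a fixed-point loop that repeats the replacement until the name stops changing, and a whitelist that only accepts known-good extensions and discards the submitted name entirely. The function names strip_once, strip_to_fixpoint and safe_upload_name, the allowed-extension list and the sample file names are my own assumptions.

```php
<?php
// Added example, not part of the Upload-labs source. Function names,
// the allowed-extension list and the sample names below are constructed.

$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht",
    "jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax",
    "ascx","ashx","asmx","cer","swf","htaccess");

// The Pass 10 logic: each blacklisted substring is stripped exactly once,
// so a name whose fragments reassemble into a token after one pass survives.
function strip_once(array $deny_ext, string $name): string {
    return str_ireplace($deny_ext, "", trim($name));
}

// Fixed-point variant: repeat until nothing changes. This closes the
// double-write hole, but it is still a blacklist, so any extension that is
// not listed passes through untouched.
function strip_to_fixpoint(array $deny_ext, string $name): string {
    $name = trim($name);
    do {
        $before = $name;
        $name = str_ireplace($deny_ext, "", $name);
    } while ($name !== $before);
    return $name;
}

// Whitelist variant: accept only a known-good extension and replace the
// client-supplied name with a server-generated one, so nothing from the
// request ends up in the path. Returns null to signal rejection.
function safe_upload_name(string $name, array $allow_ext = array("jpg", "jpeg", "png", "gif")): ?string {
    $ext = strtolower(pathinfo(trim($name), PATHINFO_EXTENSION));
    if (!in_array($ext, $allow_ext, true)) {
        return null;
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample names: the three attempts from the write-up plus a
// case-variant and a legitimate image.
$cases = array("phpinfo.phphp", "phpinfo.phpphp", "info.pphphp", "info.PHP", "photo.jpg");
foreach ($cases as $c) {
    printf("%-16s once=%-10s fixpoint=%-10s whitelist=%s\n",
        $c,
        strip_once($deny_ext, $c),
        strip_to_fixpoint($deny_ext, $c),
        safe_upload_name($c) ?? 'REJECTED');
}
```

Running this shows strip_once turning info.pphphp into info.php (one removal of the inner "php" leaves the outer fragments joined), while strip_to_fixpoint reduces it to "info." and safe_upload_name rejects every name except photo.jpg. The whitelist is the variant worth deploying: it makes the outcome independent of how many times a blacklisted token is repeated, and the generated name also removes path characters from the request entirely.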
