upload-labs_pass20 - move_uploaded_file function behavior
pass20 - Hint and source code analysis
Hint:
Source code:
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
            // The save name comes straight from the client-controlled form field
            $file_name = $_POST['save_name'];
            // Only the extension of that name is compared against the blacklist
            $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
            if(!in_array($file_ext,$deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                $img_path = UPLOAD_PATH . '/' .$file_name;
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                }else{
                    $msg = '上傳出錯!';
                }
            }else{
                $msg = '禁止保存為該類型文件!';
            }
        } else {
            $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
        }
    }

First, there is a blacklist:
"php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess"
The filename is taken from the save_name variable in the POST data, and this variable can be edited:
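Recall some earlier levels: if save_path can be modified, the path can be changed. pass12-pass13
Those two levels are the examples mentioned of bypassing the check by filename truncation.
Back to the source code: save_name is taken from the form field on the front end and stored in $file_name.
The extension is then extracted from it with pathinfo().
Next, the if statement checks whether the extension is in the blacklist.
The file is then saved to the specified path.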
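pass20 - Bypass approach
Use a behavior of the move_uploaded_file() function
A name written in the form as upload-19.jpg/. is treated as upload-19.jpg
In that case the blacklist is no longer matched.
So upload the one-line webshell file shell.php, with the save name specified as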
upload-19.shell/.
Upload succeeded:
Try connecting to the webshell
Level 20 passed.
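The mismatch behind this bypass, next to a stricter check, as an added example (not upload-labs code and not the author's). UPLOAD_DIR, ALLOWED_EXT and resolve_upload_target() are hypothetical names, and the sample save names are constructed.

```php
<?php
// Added example. UPLOAD_DIR and ALLOWED_EXT are assumptions, not values from the lab.
const UPLOAD_DIR  = '/var/www/uploads';
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Validate a client-supplied save name.
 * Returns the server-side path to store the upload under, or null to reject.
 */
function resolve_upload_target(string $requested): ?string
{
    // Accept a single plain path component only: no separators, no NUL bytes.
    if ($requested === '' || strpbrk($requested, "/\\") !== false
        || strpos($requested, "\0") !== false) {
        return null;
    }
    // Reject ".", ".." and names ending in a dot or space, which the
    // filesystem layer may normalise to a different name than the one checked.
    if ($requested !== basename($requested) || preg_match('/[. ]$/', $requested)) {
        return null;
    }
    // Allow-list instead of deny-list, compared case-insensitively and strictly.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Never reuse the client's name on disk: store under a random name.
    return UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample save names, including the one used in this level.
$samples = ['photo.jpg', 'upload-19.php/.', 'shell.php', 'a.PHP', '../x.png', 'pic.png.'];
foreach ($samples as $name) {
    // What the lab's deny-list check compares against its blacklist.
    $seen = var_export(pathinfo($name, PATHINFO_EXTENSION), true);
    $verdict = resolve_upload_target($name) === null ? 'rejected' : 'accepted';
    printf("%-16s pathinfo ext=%-6s strict check: %s\n", $name, $seen, $verdict);
}

// In an upload handler (sketch):
// $target = resolve_upload_target($_POST['save_name'] ?? '');
// if ($target !== null
//     && move_uploaded_file($_FILES['upload_file']['tmp_name'], $target)) { /* stored */ }
```

The deny-list sees an empty extension for a name ending in /. and lets it through, while the strict check rejects it before any path is built.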
Follow the WeChat public account “小東方不敗”! Feel free to get in touch!