一.前言

? upload-labs-master是文件上傳靶場，里面目前總共有19關(guān)，github地址https://github.com/c0ny1/upload-labs，今天要說的是這個靶場的第七關(guān)的解法

二.正文

先看下第七關(guān)長什么樣

和其他幾關(guān)一樣，咱們先直接看下源碼吧

$is_upload = false; $msg = null; if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上傳出錯！';}} else {$msg = '此文件類型不允許上傳！';}} else {$msg = UPLOAD_PATH . '文件夾不存在,請手工創(chuàng)建！';} }

說一下上面的代碼，雖然php不怎么會但是作者已經(jīng)把改寫的注釋已經(jīng)寫上了，所以我就照著作者的注釋說一下

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
#上面這個就是傳說中的黑名單了，只要上傳的文件的后綴名在這個里邊，都會上傳不成功，當然繞過方法也是有的 $file_ext = strrchr($file_name, '.');
#這個需要解釋下了，strrchr的作用先說下，strrchr() 函數(shù)查找字符在指定字符串中從后面開始的第一次出現(xiàn)的位置，如果成功，則返回從該位置到字符串結(jié)尾的所有字符，如果失敗，則返回 false。與之相對應(yīng)的是strstr()函數(shù)，它查找字符串中首次出現(xiàn)指定字符的位置
舉個栗子：

<?php
echo strrchr( '123456789.xls' , '.' ); //程序從后面開始查找 '.' 的位置，并返回從 '.' 開始到字符串結(jié)尾的所有字符 程序的輸出結(jié)果是：.xls ?> $file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫，比如你后綴寫成Php，想用大小寫繞過的時候就不行了，這段代碼將所有的大寫轉(zhuǎn)換成小寫 $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA ? $file_ext = trim($file_ext); //首尾去空，將你后綴名里的前后空格都去掉

看看上面的代碼都限制了多少吧，大小寫，加空格，加字符串，黑名單，好多限制。。。。。

這個時候可以采用一種方法來繞過，因為靶場是搭建在windows上的，所以windows有一個特性，windows系統(tǒng)自動去掉不符合規(guī)則符號后面的內(nèi)容，什么意思呢？舉個栗子

比如你新建了一個1.txt文件，然后你將名稱改為1.txt.試試，雖然會有下面的警告，但是windows還是會默認去掉后面的.，名字還是變成了1.txt

這個時候我們就可以利用.來繞過限制了，因為strrchr函數(shù)會將上傳的文件名后綴處理為.php.，當上傳到win機器上時又會將后面的.去掉，然后后綴就又會被還原成.php，這樣就可以執(zhí)行了，下面演示一下

首先上傳1.php文件并抓包，在burp修改文件后綴名為.php.

拿c刀連接下試試

連接成功，我們上傳的webshell已經(jīng)成功連接上了

?

轉(zhuǎn)載于:https://www.cnblogs.com/Id3al/p/9838584.html

總結(jié)

以上是生活随笔為你收集整理的upload-labs-master文件上传靶场第七关详解的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。