pass20-提示和源碼分析

提示：

源碼：

$is_upload = false; $msg = null; if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");$file_name = $_POST['save_name'];$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);if(!in_array($file_ext,$deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH . '/' .$file_name;if (move_uploaded_file($temp_file, $img_path)) { $is_upload = true;}else{$msg = '上傳出錯！';}}else{$msg = '禁止保存為該類型文件！';}} else {$msg = UPLOAD_PATH . '文件夾不存在,請手工創建！';} }

首先有黑名單：

"php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess"

從POST中的save_name變量獲取文件名，而且這個變量是可以編輯的：

回想到某一關：如果save_path是可以修改的話，是可以更改路徑的。pass12-pass13

這兩關就是提到的利用文件名截斷的方法繞過的例子

回到源代碼，save_name是從前端的表單框中拿到的 ，存儲在了$file_name中，
然后通過

$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);

取到擴展名。
再接著，if條件語句看的是擴展名是不是在黑名單里面。
然后保存到指定路徑。

pass20-繞過思路

利用move_uploaded_file()函數特性

在表單中寫的是upload-19.jpg/. 會被認為是upload-19.jpg

這時候就無法命中黑名單了。

所以上傳一句話木馬文件shell.php，指定保存名稱就是
upload-19.shell/.

上傳成功：

嘗試連接webshell

20關成功。

歡迎關注公眾號“小東方不敗”！歡迎交流！

總結

以上是生活随笔為你收集整理的upload-labs_pass20-move_uploaded_file函数特性的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。