upload-labs靶场-Pass-08关-思路以及过程
- 看不見的法師
- 2025-08-19
- 热度
在开始之前,我们需要做一些准备工作。
upload-labs靶场是在PHP环境下运行的,因此我准备了一个PHP脚本和一张图片。图片很容易准备,如果你不想自己编写PHP脚本,可以使用我提供的这个获取当前时间的PHP脚本。
代码语言:PHP 运行次数:0
注意:图片默认不清晰,请放大查看!
Pass-08
代码:
代码语言:PHP 运行次数:0
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // 删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // 转换为小写
$file_ext = trim($file_ext); // 首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}这关之前的方法基本上是行不通的。
通关过程:这一关实际上是利用了Windows系统的一个命名特性。在Windows系统中,如果文件名后面加上"
::$DATA",系统会将
::$DATA之后的数据视为文件流处理,不会检查后缀名,并且保留
::$DATA之前的文件名,其目的是为了绕过后缀名检查。
举个例子:
上传文件名为:
测试.php::$DATA,在Windows系统中会自动去掉末尾的
::$DATA,变成"
测试.php"或者"
xxx.php"。
通关完成!