登录后更精彩...O(∩_∩)O...
您需要 登录 才可以下载或查看,没有账号?立即注册
×
BUUCTF靶场14 --[ACTF2020 新生赛]Upload
考点:本地js+服务端后缀类型校验通过源码发现,类型校验在客户端js里面。
[HTML] 纯文本查看 复制代码 <form enctype="multipart/form-data" method="post"> 嘿伙计,你发现它了!
<input class="input_file" type="file" name="upload_file"/>
<input class="button" type="submit" name="submit" value="upload"/>
</form>
[JavaScript] 纯文本查看 复制代码 function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("请选择要上传的文件!");
return false;
}
//定义允许上传的文件类型
var allow_ext = ".jpg|.png|.gif";
//提取上传文件的类型
var ext_name = file.substring(file.lastIndexOf("."));
//判断上传文件类型是否允许上传
if (allow_ext.indexOf(ext_name) == -1) {
var errMsg = "该文件不允许上传,请上传jpg、png、gif结尾的图片噢!";
alert(errMsg);
return false;
}
}
本地js
直接禁掉js即可,上传1.php
nonono~ Bad file!
后缀
php改后缀为phtml
Upload Success! Look here~ ./uplo4d/b284530b9d2636c66a4e6f32315ccac3.phtml
MIME类型:Content-Type
index.php
[HTML] 纯文本查看 复制代码 <form enctype="multipart/form-data" method="post">
嘿伙计,你发现它了!
<input class="input_file" type="file" name="upload_file"/>
<input class="button" type="submit" name="submit" value="upload"/>
</form>
[PHP] 纯文本查看 复制代码 <?php
error_reporting(0);
//设置上传目录
define("UPLOAD_PATH", "./uplo4d");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_name = $_FILES['upload_file']['name'];
$ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(in_array($ext, ['php', 'php3', 'php4', 'php5'])) {
exit('nonono~ Bad file!');
}
$new_file_name = md5($file_name).".".$ext;
$img_path = UPLOAD_PATH . '/' . $new_file_name;
if (move_uploaded_file($temp_file, $img_path)){
$is_upload = true;
} else {
$msg = 'Upload Failed!';
}
echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}
?>
| 
发表于 2022-9-1 20:32:13
