4.黑名单绕过(.htaccess方法)
源码一打开,遇到这样的黑名单是不是看的头皮发麻,这么多后缀都禁用。
.htaccess可以启用或禁用apache的功能,利用这个特点,我们可以使用该文件来禁用上述黑名单功能,从而上传**文件。
简单思路:先上传.htaccess文件,禁用掉某一功能后,再上传文件。
以下是.htaccess文件的代码:要上传什么文件就在后面写什么文件
<FilesMatch "123.jpg">
SetHandler application/x-httpd-php
</FilesMatch>123.jpg的文件可以简单写为:
<?php
phpinfo();
?>上传成功后复制图片地址,访问如图:
5.大写绕过
多数文件后缀都被限制,甚至.htaccess也被限制,我们可以找找文件名处理的一些办法,与第四点的源码对比,我们可以发现,其缺少对文件转为小写的操作,于是可以通过大写后缀来绕过文件后缀限制。
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空简单思路:开启BP,上传info.php,BP拦截成功后,将info.php改为info.PHP,如图:
复制图像链接访问如图:即上传成功。
