upload-pass09
Source excerpt
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // strip the dots at the end of the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // convert to lower case
$file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
$file_ext = trim($file_ext); // trim leading and trailing whitespace
Compared with the previous levels, this one applies every one of the filters and restrictions above, yet it still has a logic flaw.
When we construct a file named phpinfo.php. . (dot, space, dot):
phpinfo.php. . --strip the dots at the end of the name--> phpinfo.php.
phpinfo.php. ------convert to lower case----------> phpinfo.php.
phpinfo.php. ---remove the string ::$DATA--> phpinfo.php.
phpinfo.php. -------trim whitespace------------> phpinfo.php.
phpinfo.php. --extension is not on the black-list---> uploaded successfully -----> the trailing . is dropped by default when the name is resolved ---> the result is equivalent to uploading phpinfo.php
Accessing the uploaded file works normally.
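An added example, not upload-labs' own code, that puts the excerpt's single-pass extension check beside a fixed-point normaliser with an extension allow-list; the function names, the reconstructed deldot() behaviour and the allow-list contents are assumptions.

```php
<?php
// Added example, not upload-labs code. Re-implements the single-pass check from
// the excerpt above so the gap is visible, then a fixed-point normaliser with an
// extension allow-list. deldot() is assumed to strip only the dots at the very end.

function singlePassExt(string $name): string {
    $name = rtrim(trim($name), '.');            // deldot(): a trailing space stops it
    $ext  = (string) strrchr($name, '.');       // false -> "" when there is no dot
    $ext  = strtolower($ext);
    $ext  = str_ireplace('::$DATA', '', $ext);
    return trim($ext);                          // each step runs exactly once
}

// Hardened: strip path parts, then repeat the normalisation until nothing changes,
// so "name. ." or "name.php::$DATA. " cannot survive by beating the step order.
function normalizeName(string $name): string {
    $name = basename(str_replace('\\', '/', $name));
    do {
        $before = $name;
        $name = str_ireplace('::$DATA', '', $name);  // NTFS alternate data stream marker
        $name = rtrim($name, ". \t\r\n\0");          // what Windows drops when resolving
    } while ($name !== $before);
    return $name;
}

// Returns a server-chosen storage name, or null when the upload must be rejected.
function safeStorageName(string $name, array $allow = ['jpg', 'jpeg', 'png', 'gif']): ?string {
    $name = normalizeName($name);
    $dot  = strrpos($name, '.');
    if ($dot === false || $dot === 0) {
        return null;                            // no extension, or a dot-file only
    }
    $ext = strtolower(substr($name, $dot + 1));
    if (!in_array($ext, $allow, true)) {
        return null;                            // black-lists miss variants; allow-list instead
    }
    // Never reuse the client-supplied name on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$probe = 'phpinfo.php. .';                      // the name used in the walkthrough above
printf("single pass ext: [%s]\n", singlePassExt($probe));
printf("normalised:      [%s]\n", normalizeName($probe));
printf("storage name:    [%s]\n", safeStorageName($probe) ?? 'rejected');
printf("storage name:    [%s]\n", safeStorageName('cat.JPG') ?? 'rejected');
```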