upload-pass10
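Source code excerpt
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // Blacklist of strings the filter removes from the file name
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        // Trim the client-supplied file name
        $file_name = trim($_FILES['upload_file']['name']);
        // Single case-insensitive pass: delete every blacklisted string
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // The destination path is built from the filtered name
        $img_path = UPLOAD_PATH.'/'.$file_name;
        // (the excerpt ends here)
    }
}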
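On upload, the file name is checked case-insensitively against a blacklist: the spaces and the . around the file name are removed, and every blacklisted string defined in the array is replaced with an empty string.
Because the replacement is made in a single pass, we can bypass it by double-writing the extension.
Upload the phpinfo.php file-->intercept the request-->change the file name-->phpinfo.pphphp-->filter-->result-->info.php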

The upload succeeds and the file can be accessed normally.


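The uploaded file name can also be changed to info.pphpphphphpp and so on; anything that gets past the check and ends up stored as a php file works.
This article is only a study note; corrections are welcome, and please be kind if it is not to your taste!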
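The filter behaviour described above, next to a hardened check, as an added example that is not part of the original post or of the lab's code. The helper names strip_blacklist and safe_stored_name, the shortened blacklist, the allowlist and the file name avatar.PNG are assumptions made for the illustration.

```php
<?php
// Added example. Helper names, the allowlist and the sample names are assumptions.

// The page's filter in isolation: trim, then ONE case-insensitive pass that
// deletes blacklisted substrings. The output is never re-checked.
function strip_blacklist(string $name, array $deny): string
{
    return str_ireplace($deny, "", trim($name));
}

// Hardened alternative: do not repair the client name at all. Accept only an
// allowlisted final extension and store the file under a server-generated name.
function safe_stored_name(string $name, array $allow): ?string
{
    $ext = strtolower(pathinfo(trim($name), PATHINFO_EXTENSION));
    if (!in_array($ext, $allow, true)) {
        return null; // reject instead of rewriting
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Shortened copy of the page's blacklist (constructed for the example).
$deny  = array("php", "php5", "phtml", "pht", "htaccess");
$allow = array("jpg", "jpeg", "png", "gif");

// File names taken from the page, plus one benign constructed name.
$samples = array("phpinfo.php", "phpinfo.pphphp", "info.pphpphphphpp", "avatar.PNG");

foreach ($samples as $name) {
    $filtered = strip_blacklist($name, $deny);
    // What the blacklist filter would store, and whether that is still a PHP file.
    $stillPhp = strtolower(pathinfo($filtered, PATHINFO_EXTENSION)) === 'php';
    $stored   = safe_stored_name($name, $allow);
    printf(
        "%-20s blacklist -> %-10s (%s)   allowlist -> %s\n",
        $name,
        $filtered === '' ? '(empty)' : $filtered,
        $stillPhp ? 'still .php' : 'no .php',
        $stored === null ? 'rejected' : $stored
    );
}
```

Deleting substrings can assemble a new blacklisted string out of the characters left on either side of the deleted one, which is why the hardened version rejects the name and never edits it.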
