Pass-10
1. According to the challenge description, this Pass removes .php|.php5|.php4 and most other common strings from the file name.
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            // Blacklist of extensions to strip from the uploaded file name
            $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

            $file_name = trim($_FILES['upload_file']['name']);
            // Single-pass, case-insensitive removal of every blacklisted string
            $file_name = str_ireplace($deny_ext,"", $file_name);
            $temp_file = $_FILES['upload_file']['tmp_name'];
            // The filtered client-supplied name is used directly as the stored file name
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
        }
    }
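Based on the code “ ”, this challenge is a double-write bypass: the offending extension is replaced with an empty string, so the filter can be bypassed as long as the file extension left after filtering is not empty.
2. Upload the file and modify the file extension with Burp Suite (BP).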

3. Use AntSword to connect to the backend and verify; the upload succeeded.

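Summary: in challenges like this one, any extension in the uploaded file name that matches an entry in the blacklist is replaced with an empty string. Changing the extension to .pphphp therefore leaves a one-liner webshell .php file after the replacement, and the filter is bypassed.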
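
Added example (not part of the original post or of upload-labs): the single-pass `str_ireplace` filter from this Pass next to a hardened check that rejects instead of rewriting. The function names, the shortened blacklist, the allowlist and the sample file names are assumptions constructed for illustration.

```php
<?php
// Assumed allowlist for an image-upload feature (not from the page).
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// The Pass-10 filter reduced to its one relevant call (blacklist shortened).
// str_ireplace() makes a single pass per entry, so its output is never
// re-checked: removing one match can splice a new blacklisted string together.
function blacklist_strip(string $name): string
{
    $deny_ext = ['php', 'php5', 'php4', 'phtml', 'htaccess'];
    return str_ireplace($deny_ext, '', $name);
}

// Hardened form: validate the final extension against an allowlist,
// reject on mismatch, and never reuse the client-supplied name on disk.
function safe_upload_name(string $clientName): ?string
{
    $base = basename(trim($clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null; // reject; do not try to "clean" the name
    }
    // Server-generated name: nothing from the client survives except
    // an extension that is known to be on the allowlist.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names: the one from the summary, a normal image,
// and a double-extension name.
foreach (['shell.pphphp', 'photo.PNG', 'notes.php.jpg'] as $name) {
    $stored = safe_upload_name($name);
    printf(
        "%-14s blacklist -> %-12s allowlist -> %s\n",
        $name,
        blacklist_strip($name),
        $stored === null ? 'rejected' : $stored
    );
}
```

Serving the upload directory with script execution disabled is a separate control that still applies when the name check is correct.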
