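upload-labs Lab - Pass-06 - Approach and Walkthrough
A little preparation before starting
The upload-labs lab runs in a PHP environment, so I prepared a PHP script and an image. The image is easy to prepare; if you don't want to write the PHP script yourself, you can use this one of mine, which prints the current time.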
<?php
header("content-type:text/html;charset=utf-8");
date_default_timezone_set("PRC"); // set the time zone
echo "当前时间为:";
$today = date("Y-m-d D h:i:s A ");
echo $today;
?>
The images are not clear at their default size; enlarge them to view!!!
Pass-06
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
            ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
            ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",
            ".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name); // remove trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
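From the hint and the code, we can see that the file extension is now converted to lowercase, so that method no longer works.
Walkthrough
Looking closely at the code, you can see that it does not strip spaces from the extension. I think this pass is testing a space in the extension. I split this into two cases:
1: You can add a space directly after the extension
2: You cannot add a space directly after the extension
When you can add a space directly after the extension
I use Kali Linux, so I can add a space directly after the extension.
When you cannot add a space directly after the extension
On Windows you generally cannot add a space directly after the extension, because the system removes the space. In that case you can use the BurpSuite tool to change it.
Pass complete!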
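The gap described above, as an added example that is not part of the original post or of upload-labs: the Pass-06 normalisation steps next to a hardened check that trims whitespace and uses an allow list instead of a deny list. The function names, the shortened deny list, the constructed sample file names and the use of rtrim() in place of the deldot() helper are assumptions made for the illustration.

```php
<?php
// Added example: the Pass-06 extension check beside a hardened version.
// Hypothetical names: pass06_allows(), safe_extension(), $samples.

// Shortened copy of the page's deny list (enough for the demonstration).
$deny_ext = array(".php", ".php5", ".phtml", ".pht", ".html", ".htm", ".htaccess");

// Same normalisation steps as the Pass-06 code. rtrim($name, '.') stands in
// for upload-labs' deldot() helper, whose body is not shown on the page.
function pass06_allows(string $name, array $deny_ext): bool {
    $name = rtrim($name, '.');
    $ext  = (string) strrchr($name, '.');
    $ext  = strtolower($ext);
    $ext  = str_ireplace('::$DATA', '', $ext);
    // Exact string comparison: an extension with trailing whitespace is a
    // different string from every entry in the deny list.
    return !in_array($ext, $deny_ext);
}

// Hardened check: strip the stream suffix, then all trailing whitespace and
// dots, and accept only extensions on an allow list. The caller stores the
// file under the returned extension, never under the client-supplied one.
function safe_extension(string $name): ?string {
    $name  = str_ireplace('::$DATA', '', $name);
    $name  = rtrim($name, " .\t\n\r\0\x0B");
    $ext   = strtolower((string) pathinfo($name, PATHINFO_EXTENSION));
    $allow = array('jpg', 'jpeg', 'png', 'gif');
    return in_array($ext, $allow, true) ? $ext : null;
}

// Constructed sample names; json_encode() makes trailing spaces visible.
$samples = array("time.php", "time.php ", "time.PHP", "photo.JPG", "photo.png. ");
foreach ($samples as $name) {
    printf("%-14s pass06=%-7s hardened=%s\n",
        json_encode($name),
        pass06_allows($name, $deny_ext) ? 'accept' : 'reject',
        safe_extension($name) ?? 'reject');
}
```

The Pass-06 code also builds the stored file name from the unnormalised extension, so the hardened version returns the cleaned extension for the caller to use when writing the file.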