BUUCTF Upload-Labs Writeup: Pass-01 to Pass-10
2022-07-28 21:06:00 【Goodric】
——
pass-01
Front-end validation of the file suffix only.
Upload 1.png, intercept the request and rename the file to 1.php; that is all it takes.
AntSword connection: http://your-ip/upload/1.php
——
pass-02
Validates Content-Type.
Intercept the request and set: Content-Type: image/jpeg
Same as pass-01: upload 1.png, intercept, and rename it to 1.php.
——
pass-03
Filtering: convert to lowercase, strip the trailing dot from the filename, trim whitespace.
Blacklist: uploading files with the .asp, .aspx, .php, .jsp suffixes is not allowed!
Files with the php3, php4, pht, phtml and similar suffixes can be uploaded successfully.
The uploaded filename is changed to a timestamp.
Exploit: /upload/202207250818552340.php3, connect with AntSword.
Condition:
Apache's httpd.conf must contain the following configuration: AddType application/x-httpd-php .php .phtml .phps .php5 .pht. If it is not configured, php5 code is not parsed and visiting the file shows a blank page.
——
pass-04
Filtering: convert to lowercase, strip the trailing dot from the filename, trim whitespace, remove the string ::$DATA (on Windows, ::$DATA is automatically stripped from files uploaded to the server).
The php4, pht, phtml and similar suffixes from the previous level cannot be used here.
Using an .htaccess file we can achieve: 301 redirects, custom 404 error pages, changing file extensions, allowing/blocking access for specific users or directories, disabling directory listings, configuring default documents, and so on.
Set all files in the current directory to be parsed as PHP, so whatever file is uploaded, as long as its contents follow PHP syntax, it will be executed as PHP. If not, an error is reported.
Two files need to be uploaded.
One is the .htaccess file:
Content:
<FilesMatch "name of the uploaded image webshell">
SetHandler application/x-httpd-php
</FilesMatch>

The other is the image webshell 1.jpg, which is just the webshell from the previous levels with its suffix changed to .jpg.
Exploit: /upload/2.jpg
——
pass-05
Filtering: strip the trailing dot from the filename, remove the string ::$DATA, trim leading and trailing whitespace; the .htaccess suffix is also filtered.
The uploaded filename is changed to a timestamp.
There is no step that lowercases the filename, so case can be used to bypass the filter: .Php
Exploit: /upload/202207251044098514.Php
Some say the suffix-construction trick from the fourth level can be used, but it does not seem to work here; for example, uploading 5.php. .
results in the filename xxx. (no suffix).
——
pass-06
Filtering: strip the trailing dot from the filename, convert to lowercase, remove the string ::$DATA.
Compared with the previous source code, leading and trailing whitespace is not trimmed.
So a space can be appended after the php suffix: "1.php "
Although it uploads successfully, it does not seem usable: when accessed, it is not parsed as PHP.
——
pass-07
Filtering: convert to lowercase, remove the string ::$DATA, trim leading and trailing whitespace.
Compared with the earlier levels, the trailing dot of the filename is not removed.
Upload 7.php.
Exploit: /upload/7.php.
——
pass-08
Filtering: strip the trailing dot from the filename, convert to lowercase, trim leading and trailing whitespace.
Compared with the earlier levels, the string ::$DATA is not removed.
Upload 8.php::$DATA
The target here is Linux, so this does not work.
——
pass-09
Filtering: strip the trailing dot from the filename, convert to lowercase, remove the string ::$DATA, trim leading and trailing whitespace.
Upload php. .
But the returned filename has a problem.
Apache/2.4.38 (Debian) Server
Apache parsing vulnerability
Upload .php.jpg
Exploit: /upload/2.php.jpg
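Pass-03, pass-04 and pass-09 all depend on how Apache is configured rather than on the upload code: extra AddType suffixes, .htaccess being honoured in the upload directory, and the multi-extension handling behind 2.php.jpg. The following is an added example of the weak server configuration beside a hardened one for the upload directory; it is not part of the writeup or of upload-labs, and it assumes mod_php and the path /var/www/html/upload.

```apache
# Weak: PHP handlers for many suffixes, and .htaccess honoured everywhere.
# This is the setup the pass-03 (.php3), pass-04 (.htaccess SetHandler) and
# pass-09 (.php.jpg) steps rely on.
AddType application/x-httpd-php .php .phtml .phps .php5 .pht
<Directory "/var/www/html">
    AllowOverride All
</Directory>

# Hardened upload directory (assumed path; mod_php directives).
<Directory "/var/www/html/upload">
    # No .htaccess processing here, so an uploaded .htaccess with
    # "SetHandler application/x-httpd-php" (pass-04) has no effect.
    AllowOverride None
    # Nothing in this directory is ever handed to the PHP engine, whatever
    # its name: timestamp.php3, 7.php., 2.php.jpg are served as bytes, not run.
    php_admin_flag engine off
    SetHandler None
    RemoveHandler .php .phtml .phps .php5 .pht .php3 .php4
    RemoveType    .php .phtml .phps .php5 .pht .php3 .php4
    # Refuse requests for anything that looks like a script anywhere in the
    # name; deliberately unanchored so 2.php.jpg and 7.php. are caught too.
    <FilesMatch "\.(php[0-9]?|phtml|phps|pht)">
        Require all denied
    </FilesMatch>
    Options -Indexes -ExecCGI
</Directory>
```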
——
pass-10
$file_name = str_ireplace($deny_ext, "", $file_name); // from the level's source: each blacklisted suffix is replaced once, not recursively
This function replaces every matched string with an empty string.
Double-writing bypass.
Upload .pphphp
Exploit: /upload/10.php
——
All of these levels are blacklist bypasses, and the check is only performed once, so every one of them could be solved with the same trick, .php. . That works, but it goes against the intent of whoever built the range: the range becomes meaningless and cannot serve its real purpose.
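The common root cause in pass-01 through pass-10 is a suffix blacklist applied after a single pass of normalisation. As an added example (not code from the writeup or from upload-labs), the check below does the opposite: the whole client-supplied name must match one strict allowlist pattern with no repair step, the body is checked against image magic bytes instead of the Content-Type header, and the stored name is chosen by the server. The allowed types, name pattern and size limits are assumptions for illustration.

```python
import re
import secrets
from typing import Optional

# Added example, not code from upload-labs: an allowlist check for uploaded
# file names. Every level in this writeup is beaten because the server
# blacklists suffixes and normalises the name once; here the whole name must
# match one strict pattern, so case tricks, trailing dots or spaces, ::$DATA,
# double extensions, double writing and .htaccess never match to begin with.

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Whole-name rule: one base name, exactly one dot, a short lowercase suffix.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([a-z0-9]{1,5})$")
# Leading bytes of the allowed image formats (from the format specs).
_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def allowed_extension(filename: str) -> Optional[str]:
    """Return the suffix if the *entire* client-supplied name is acceptable.
    Nothing is stripped or lowercased first: a name that does not match
    outright is rejected rather than repaired."""
    m = _NAME_RE.fullmatch(filename)
    if m is None:
        return None
    ext = m.group(1)
    return ext if ext in ALLOWED_EXT else None


def content_matches(ext: str, data: bytes) -> bool:
    """Check the body against the claimed type. The Content-Type header
    (pass-02) is attacker-controlled and is deliberately not consulted."""
    return any(data.startswith(sig) for sig in _MAGIC[ext])


def stored_name(filename: str, data: bytes) -> Optional[str]:
    """Server-chosen storage name: random token plus the allowed suffix.
    The client name never reaches the filesystem, so a timestamp cannot be
    guessed and a chosen name such as .htaccess cannot be planted."""
    ext = allowed_extension(filename)
    if ext is None or not content_matches(ext, data):
        return None
    return f"{secrets.token_hex(16)}.{ext}"
```

Pair this with the upload directory being served without any PHP handler; the name check alone does not help if the web server still executes whatever lands there.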