[Try to Hack] upload-labs (written up to Pass-12 for now)
2022-06-29 16:03:00 【Hua Weiyun】
Started: 12 June 2022
The author's level is very limited. If you find an error, please let me know, thanks!

Pass-01 JS Detection bypass
Upload pages often contain JavaScript code dedicated to checking the file being uploaded; the most common check is whether the extension is allowed.

```js
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("Please select the file to upload!");
        return false;
    }
    // Define the types of files allowed to be uploaded
    var allow_ext = ".jpg|.png|.gif";
    // Extract the type of the uploaded file
    var ext_name = file.substring(file.lastIndexOf("."));
    // Determine whether the type of the uploaded file is allowed
    if (allow_ext.indexOf(ext_name + "|") == -1) {
        var errMsg = "This file is not allowed. Please upload a file of type " + allow_ext + ". The current file type is: " + ext_name;
        alert(errMsg);
        return false;
    }
}
```

How to recognise this kind of check: select a file of a type that is not allowed and click the OK button. If the browser immediately pops up a message refusing the upload, it can generally be concluded that the check is client-side JavaScript.
Bypass methods:
1. Disable front-end JS:
Google Chrome -> Settings -> Security and privacy -> Site settings -> JavaScript
2. Change the type of the malicious code file to be uploaded to a type that is allowed. For example, rename shell.php to shell.jpg and upload it, configure the Burp Suite proxy to capture the request, then rewrite the file name to shell.php.
3. Upload shell.jpg.php; the front-end code may check the suffix starting from the front of the name.
Pass-02 MIME Verify bypass (Content-Type)
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        // 'type' is the Content-Type value sent by the client
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = 'Incorrect file type, please upload again!';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it by hand!';
    }
}
```

There is no suffix check; upload shell.php.

Pass-03 Filtering is not strict
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // Delete the dot at the end of the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // Convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
        $file_ext = trim($file_ext); // Trim leading and trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = 'Uploading .asp, .aspx, .php, .jsp files is not allowed!';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it by hand!';
    }
}
```

Some commonly used executable script suffixes:
・ php, php2, php3, php5, phtml
・ asp, cer, asa, cdx
・ aspx, ascx, ashx
・ jsp, jspx
・ py
Whether such a file is parsed as a script depends on the types set in the server configuration file.
For this lab, Apache's httpd.conf file needs to be modified.
Search for AddType and add the following line:

```apache
AddType application/x-httpd-php .php .phtml .phps .php5 .pht
```

Rename shell.php to shell.php3 and upload it.
Pass-04 .htaccess Bypass
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",
            ".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",
            ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
            ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
            ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
            ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // Delete the dot at the end of the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // Convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
        $file_ext = trim($file_ext); // Trim leading and trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = 'This file is not allowed to be uploaded!';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it by hand!';
    }
}
```

.htaccess files (or "distributed configuration files") provide a way to change configuration on a per-directory basis: a file containing one or more directives is placed in a particular document directory, and the directives apply to that directory and all its subdirectories. Directives in the .htaccess file of a given directory may therefore override directives in the .htaccess file of its parent directory; that is, directives in a subdirectory override those in the parent directory or in the main configuration file.
Let's create a .htaccess file with the following contents and upload it:

```apache
<FilesMatch "shell.png">
SetHandler application/x-httpd-php
</FilesMatch>
```

This means that if the directory contains a file named shell.png, it will be interpreted as PHP.
Rename shell.php to shell.png and upload it directly.
Pass-05 Case bypass

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",
            ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
            ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
            ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
            ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
            ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // Delete the dot at the end of the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
        $file_ext = trim($file_ext); // Trim leading and trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = 'This file is not allowed to be uploaded';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it by hand!';
    }
}
```

Rename shell.php to shell.PHP and upload it directly.
Pass-06 Space bypass
On Windows and similar systems, when a file is named with a space after its suffix, the space is automatically removed by default.

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",
            ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
            ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
            ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
            ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
            ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // Delete the dot at the end of the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // Convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = 'This file is not allowed to be uploaded';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it by hand!';
    }
}
```

Change shell.php to shell.php followed by a space, that is, add a trailing space.
The file cannot be renamed this way directly; the name needs to be modified in the upload request.
Pass-07 Dot bypass
The principle is the same as for the space bypass: by default, Windows removes a trailing dot (.) and trailing spaces from the file suffix.

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",
            ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
            ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
            ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
            ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
            ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // Convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
        $file_ext = trim($file_ext); // Trim leading and trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = 'This file is not allowed to be uploaded';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it by hand!';
    }
}
```

Again, the dot cannot be added by renaming the file directly; the request has to be captured.
Pass-08 ::$DATA bypass
::$DATA is a data stream. The default data stream has no name. The FindFirstStreamW and FindNextStreamW functions can be used to enumerate data streams.
A file on an NTFS volume contains at least one stream, the data stream (its stream type is $DATA). The data stream is the file's main stream, and the stream name of the default data stream is empty. If a stream is specified for a file without a stream type, $DATA is added automatically when it is stored. For example, myfile.txt:stream1:$DATA is actually stored as myfile.txt:stream1, but in the query results :$DATA needs to be removed, otherwise a parameter error occurs; this is because notepad does not support streams well.

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",
            ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
            ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
            ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
            ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
            ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // Delete the dot at the end of the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // Convert to lowercase
        $file_ext = trim($file_ext); // Trim leading and trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = 'This file is not allowed to be uploaded';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it by hand!';
    }
}
```

Using this Windows NTFS feature, capture the request with Burp Suite and change the suffix to php::$DATA.
Pass-09 Dot-and-space bypass

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",
            ".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",
            ".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",
            ".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",
            ".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",
            ".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // Delete the dot at the end of the filename
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // Convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
        $file_ext = trim($file_ext); // Trim leading and trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = 'This file is not allowed to be uploaded';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it by hand!';
    }
}
```

The code first deletes the dot after the suffix, then deletes the space.
Change shell.php to "shell.php. ." (dot, space, dot).

```php
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // Delete the dot at the end of the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
$file_ext = trim($file_ext); // Trim leading and trailing whitespace
```

After this processing it becomes "shell.php.", so the check is bypassed successfully.
Windows also automatically removes the dot.
Capture the request to make the change.
Pass-10 Double-write bypass

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml",
            "jsp","jspa","jspx","jsw","jsv","jspf","jtml",
            "asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = trim($_FILES['upload_file']['name']);
        // Each denied string is removed from the name once; the result is not re-checked
        $file_name = str_ireplace($deny_ext, "", $file_name);
        if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
            $img_path = $UPLOAD_ADDR . '/' . $file_name;
            $is_upload = true;
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it by hand!';
    }
}
```

Rename shell.php to shell.pphphp and upload it directly.
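The defender's counterpart to the denylist checks in Pass-03 through Pass-10, as an added example that is not part of the lab's code: the extension is compared exactly against an allowlist and the stored name is generated on the server. `ALLOWED_EXT` and `stored_name_for()` are hypothetical names, and the sample file names are constructed from the ones used in the passes above.

```php
<?php
declare(strict_types=1);

// Added example, not upload-labs code. ALLOWED_EXT and stored_name_for()
// are hypothetical names; the sample file names below are constructed.

// Accepted extension => extension used for the stored file.
const ALLOWED_EXT = ['jpg' => 'jpg', 'jpeg' => 'jpg', 'png' => 'png', 'gif' => 'gif'];

/**
 * Returns the name to store the upload under, or null to reject it.
 * The client-supplied name is only inspected, never used on disk.
 */
function stored_name_for(string $clientName): ?string
{
    $dot = strrpos($clientName, '.');
    if ($dot === false) {
        return null;
    }
    // Everything after the last dot, compared exactly after lowercasing.
    // Nothing is trimmed or stripped, so "php ", "php::$DATA" and "" (from a
    // trailing dot) are simply strings that are not on the allowlist.
    $ext = strtolower(substr($clientName, $dot + 1));
    if (!array_key_exists($ext, ALLOWED_EXT)) {
        return null;
    }
    // Server-generated name: no client bytes reach the file system, so
    // double extensions, NUL bytes and Windows naming quirks have no effect.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_EXT[$ext];
}

// Constructed sample names, one per pass discussed above plus two valid ones.
$samples = [
    'photo.jpg', 'photo.JPEG',
    'shell.php', 'shell.php3', 'shell.PHP',
    'shell.php ', 'shell.php.', 'shell.php. .',
    'shell.php::$DATA', 'shell.pphphp', 'shell.jpg.php',
    '.htaccess', "shell.php\0.png",
];

foreach ($samples as $name) {
    $stored = stored_name_for($name);
    printf("%-24s %s\n", json_encode($name), $stored === null ? 'rejected' : "stored as $stored");
}
```

In a real handler the returned name is what gets passed to `move_uploaded_file()`, with the upload directory fixed on the server.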
Pass-11 %00 bypass
Reading the source code shows that the saved name of the file is changed (to a random number). The purpose is to keep us from knowing the file name, so that the file cannot be accessed.

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'], strrpos($_FILES['upload_file']['name'], ".") + 1);
    if (in_array($file_ext, $ext_arr)) {
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // The directory part of the destination comes from the query string
        $img_path = $_GET['save_path'] . "/" . rand(10, 99) . date("YmdHis") . "." . $file_ext;

        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = 'Upload failed!';
        }
    } else {
        $msg = "Only .jpg|.png|.gif files may be uploaded!";
    }
}
```

Upload shell.php and capture the request.
The file save path is visible in it.
Rename shell.php to shell.png to get past the suffix check, then change the file save path to ../upload/shell.php%00
The %00 truncates the random number that follows.
The path becomes shell.php%00/878179172.png
(878179172 is a random number)
Warning: this is not a legal path.
The upload failed,
but the general idea is like this.
Pass-12 00 bypass
The code is the same as in the previous pass.

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'], strrpos($_FILES['upload_file']['name'], ".") + 1);
    if (in_array($file_ext, $ext_arr)) {
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // The directory part of the destination comes from the POST body
        $img_path = $_POST['save_path'] . "/" . rand(10, 99) . date("YmdHis") . "." . $file_ext;

        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = "Upload failed";
        }
    } else {
        $msg = "Only .jpg|.png|.gif files may be uploaded!";
    }
}
```

Rename shell.php to shell.png, then capture the request and upload.
I found that this time save_path is no longer in the URL (a GET parameter) but in the POST parameters.
In POST parameters %00 is treated as a literal string, so it cannot simply be added (but 00 truncation still works).
Bypass method:
First change save_path to ../upload/shell.php+
The plus sign is a placeholder used to locate the position.
Switch to the Hex view and find it.
The plus sign is 2b.
Change it to 00 and the path is truncated.
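Pass-11 and Pass-12 both depend on save_path arriving from the client. The following added example (not the lab's code) builds the destination entirely on the server: the request may only name a key from a fixed map, and the resolved directory is checked to lie inside the upload root. `ALBUMS`, `destination_for()` and the directory layout are assumptions, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not upload-labs code. ALBUMS, destination_for() and the
// directory layout are hypothetical; the sample inputs are constructed.

// Client-visible key => directory name below the upload root.
const ALBUMS = ['avatars' => 'avatars', 'gallery' => 'gallery'];

function destination_for(string $uploadRoot, string $albumKey, string $storedName): ?string
{
    // The request carries a key, not a path. A value such as
    // "../upload/shell.php" (with or without a 00 byte) is not a key.
    if (!array_key_exists($albumKey, ALBUMS)) {
        return null;
    }
    // Only names of the shape the server itself generates are accepted.
    if (preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/D', $storedName) !== 1) {
        return null;
    }
    $root = realpath($uploadRoot);
    $dir = $root === false
        ? false
        : realpath($root . DIRECTORY_SEPARATOR . ALBUMS[$albumKey]);
    // Containment check: the resolved directory must exist and sit below
    // the root (this also catches a symlink that points elsewhere).
    if ($dir === false || strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $storedName;
}

// Constructed demo: a throw-away upload root with one album directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'gallery', 0700, true);
$stored = str_repeat('ab', 16) . '.png'; // stands in for a server-generated name

$requests = [
    'gallery',                  // known key, directory exists
    'avatars',                  // known key, directory missing in this demo
    '../upload/shell.php',      // path instead of key
    "../upload/shell.php\0",    // same with a 00 byte appended
    'gallery/../..',            // traversal attempt
];
foreach ($requests as $key) {
    $dest = destination_for($root, $key, $stored);
    printf("%-28s %s\n", json_encode($key), $dest ?? 'rejected');
}

// Clean up the demo directories.
rmdir($root . DIRECTORY_SEPARATOR . 'gallery');
rmdir($root);
```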
Pass-13 Header bypass
```php
function getReailFileType($filename){
    $file = fopen($filename, "rb");
    $bin = fread($file, 2); // Read only the first 2 bytes
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);
    $typeCode = intval($strInfo['chars1'] . $strInfo['chars2']);
    $fileType = '';
    switch ($typeCode) {
        case 255216:
            $fileType = 'jpg';
            break;
        case 13780:
            $fileType = 'png';
            break;
        case 7173:
            $fileType = 'gif';
            break;
        default:
            $fileType = 'unknown';
    }
    return $fileType;
}

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_type = getReailFileType($temp_file);

    if ($file_type == 'unknown') {
        $msg = "Unknown file, upload failed!";
    } else {
        $img_path = $UPLOAD_ADDR . "/" . rand(10, 99) . date("YmdHis") . "." . $file_type;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = "Upload failed";
        }
    }
}
```

Pass-14 Bypass
```php
function isImage($filename){
    $types = '.jpeg|.png|.gif';
    if (file_exists($filename)) {
        $info = getimagesize($filename);
        $ext = image_type_to_extension($info[2]);
        if (stripos($types, $ext)) {
            return $ext;
        } else {
            return false;
        }
    } else {
        return false;
    }
}

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if (!$res) {
        $msg = "Unknown file, upload failed!";
    } else {
        $img_path = $UPLOAD_ADDR . "/" . rand(10, 99) . date("YmdHis") . $res;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = "Upload failed";
        }
    }
}
```

getimagesize() measures the size of image types such as jpg and gif and returns the dimensions; the function is also used to determine the image type.
Pass-15 Bypass
```php
function isImage($filename){
    // Requires the php_exif module to be enabled
    $image_type = exif_imagetype($filename);
    switch ($image_type) {
        case IMAGETYPE_GIF:
            return "gif";
            break;
        case IMAGETYPE_JPEG:
            return "jpg";
            break;
        case IMAGETYPE_PNG:
            return "png";
            break;
        default:
            return false;
            break;
    }
}

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $res = isImage($temp_file);
    if (!$res) {
        $msg = "Unknown file, upload failed!";
    } else {
        $img_path = $UPLOAD_ADDR . "/" . rand(10, 99) . date("YmdHis") . "." . $res;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = "Upload failed";
        }
    }
}
```

The exif_imagetype() function gets the image type.
Pass-16 Bypass
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    // Get the basic information of the uploaded file: file name, type, size, temporary file path
    $filename = $_FILES['upload_file']['name'];
    $filetype = $_FILES['upload_file']['type'];
    $tmpname = $_FILES['upload_file']['tmp_name'];

    $target_path = $UPLOAD_ADDR . basename($filename);

    // Get the extension of the uploaded file
    $fileext = substr(strrchr($filename, "."), 1);

    // Check the file suffix and type; upload only when both are valid
    if (($fileext == "jpg") && ($filetype == "image/jpeg")) {
        if (move_uploaded_file($tmpname, $target_path)) {
            // Use the uploaded image to generate a new image
            $im = imagecreatefromjpeg($target_path);
            if ($im == false) {
                $msg = "The file is not a jpg image!";
            } else {
                // Assign a file name to the new image
                srand(time());
                $newfilename = strval(rand()) . ".jpg";
                $newimagepath = $UPLOAD_ADDR . $newfilename;
                imagejpeg($im, $newimagepath);
                // Show the re-rendered image (the new image generated from the user's upload)
                $img_path = $UPLOAD_ADDR . $newfilename;
                unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "Upload failed!";
        }
    } else if (($fileext == "png") && ($filetype == "image/png")) {
        if (move_uploaded_file($tmpname, $target_path)) {
            // Use the uploaded image to generate a new image
            $im = imagecreatefrompng($target_path);
            if ($im == false) {
                $msg = "The file is not a png image!";
            } else {
                // Assign a file name to the new image
                srand(time());
                $newfilename = strval(rand()) . ".png";
                $newimagepath = $UPLOAD_ADDR . $newfilename;
                imagepng($im, $newimagepath);
                // Show the re-rendered image (the new image generated from the user's upload)
                $img_path = $UPLOAD_ADDR . $newfilename;
                unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "Upload failed!";
        }
    } else if (($fileext == "gif") && ($filetype == "image/gif")) {
        if (move_uploaded_file($tmpname, $target_path)) {
            // Use the uploaded image to generate a new image
            $im = imagecreatefromgif($target_path);
            if ($im == false) {
                $msg = "The file is not a gif image!";
            } else {
                // Assign a file name to the new image
                srand(time());
                $newfilename = strval(rand()) . ".gif";
                $newimagepath = $UPLOAD_ADDR . $newfilename;
                imagegif($im, $newimagepath);
                // Show the re-rendered image (the new image generated from the user's upload)
                $img_path = $UPLOAD_ADDR . $newfilename;
                unlink($target_path);
                $is_upload = true;
            }
        } else {
            $msg = "Upload failed!";
        }
    } else {
        $msg = "Only image files with the suffix .jpg|.png|.gif may be uploaded!";
    }
}
```

Pass-17 Bypass
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    $ext_arr = array('jpg','png','gif');
    $file_name = $_FILES['upload_file']['name'];
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_ext = substr($file_name, strrpos($file_name, ".") + 1);
    $upload_file = $UPLOAD_ADDR . '/' . $file_name;

    if (move_uploaded_file($temp_file, $upload_file)) {
        if (in_array($file_ext, $ext_arr)) {
            $img_path = $UPLOAD_ADDR . '/' . rand(10, 99) . date("YmdHis") . "." . $file_ext;
            rename($upload_file, $img_path);
            unlink($upload_file);
            $is_upload = true;
        } else {
            $msg = "Only .jpg|.png|.gif files may be uploaded!";
            unlink($upload_file);
        }
    } else {
        $msg = 'Upload failed!';
    }
}
```

Pass-18 Bypass
Pass-19 Bypass
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht",
            "jsp","jspa","jspx","jsw","jsv","jspf","jtml",
            "asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name, PATHINFO_EXTENSION);

        if (!in_array($file_ext, $deny_ext)) {
            $img_path = $UPLOAD_ADDR . '/' . $file_name;
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload failed!';
            }
        } else {
            $msg = 'Saving as this file type is not allowed!';
        }
    } else {
        $msg = $UPLOAD_ADDR . ' folder does not exist, please create it by hand!';
    }
}
```