当前位置:网站首页>[try to hack] upload labs (temporarily write to 12)
[try to hack] upload labs (temporarily write to 12)
2022-06-13 04:37:00 【Happy star】
Blog home page : Happy star The blog home page of
Series column :Try to Hack
Welcome to focus on the likes collection ️ Leaving a message.
Starting time :2022 year 6 month 12 Japan
The author's level is very limited , If an error is found , Please let me know , thank !
Navigation assistant
- Pass-01 JS Detection bypass
- Pass-02 MIME Verify bypass (Content-Type)
- Pass-03 Filtering is not strict
- Pass-04 .htaccess Bypass
- Pass-05 Case around
- Pass-06 Space around
- Pass-07 Point around
- Pass-08 ::$DATA Bypass
- Pass-09 Dot and space to bypass
- Pass-10 Double writing bypasses
- Pass-11 %00 Bypass
- Pass-12 00 Bypass
- Pass-13 Header bypass
- Pass-14 Bypass
- Pass-15 Bypass
- Pass-16 Bypass
- Pass-17 Bypass
- Pass-18 Bypass
- Pass-19 Bypass
Pass-01 JS Detection bypass
Usually, the upload page contains special detection files to upload JavaScript Code , The most common is to check whether the extension is legal
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert(" Please select the file to upload !");
return false;
}
// Define the types of files allowed to be uploaded
var allow_ext = ".jpg|.png|.gif";
// Extract the type of uploaded file
var ext_name = file.substring(file.lastIndexOf("."));
// Determine whether the type of uploaded file is allowed to be uploaded
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = " The file is not allowed to upload , Please upload " + allow_ext + " Files of type , The current file type is :" + ext_name;
alert(errMsg);
return false;
}
}
Determine the method of this kind of detection : Select a file upload type that prohibits uploading , Click the OK button , The browser immediately pop-up prompt forbids uploading , Generally, it can be concluded that it is a client JavaScript testing
Bypass method :
1、 Disable front end js
Google browser -> Set up -> Security and privacy settings -> Website setup ->javascript
2、 Change the type of malicious code file that needs to be uploaded to the type that allows uploading , For example, will shell.php Change it to shell.jpg Upload , To configure Burp Suite The agent captures packets , Then the file name is overwritten shell.php
3、 Upload shell.jpg.php, Maybe when the front-end program checks the suffix , Check from the front .
Pass-02 MIME Verify bypass (Content-Type)
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = ' Incorrect file type , Please upload again !';
}
} else {
$msg = $UPLOAD_ADDR.' Folder does not exist , Please create... By hand !';
}
}
No suffix detection , Upload shell.php
Pass-03 Filtering is not strict
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);// Delete the point at the end of the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);// Remove strings ::$DATA
$file_ext = trim($file_ext); // Close out and leave it empty
if(!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = ' Upload is not allowed .asp,.aspx,.php,.jsp Suffix file !';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
Some commonly used executable file script suffixes :
・ php , php2 , php3 , php5 , phtml
・ asp , cer , asa , cdx
・ aspx , ascx , ashx・ jsp , jspx
・py
Whether to resolve or not depends on the type set in the configuration file
Need modification Apache Of httpd.conf file 
Search for AddType
Add the following AddType application/x-httpd-php .php .phtml .phps .php5 .pht
take shell.php Change it to shell.php3 upload
Pass-04 .htaccess Bypass
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);// Delete the point at the end of the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);// Remove strings ::$DATA
$file_ext = trim($file_ext); // Close out and leave it empty
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = ' This file is not allowed to upload !';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
.htaccess file ( perhaps ” Distributed profile ”) Provides a way to change the configuration for the directory , namely , In a particular Place a file containing one or more instructions in the document directory , To apply to this directory and all its subdirectories . So a special Under the fixed directory .htaccess The instructions in the file may overwrite the instructions in its parent directory .htaccess Instruction in file , That is, the instructions in the subdirectory will overwrite the instructions in the parent directory or the main configuration file
Let's create a .htaccess file , The contents are as follows , Upload it
<FilesMatch "shell.png">
SetHandler application/x-httpd-php
</FilesMatch>
It means if there is one in the file shell.png The file of , He will be interpreted as .php
take shell.php Change it to shell.png, Upload directly
Pass-05 Case around
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);// Delete the point at the end of the filename
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);// Remove strings ::$DATA
$file_ext = trim($file_ext); // Head to tail
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = ' This file is not allowed to upload ';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
take shell.php Change it to shell.PHP Upload directly
Pass-06 Space around
windows Wait for the system , After the file is named by suffixes plus spaces, spaces are automatically deleted by default
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);// Delete the point at the end of the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);// Remove strings ::$DATA
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = ' This file is not allowed to upload ';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
take shell.php Change it to shell.php Space
Add a space
Cannot be modified directly , It needs to be modified 
Pass-07 Point around
The same principle as space bypass , The main reason is windows The system deletes the file suffix by default . And Spaces
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);// Remove strings ::$DATA
$file_ext = trim($file_ext); // Head to tail
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = ' This file is not allowed to upload ';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
Also add some directly , It can't be added , Need to grab bags 
Pass-08 ::$DATA Bypass
::$DATA Data flow , The default data stream has no name . have access to FindFirstStreamW and FindNextStreamW Function to enumerate data streams .
Yes NTFS For a file in the format , Contains at least one stream , namely data flow ( Its stream type by $DATA),data Stream is the mainstream of file , default data Liuqi stream name It's empty . The default is a file. If a stream is specified , And the stream does not stream type It will be automatically added during storage $DATA. For example, the example seen above myfile.txt:stream1:$DATA When stored, it is actually for myfile.txt:stream1, But in the query results, you need to remove :$DATA, Otherwise, parameter errors will occur , This is notepad Can't support the flow well .
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);// Delete the point at the end of the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = trim($file_ext); // Head to tail
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = ' This file is not allowed to upload ';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
utilize windows System NTFS features ,burpsuite Grab the bag , Change the suffix to php::$DATA
Pass-09 Dot and space to bypass
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);// Delete the point at the end of the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);// Remove strings ::$DATA
$file_ext = trim($file_ext); // Head to tail
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = ' This file is not allowed to upload ';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
It first deletes the dot after the suffix , Then delete the space .
take shell.php Change it to shell.php. Space .
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);// Delete the point at the end of the filename
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);// Remove strings ::$DATA
$file_ext = trim($file_ext); // Head to tail
It becomes shell.php.
So successfully bypass
also windows Feature automatically removes points
Grab the bag 
Pass-10 Double writing bypasses
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
$img_path = $UPLOAD_ADDR . '/' .$file_name;
$is_upload = true;
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
modify shell.php by shell.pphphp
Upload directly
Pass-11 %00 Bypass
Read the source code and find , Is to change the save name of the file ( Change to random number ), The purpose is to let us not know the file name , So you can't access
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = ' Upload failed !';
}
}
else{
$msg = " Only upload is allowed .jpg|.png|.gif Type file !";
}
}
Upload shell.php Try to grab a bag 
Found file save path
We will shell.php Change it to shell.png Bypass suffix judgment , Then change the file saving path to ../upload/shell.php%00
Use %00 You can truncate the following random numbers 
It will become shell.php%00/878179172.png
(878179172 Is a random number )
Warning : This is not a legal path
Upload failed 
But the general idea is like this
Pass-12 00 Bypass
The code is the same as the previous question
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = " Upload failed ";
}
}
else{
$msg = " Only upload is allowed .jpg|.png|.gif Type file !";
}
}
take shell.php Change it to shell.png, Grab and upload 
I found that this time save_path No longer url in (get The ginseng ) 了 , But in post Parameters in .
post Parameters in %00 Will be considered a string , So we can't just add ( But it still works 00 truncation )
Bypass method :
First the save_path Change it to ../upload/shell.php+
The plus sign is used for positioning and placeholder 
Switch to hex, find 
The plus sign is 2b
Change it to 00 It can be truncated
Pass-13 Header bypass
function getReailFileType($filename){
$file = fopen($filename, "rb");
$bin = fread($file, 2); // read-only 2 byte
fclose($file);
$strInfo = @unpack("C2chars", $bin);
$typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
$fileType = '';
switch($typeCode){
case 255216:
$fileType = 'jpg';
break;
case 13780:
$fileType = 'png';
break;
case 7173:
$fileType = 'gif';
break;
default:
$fileType = 'unknown';
}
return $fileType;
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_type = getReailFileType($temp_file);
if($file_type == 'unknown'){
$msg = " File unknown , Upload failed !";
}else{
$img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").".".$file_type;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = " Upload failed ";
}
}
Pass-14 Bypass
function isImage($filename){
$types = '.jpeg|.png|.gif';
if(file_exists($filename)){
$info = getimagesize($filename);
$ext = image_type_to_extension($info[2]);
if(stripos($types,$ext)){
return $ext;
}else{
return false;
}
}else{
return false;
}
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$res = isImage($temp_file);
if(!$res){
$msg = " File unknown , Upload failed !";
}else{
$img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").$res;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = " Upload failed ";
}
}
}
getimagesize() Can be jpg,gif Wait for the size of the picture type and return the size , This function is also used to determine the image type .
Pass-15 Bypass
function isImage($filename){
// Need to open php_exif modular
$image_type = exif_imagetype($filename);
switch ($image_type) {
case IMAGETYPE_GIF:
return "gif";
break;
case IMAGETYPE_JPEG:
return "jpg";
break;
case IMAGETYPE_PNG:
return "png";
break;
default:
return false;
break;
}
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$res = isImage($temp_file);
if(!$res){
$msg = " File unknown , Upload failed !";
}else{
$img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").".".$res;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = " Upload failed ";
}
}
}
exif_imagetype() Function to get the picture type
Pass-16 Bypass
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
// Get the basic information of the uploaded file , file name , type , size , Temporary file path
$filename = $_FILES['upload_file']['name'];
$filetype = $_FILES['upload_file']['type'];
$tmpname = $_FILES['upload_file']['tmp_name'];
$target_path=$UPLOAD_ADDR.basename($filename);
// Get the extension of the uploaded file
$fileext= substr(strrchr($filename,"."),1);
// Judge file suffix and type , Upload only when it is legal
if(($fileext == "jpg") && ($filetype=="image/jpeg")){
if(move_uploaded_file($tmpname,$target_path))
{
// Use the uploaded image to generate a new image
$im = imagecreatefromjpeg($target_path);
if($im == false){
$msg = " The file is not jpg Format picture !";
}else{
// Assign a file name to the new image
srand(time());
$newfilename = strval(rand()).".jpg";
$newimagepath = $UPLOAD_ADDR.$newfilename;
imagejpeg($im,$newimagepath);
// Show the second rendered image ( Use new images generated by users uploading images )
$img_path = $UPLOAD_ADDR.$newfilename;
unlink($target_path);
$is_upload = true;
}
}
else
{
$msg = " Upload failed !";
}
}else if(($fileext == "png") && ($filetype=="image/png")){
if(move_uploaded_file($tmpname,$target_path))
{
// Use the uploaded image to generate a new image
$im = imagecreatefrompng($target_path);
if($im == false){
$msg = " The file is not png Format picture !";
}else{
// Assign a file name to the new image
srand(time());
$newfilename = strval(rand()).".png";
$newimagepath = $UPLOAD_ADDR.$newfilename;
imagepng($im,$newimagepath);
// Show the second rendered image ( Use new images generated by users uploading images )
$img_path = $UPLOAD_ADDR.$newfilename;
unlink($target_path);
$is_upload = true;
}
}
else
{
$msg = " Upload failed !";
}
}else if(($fileext == "gif") && ($filetype=="image/gif")){
if(move_uploaded_file($tmpname,$target_path))
{
// Use the uploaded image to generate a new image
$im = imagecreatefromgif($target_path);
if($im == false){
$msg = " The file is not gif Format picture !";
}else{
// Assign a file name to the new image
srand(time());
$newfilename = strval(rand()).".gif";
$newimagepath = $UPLOAD_ADDR.$newfilename;
imagegif($im,$newimagepath);
// Show the second rendered image ( Use new images generated by users uploading images )
$img_path = $UPLOAD_ADDR.$newfilename;
unlink($target_path);
$is_upload = true;
}
}
else
{
$msg = " Upload failed !";
}
}else{
$msg = " Only upload suffixes are allowed .jpg|.png|.gif The picture file of !";
}
}
Pass-17 Bypass
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_name = $_FILES['upload_file']['name'];
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_ext = substr($file_name,strrpos($file_name,".")+1);
$upload_file = $UPLOAD_ADDR . '/' . $file_name;
if(move_uploaded_file($temp_file, $upload_file)){
if(in_array($file_ext,$ext_arr)){
$img_path = $UPLOAD_ADDR . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
rename($upload_file, $img_path);
unlink($upload_file);
$is_upload = true;
}else{
$msg = " Only upload is allowed .jpg|.png|.gif Type file !";
unlink($upload_file);
}
}else{
$msg = ' Upload failed !';
}
}
Pass-18 Bypass
Pass-19 Bypass
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = $_POST['save_name'];
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!in_array($file_ext,$deny_ext)) {
$img_path = $UPLOAD_ADDR . '/' .$file_name;
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $img_path)) {
$is_upload = true;
}else{
$msg = ' Upload failed !';
}
}else{
$msg = ' Do not save as this type of file !';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
边栏推荐
- Blockly learning ----2 Code generation, grid, scaling, events, storage
- php安全开发15用户密码修改模块
- A simple understanding of consistent hash
- PowerShell: because running scripts is prohibited on this system, the solution
- Crawler scrapy framework learning 1
- String full summary
- It's the Caesar code. (*‘▽‘*)*
- 力扣刷题647.回文子串
- Express scaffold creation
- Record a troubleshooting process - video call cannot be picked up
猜你喜欢
力扣刷题647.回文子串
Small program input element moving up
一款開源的Markdown轉富文本編輯器的實現原理剖析
![[automated test] what you need to know about unittest](/img/7c/b3c50dd9808e4b4a44ef4250604cd0.png)
[automated test] what you need to know about unittest
EMC rectification outline
Colab tutorial (super detailed version) and colab pro/pro+ evaluation
用navicat将mysql数据转化为postgresql
CTFSHOW SQL注入篇(211-230)
Day 007: go language string
Sword finger offer 56 - I. number of occurrences in the array
随机推荐
个人总结的MVP框架
php开发博客系统的首页头部功能实现
Third party comment plugin
Createanonymousthreadx passes parameters to anonymous threads
Use go to add massive data to MySQL
一致性哈希的简单认识
Cesium:CesiumLab制作影像切片与切片加载
The data obtained from mongodb query data command is null
PowerShell:因为在此系统上禁止运行脚本,解决方法
PowerDesigner easy to use
MySQL index
Reread the classic: end to end object detection with transformers
Consolidated figures
MySQL索引
php开发16退出模块
Redis data persistence
Li Kou brush question 338 Bit count
【剑指Offer】面试题24.反转链表
Ctfshow SQL injection (231-253)
Test question bank and online simulation test for special operation certificate of construction scaffolder (special type of construction work) in 2022