[Try to Hack] upload-labs (written up to Pass-12 for now)
2022-06-13 04:37:00 【Happy star】
Series column: Try to Hack
Start date: June 12, 2022
The author's level is very limited. If you find an error, please let me know. Thanks!
Contents
- Pass-01 JS check bypass
- Pass-02 MIME check bypass (Content-Type)
- Pass-03 Incomplete filtering
- Pass-04 .htaccess bypass
- Pass-05 Case bypass
- Pass-06 Trailing-space bypass
- Pass-07 Trailing-dot bypass
- Pass-08 ::$DATA bypass
- Pass-09 Dot-and-space bypass
- Pass-10 Double-write bypass
- Pass-11 %00 bypass
- Pass-12 00 bypass
- Pass-13 File header bypass
- Pass-14 Bypass
- Pass-15 Bypass
- Pass-16 Bypass
- Pass-17 Bypass
- Pass-18 Bypass
- Pass-19 Bypass
Pass-01 JS check bypass
Upload pages often include JavaScript that inspects the file before it is uploaded. The most common check is whether the extension is allowed.
function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert(" Please select the file to upload !");
return false;
}
// Define the types of files allowed to be uploaded
var allow_ext = ".jpg|.png|.gif";
// Extract the type of uploaded file
var ext_name = file.substring(file.lastIndexOf("."));
// Determine whether the type of uploaded file is allowed to be uploaded
if (allow_ext.indexOf(ext_name + "|") == -1) {
var errMsg = " The file is not allowed to upload , Please upload " + allow_ext + " Files of type , The current file type is :" + ext_name;
alert(errMsg);
return false;
}
}
How to recognise this kind of check: select a file of a type that is not allowed and click the confirm button. If the browser immediately pops up a message refusing the upload, the check is generally client-side JavaScript.
Bypass methods:
1. Disable JavaScript in the browser.
Chrome -> Settings -> Security and privacy -> Site settings -> JavaScript
2. Change the file to be uploaded to an allowed type, for example rename shell.php to shell.jpg and upload it. Configure Burp Suite as a proxy to capture the request, then change the file name back to shell.php.
3. Upload shell.jpg.php; the front-end code may check the suffix starting from the front.
Pass-02 MIME check bypass (Content-Type)
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = ' Incorrect file type , Please upload again !';
}
} else {
$msg = $UPLOAD_ADDR.' Folder does not exist , Please create... By hand !';
}
}
The code checks only the type reported in the request ($_FILES['upload_file']['type']); there is no suffix check. Upload shell.php.
Pass-03 Incomplete filtering
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // Remove the trailing dot from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
$file_ext = trim($file_ext); // Trim leading and trailing whitespace
if(!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = ' Upload is not allowed .asp,.aspx,.php,.jsp Suffix file !';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
Some commonly used executable script suffixes:
・ php, php2, php3, php5, phtml
・ asp, cer, asa, cdx
・ aspx, ascx, ashx
・ jsp, jspx
・ py
Whether they are parsed depends on the types set in the configuration file.
Apache's httpd.conf needs to be modified:
Search for AddType
and add the following line:
AddType application/x-httpd-php .php .phtml .phps .php5 .pht
Rename shell.php to shell.php3 and upload it.
Pass-04 .htaccess bypass
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // Remove the trailing dot from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
$file_ext = trim($file_ext); // Trim leading and trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
$is_upload = true;
}
} else {
$msg = ' This file is not allowed to upload !';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
An .htaccess file (or "distributed configuration file") provides a way to change the configuration per directory: a file containing one or more directives is placed in a particular document directory, and the directives apply to that directory and all its subdirectories. Directives in the .htaccess file of a given directory may therefore override those in the .htaccess file of its parent directory; that is, directives in a subdirectory override the directives in the parent directory or in the main configuration file.
Create an .htaccess file with the following contents and upload it:
<FilesMatch "shell.png">
SetHandler application/x-httpd-php
</FilesMatch>
This means that a file named shell.png in that directory is interpreted as PHP.
Rename shell.php to shell.png and upload it directly.
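For the defender's side of Pass-03 and Pass-04, the PHP script below is an added example (not upload-labs code) that audits an image upload directory for what these two passes leave behind: files carrying a script suffix from the list above, in any letter case, and .htaccess files. `audit_upload_dir()` and the sample directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not upload-labs code; audit_upload_dir() is a hypothetical name.
// Suffixes listed in this section, plus .phps/.pht from the AddType line.
const SCRIPT_EXT = ['php', 'php2', 'php3', 'php5', 'phtml', 'phps', 'pht', 'asp',
                    'cer', 'asa', 'cdx', 'aspx', 'ascx', 'ashx', 'jsp', 'jspx', 'py'];

/** Map of relative path => reason for files that do not belong in an image upload directory. */
function audit_upload_dir(string $dir): array
{
    $dir = rtrim($dir, '/');
    $findings = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $name = $file->getFilename();
        $rel  = substr($file->getPathname(), strlen($dir) + 1);
        if (strcasecmp($name, '.htaccess') === 0) {
            $findings[$rel] = 'per-directory Apache configuration';
            continue;
        }
        // Check every dot-separated segment, lower-cased and with padding
        // removed, so shell.PHP, shell.php3 and shell.php.jpg are all reported.
        foreach (array_slice(explode('.', strtolower($name)), 1) as $segment) {
            $segment = trim($segment);
            if (in_array($segment, SCRIPT_EXT, true)) {
                $findings[$rel] = 'script suffix .' . $segment;
                break;
            }
        }
    }
    ksort($findings);
    return $findings;
}

// Constructed sample directory (empty files) so the script runs offline.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/upload_audit_' . bin2hex(random_bytes(4));
    mkdir($dir);
    $names = ['cat.jpg', 'shell.php3', 'shell.PHP', 'shell.png', '.htaccess'];
    foreach ($names as $n) {
        file_put_contents($dir . '/' . $n, '');
    }
    print_r(audit_upload_dir($dir));
    foreach ($names as $n) {
        unlink($dir . '/' . $n);
    }
    rmdir($dir);
}
```

A renamed shell.png is not reported by name; it only matters while the .htaccess that maps it to the PHP handler is present, which is why the .htaccess finding is the one to act on first.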
Pass-05 Case bypass
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // Remove the trailing dot from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
$file_ext = trim($file_ext); // Trim leading and trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = ' This file is not allowed to upload ';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
Rename shell.php to shell.PHP and upload it directly.
Pass-06 Trailing-space bypass
On Windows and similar systems, when a file name ends with the suffix followed by spaces, the spaces are removed automatically by default.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // Remove the trailing dot from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext);// Remove strings ::$DATA
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = ' This file is not allowed to upload ';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
Change shell.php to "shell.php " (add a trailing space).
The name cannot be changed this way directly; it has to be modified in the captured request.
Pass-07 Trailing-dot bypass
The principle is the same as the space bypass: by default Windows removes a trailing dot and trailing spaces from the file suffix.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
$file_ext = trim($file_ext); // Trim leading and trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = ' This file is not allowed to upload ';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
Likewise, add a dot. It cannot be added directly, so capture the request.
Pass-08 ::$DATA bypass
::$DATA is the data stream; the default data stream has no name. The FindFirstStreamW and FindNextStreamW functions can be used to enumerate data streams.
A file on NTFS contains at least one stream, the data stream (its stream type is $DATA). The data stream is the file's main stream, and the stream name of the default data stream is empty. By default, if a stream is specified for a file and no stream type is given, $DATA is added automatically when it is stored. For example, myfile.txt:stream1:$DATA is actually stored as myfile.txt:stream1, but :$DATA has to be removed from query results, otherwise a parameter error occurs; this is because notepad does not support streams well.
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // Remove the trailing dot from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = trim($file_ext); // Trim leading and trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = ' This file is not allowed to upload ';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
This uses an NTFS feature of Windows: capture the request with Burp Suite and change the suffix to php::$DATA.
Pass-09 Dot-and-space bypass
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // Remove the trailing dot from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
$file_ext = trim($file_ext); // Trim leading and trailing whitespace
if (!in_array($file_ext, $deny_ext)) {
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
$img_path = $UPLOAD_ADDR . '/' . $file_name;
$is_upload = true;
}
} else {
$msg = ' This file is not allowed to upload ';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
The code first removes the dot after the suffix, then removes the space.
Change shell.php to "shell.php. ." (dot, space, dot).
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // Remove the trailing dot from the file name
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // Convert to lowercase
$file_ext = str_ireplace('::$DATA', '', $file_ext); // Remove the string ::$DATA
$file_ext = trim($file_ext); // Trim leading and trailing whitespace
After this processing the name becomes shell.php.
so the check is bypassed,
and Windows automatically removes the trailing dot.
Capture the request to make the change.
Pass-10 Double-write bypass
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $file_name)) {
$img_path = $UPLOAD_ADDR . '/' .$file_name;
$is_upload = true;
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}
Change shell.php to shell.pphphp
and upload it directly.
Pass-11 %00 bypass
Reading the source code shows that the saved file name is changed (to a random number). The purpose is to keep us from knowing the file name, so that the file cannot be accessed.
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = ' Upload failed !';
}
}
else{
$msg = " Only upload is allowed .jpg|.png|.gif Type file !";
}
}
Upload shell.php and capture the request.
The file save path appears in the request.
Rename shell.php to shell.png to pass the suffix check, then change the save path to ../upload/shell.php%00
%00 truncates the random number that follows,
so the path becomes shell.php%00/878179172.png
(878179172 is the random number)
Warning: This is not a legal path
Upload failed
But the general idea is like this.
Pass-12 00 bypass
The code is the same as in the previous pass.
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = " Upload failed ";
}
}
else{
$msg = " Only upload is allowed .jpg|.png|.gif Type file !";
}
}
Rename shell.php to shell.png, then capture the upload request.
This time save_path is no longer in the URL (a GET parameter) but in the POST parameters.
In POST parameters %00 is treated as a literal string, so it cannot simply be added (but 00 truncation still works).
Bypass method:
First change save_path to ../upload/shell.php+
The plus sign is a placeholder used to locate the position.
Switch to the hex view and find it:
the plus sign is 2b.
Change it to 00 and the path is truncated.
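Passes 01 to 12 succeed because the check is made on something the client controls (the browser-side script, the Content-Type header, one spelling of the file name, the save path) while the file is stored under something else. The PHP below is an added example, not upload-labs code: it allowlists the extension, takes the type from the file's bytes, and builds both the stored name and the directory on the server. `allowed_ext()`, `store_upload()` and the sample list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not upload-labs code. Function names are hypothetical.
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

/** Return the lower-cased extension if it is on the allowlist, else null. */
function allowed_ext(string $clientName): ?string
{
    // The name must END in ".<alphanumerics>"; \z rather than $ so that a
    // trailing newline cannot follow. A trailing space, a trailing dot or
    // "::$DATA" fails the match: the upload is rejected, never "cleaned".
    if (preg_match('/\.([A-Za-z0-9]+)\z/', $clientName, $m) !== 1) {
        return null;
    }
    $ext = strtolower($m[1]);
    return array_key_exists($ext, ALLOWED) ? $ext : null;
}

/** Store one $_FILES entry under a server-generated name; returns the name or null. */
function store_upload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = allowed_ext((string) $file['name']);
    if ($ext === null) {
        return null;
    }
    // Type comes from the file's bytes, not from $file['type'] (client-supplied).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Nothing the client sent reaches the path except the vetted extension;
    // the directory is fixed by the caller (no save_path or save_name parameter).
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $name) ? $name : null;
}

// Constructed sample: the file names used in the passes above.
if (PHP_SAPI === 'cli') {
    $names = ['photo.jpg', 'shell.php', 'shell.jpg.php', 'shell.php3', '.htaccess',
              'shell.PHP', 'shell.php ', 'shell.php.', 'shell.php::$DATA',
              'shell.php. .', 'shell.pphphp'];
    foreach ($names as $n) {
        printf("%-22s %s\n", json_encode($n), allowed_ext($n) ?? 'rejected');
    }
}
```

Point `$uploadDir` at a directory where no script handler is configured and `AllowOverride None` is set, so an .htaccess file there is ignored. PHP 5.3.4 and later reject a file path that contains a NUL byte, which is consistent with the failed attempt in Pass-11.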
Pass-13 File header bypass
function getReailFileType($filename){
$file = fopen($filename, "rb");
$bin = fread($file, 2); // Read only the first 2 bytes
fclose($file);
$strInfo = @unpack("C2chars", $bin);
$typeCode = intval($strInfo['chars1'].$strInfo['chars2']);
$fileType = '';
switch($typeCode){
case 255216:
$fileType = 'jpg';
break;
case 13780:
$fileType = 'png';
break;
case 7173:
$fileType = 'gif';
break;
default:
$fileType = 'unknown';
}
return $fileType;
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_type = getReailFileType($temp_file);
if($file_type == 'unknown'){
$msg = " File unknown , Upload failed !";
}else{
$img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").".".$file_type;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = " Upload failed ";
}
}
}
Pass-14 Bypass
function isImage($filename){
$types = '.jpeg|.png|.gif';
if(file_exists($filename)){
$info = getimagesize($filename);
$ext = image_type_to_extension($info[2]);
if(stripos($types,$ext)){
return $ext;
}else{
return false;
}
}else{
return false;
}
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$res = isImage($temp_file);
if(!$res){
$msg = " File unknown , Upload failed !";
}else{
$img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").$res;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = " Upload failed ";
}
}
}
getimagesize()
Measures images of types such as jpg and gif and returns their dimensions. This function is also used to determine the image type.
Pass-15 Bypass
function isImage($filename){
// Requires the php_exif extension to be enabled
$image_type = exif_imagetype($filename);
switch ($image_type) {
case IMAGETYPE_GIF:
return "gif";
break;
case IMAGETYPE_JPEG:
return "jpg";
break;
case IMAGETYPE_PNG:
return "png";
break;
default:
return false;
break;
}
}
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$temp_file = $_FILES['upload_file']['tmp_name'];
$res = isImage($temp_file);
if(!$res){
$msg = " File unknown , Upload failed !";
}else{
$img_path = $UPLOAD_ADDR."/".rand(10, 99).date("YmdHis").".".$res;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
}
else{
$msg = " Upload failed ";
}
}
}
exif_imagetype()
A function that returns the image type.
Pass-16 Bypass
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){
// Get the basic information of the uploaded file , file name , type , size , Temporary file path
$filename = $_FILES['upload_file']['name'];
$filetype = $_FILES['upload_file']['type'];
$tmpname = $_FILES['upload_file']['tmp_name'];
$target_path=$UPLOAD_ADDR.basename($filename);
// Get the extension of the uploaded file
$fileext= substr(strrchr($filename,"."),1);
// Judge file suffix and type , Upload only when it is legal
if(($fileext == "jpg") && ($filetype=="image/jpeg")){
if(move_uploaded_file($tmpname,$target_path))
{
// Use the uploaded image to generate a new image
$im = imagecreatefromjpeg($target_path);
if($im == false){
$msg = " The file is not jpg Format picture !";
}else{
// Assign a file name to the new image
srand(time());
$newfilename = strval(rand()).".jpg";
$newimagepath = $UPLOAD_ADDR.$newfilename;
imagejpeg($im,$newimagepath);
// Show the second rendered image ( Use new images generated by users uploading images )
$img_path = $UPLOAD_ADDR.$newfilename;
unlink($target_path);
$is_upload = true;
}
}
else
{
$msg = " Upload failed !";
}
}else if(($fileext == "png") && ($filetype=="image/png")){
if(move_uploaded_file($tmpname,$target_path))
{
// Use the uploaded image to generate a new image
$im = imagecreatefrompng($target_path);
if($im == false){
$msg = " The file is not png Format picture !";
}else{
// Assign a file name to the new image
srand(time());
$newfilename = strval(rand()).".png";
$newimagepath = $UPLOAD_ADDR.$newfilename;
imagepng($im,$newimagepath);
// Show the second rendered image ( Use new images generated by users uploading images )
$img_path = $UPLOAD_ADDR.$newfilename;
unlink($target_path);
$is_upload = true;
}
}
else
{
$msg = " Upload failed !";
}
}else if(($fileext == "gif") && ($filetype=="image/gif")){
if(move_uploaded_file($tmpname,$target_path))
{
// Use the uploaded image to generate a new image
$im = imagecreatefromgif($target_path);
if($im == false){
$msg = " The file is not gif Format picture !";
}else{
// Assign a file name to the new image
srand(time());
$newfilename = strval(rand()).".gif";
$newimagepath = $UPLOAD_ADDR.$newfilename;
imagegif($im,$newimagepath);
// Show the second rendered image ( Use new images generated by users uploading images )
$img_path = $UPLOAD_ADDR.$newfilename;
unlink($target_path);
$is_upload = true;
}
}
else
{
$msg = " Upload failed !";
}
}else{
$msg = " Only upload suffixes are allowed .jpg|.png|.gif The picture file of !";
}
}
Pass-17 Bypass
$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_name = $_FILES['upload_file']['name'];
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_ext = substr($file_name,strrpos($file_name,".")+1);
$upload_file = $UPLOAD_ADDR . '/' . $file_name;
if(move_uploaded_file($temp_file, $upload_file)){
if(in_array($file_ext,$ext_arr)){
$img_path = $UPLOAD_ADDR . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
rename($upload_file, $img_path);
unlink($upload_file);
$is_upload = true;
}else{
$msg = " Only upload is allowed .jpg|.png|.gif Type file !";
unlink($upload_file);
}
}else{
$msg = ' Upload failed !';
}
}
Pass-18 Bypass
Pass-19 Bypass
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists($UPLOAD_ADDR)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = $_POST['save_name'];
$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!in_array($file_ext,$deny_ext)) {
$img_path = $UPLOAD_ADDR . '/' .$file_name;
if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $img_path)) {
$is_upload = true;
}else{
$msg = ' Upload failed !';
}
}else{
$msg = ' Do not save as this type of file !';
}
} else {
$msg = $UPLOAD_ADDR . ' Folder does not exist , Please create... By hand !';
}
}