靶场搭建

第一关

使用js来检测文件的后缀是否为图片

那么只需要控制台禁用JavaScript即可

第二关

检测了Content-Type:的类型来判断是否为图片
关键代码

if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif'))

抓包，将Content-Type: 改为 image/jpeg

第三关

关键代码

$deny_ext = array('.asp','.aspx','.php','.jsp');  //后缀黑名单
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');  //搜索 .在字符串中的位置，并返回从该位置到字符串结尾的所有字符(获得后缀名)
/*实际上这是第八九关的，放在第三关这里难度有点高了...
$file_name = deldot($file_name);//删除文件名末尾的点
*$file_ext = strtolower($file_ext); //将后缀名转换为小写
*$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除后缀中的::$DATA
*$file_ext = trim($file_ext); //首尾去除空白字符
*/
if(!in_array($file_ext, $deny_ext)) {
...(略)
}

虽然不允许上传.asp,.aspx,.php,.jsp后缀的文件，但.phtml .phps .pht .php2 .php3等并未过滤(很明显作者也是想让我们用这种方法)

第四关

核心代码

$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);  //获得上传的文件名称
$file_ext = strrchr($file_name, '.');  //搜索 .在字符串中的位置，并返回从该位置到字符串结尾的所有字符(获得后缀名)
if (!in_array($file_ext, $deny_ext)) {    //判断我们获得的后缀在不在黑名单
    if (move_uploaded_file($temp_file, $img_path)) {  //保存文件
}}

重写文件解析规则绕过。上传先上传一个名为.htaccess文件，内容如下：

<FilesMatch "4.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

然后再上传一个4.jpg，访问4.jpg查看解析规则是否生效

第五关

过滤了

.php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess"

直接变换大小写

第六关

利用Windows系统的文件名特性。抓包修改文件名在后缀增加空格，写成06.php

第七关

同理利用Windows系统的文件名特性，抓包后后缀加点，改成07.php.

第八关

使用Windows文件流特性绕过，文件名改成8.php::$DATA，上传成功后保存的文件名其实是08.php

第九关

删除了文件末尾的点并去掉了::$DATA,所以末尾得变成9.php. .，这样他删除末尾的点后倒数第二个点还是会加载

$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

第十关

核心代码

$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = str_ireplace($deny_ext,"", $file_name);  //使用正则表达式，去除黑名单中的关键字
...(略)

所以可以像xss一样，双写、拼写、混写啊之类的

十一关

核心代码

$ext_arr = array('jpg','png','gif');  //设置后缀名的白名单数组
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1); //获取上传文件的后缀名
if(in_array($file_ext,$ext_arr)){  //检测上传文件的后缀名是否在白名单中
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;   //接受GET传入sava_path作为图片路径
...(略)

虽然有白名单校验后缀名，但$img_path是接受参数直接拼接的，可以利用%00截断绕过。