本文使用環(huán)境來(lái)自于:https://github.com/c0ny1/upload-labs
客戶端
js檢查
一般都是在網(wǎng)頁(yè)上寫(xiě)一段javascript腳本,校驗(yàn)上傳文件的后綴名,有白名單形式也有黑名單形式。
查看源代碼可以看到有如下代碼對(duì)上傳文件類型進(jìn)行了限制:
<script type="text/javascript"> function checkFile() {
var file = document.getElementsByName('upload_file')[0].value;
if (file == null || file == "") {
alert("請(qǐng)選擇要上傳的文件!");
return false;
}
//定義允許上傳的文件類型
var allow_ext = ".jpg|.png|.gif";
//提取上傳文件的類型
var ext_name = file.substring(file.lastIndexOf("."));
//判斷上傳文件類型是否允許上傳
if (allow_ext.indexOf(ext_name) == -1) {
var errMsg = "該文件不允許上傳咸灿,請(qǐng)上傳" + allow_ext + "類型的文件,當(dāng)前文件類型為:" + ext_name;
alert(errMsg);
return false;
}
} </script>
我們可以看到對(duì)上傳文件類型進(jìn)行了限制。
繞過(guò)方法
- 我們直接刪除代碼中onsubmit事件中關(guān)于文件上傳時(shí)驗(yàn)證上傳文件的相關(guān)代碼即可。
或者可以不加載所有js纬凤,還可以將html源碼copy一份到本地,然后對(duì)相應(yīng)代碼進(jìn)行修改撩嚼,本地提交即可停士。
- burp改包,由于是js驗(yàn)證完丽,我們可以先將文件重命名為js允許的后綴名恋技,在用burp發(fā)送數(shù)據(jù)包時(shí)候改成我們想要的后綴。
即可上傳成功:
服務(wù)端
黑名單
特殊可解析后綴
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array('.asp','.aspx','.php','.jsp');
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫(xiě)
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if(!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)逻族!';
}
} else {
$msg = '不允許上傳.asp,.aspx,.php,.jsp后綴文件蜻底!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建!';
}
這里做了黑名單處理瓷耙,我們可以通過(guò)特殊可解析后綴進(jìn)行繞過(guò)朱躺。
繞過(guò)方法
之前在http://www.reibang.com/p/1ccbab572974中總結(jié)過(guò),這里不再贅述搁痛,可以使用php3长搀,phtml等繞過(guò)。
上傳.htaccess
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫(xiě)
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //收尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)鸡典!';
}
} else {
$msg = '此文件不允許上傳!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建源请!';
}
}
?>
我們發(fā)現(xiàn)黑名單限制了很多后綴名,但是沒(méi)有限制.htaccess
.htaccess文件是Apache服務(wù)器中的一個(gè)配置文件,它負(fù)責(zé)相關(guān)目錄下的網(wǎng)頁(yè)配置.通過(guò)htaccess文件谁尸,可以實(shí)現(xiàn):網(wǎng)頁(yè)301重定向舅踪、自定義404頁(yè)面、改變文件擴(kuò)展名良蛮、允許/阻止特定的用戶或者目錄的訪問(wèn)抽碌、禁止目錄列表、配置默認(rèn)文檔等功能决瞳。
繞過(guò)方法
我們需要上傳一個(gè).htaccess文件货徙,內(nèi)容為:
SetHandler application/x-httpd-php
這樣所有的文件都會(huì)解析為php,接下來(lái)上傳圖片馬即可
后綴大小寫(xiě)繞過(guò)
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)!';
}
} else {
$msg = '此文件類型不允許上傳!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建惜傲!';
}
}
我們發(fā)現(xiàn)對(duì).htaccess也進(jìn)行了檢測(cè),但是沒(méi)有對(duì)大小寫(xiě)進(jìn)行統(tǒng)一蠢棱。
繞過(guò)方法
后綴名改為PHP即可
空格繞過(guò)
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = $_FILES['upload_file']['name'];
$file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫(xiě)
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file,$img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)!';
}
} else {
$msg = '此文件不允許上傳';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建甩栈!';
}
黑名單沒(méi)有對(duì)文件中的空格進(jìn)行處理泻仙,可在后綴名中加空格繞過(guò)。
繞過(guò)方法
點(diǎn)繞過(guò)
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫(xiě)
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)谤职!';
}
} else {
$msg = '此文件類型不允許上傳饰豺!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建亿鲜!';
}
windows會(huì)對(duì)文件中的點(diǎn)進(jìn)行自動(dòng)去除允蜈,所以可以在文件末尾加點(diǎn)繞過(guò),不再贅述
::$DATA繞過(guò)
同windows特性蒿柳,可在后綴名中加” ::$DATA”繞過(guò)饶套,不再贅述
路徑拼接繞過(guò)
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//刪除文件名末尾的點(diǎn)
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); //轉(zhuǎn)換為小寫(xiě)
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)!';
}
} else {
$msg = '此文件類型不允許上傳垒探!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建妓蛮!';
}
}
這里對(duì)文件名進(jìn)行了處理,刪除了文件名末尾的點(diǎn)圾叼,并且把處理過(guò)的文件名拼接到路徑中蛤克。
繞過(guò)方法
這里我們可以構(gòu)造文件名1.PHP. . (點(diǎn)+空格+點(diǎn)),經(jīng)過(guò)處理后夷蚊,文件名變成1.PHP.构挤,即可繞過(guò)。
雙寫(xiě)繞過(guò)
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.$file_name;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)惕鼓!';
}
} else {
$msg = UPLOAD_PATH . '文件夾不存在,請(qǐng)手工創(chuàng)建筋现!';
}
}
繞過(guò)方法
這里我們可以看到將文件名替換為空,我們可以采用雙寫(xiě)繞過(guò):1.pphphp
白名單
MIME檢查
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)!';
}
} else {
$msg = '文件類型不正確矾飞,請(qǐng)重新上傳一膨!';
}
} else {
$msg = UPLOAD_PATH.'文件夾不存在,請(qǐng)手工創(chuàng)建!';
}
繞過(guò)方法
這里檢查Content-type洒沦,我們burp抓包修改即可繞過(guò):
%00 截?cái)?/h3>
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)豹绪!';
}
} else{
$msg = "只允許上傳.jpg|.png|.gif類型文件!";
}
}
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = '上傳出錯(cuò)豹绪!';
}
} else{
$msg = "只允許上傳.jpg|.png|.gif類型文件!";
}
}
$img_path直接拼接申眼,因此可以利用%00截?cái)嗬@過(guò)
繞過(guò)方法
然后直接訪問(wèn)/upload/1.php即可
00截?cái)啵╬ost)
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
if(in_array($file_ext,$ext_arr)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
if(move_uploaded_file($temp_file,$img_path)){
$is_upload = true;
} else {
$msg = "上傳失敗";
}
} else {
$msg = "只允許上傳.jpg|.png|.gif類型文件森篷!";
}
}
?>
save_path是通過(guò)post傳進(jìn)來(lái)的,還是利用00截?cái)嗖蛐停@次需要在二進(jìn)制中進(jìn)行修改仲智,因?yàn)閜ost不會(huì)像get對(duì)%00進(jìn)行自動(dòng)解碼。
繞過(guò)方法
接下來(lái)訪問(wèn)1.php即可
文件內(nèi)容檢查
文件幻數(shù)檢測(cè)
主要是檢測(cè)文件內(nèi)容開(kāi)始處的文件幻數(shù)姻氨,比如圖片類型的文件幻數(shù)如下钓辆,
要繞過(guò)jpg 文件幻數(shù)檢測(cè)就要在文件開(kāi)頭寫(xiě)上下圖的值:
Value = FF D8 FF E0 00 10 4A 46 49 46
要繞過(guò)gif 文件幻數(shù)檢測(cè)就要在文件開(kāi)頭寫(xiě)上下圖的值
Value = 47 49 46 38 39 61
要繞過(guò)png 文件幻數(shù)檢測(cè)就要在文件開(kāi)頭寫(xiě)上下面的值
Value = 89 50 4E 47
然后在文件幻數(shù)后面加上自己的一句話木馬代碼就行了
文件相關(guān)信息檢測(cè)
圖像文件相關(guān)信息檢測(cè)常用的就是getimagesize()函數(shù)
只需要把文件頭部分偽造好就ok 了,就是在幻數(shù)的基礎(chǔ)上還加了一些文件信息
有點(diǎn)像下面的結(jié)構(gòu)
GIF89a
(...some binary data for image...)
<?php phpinfo(); ?>
(... skipping the rest of binary data ...)
本次環(huán)境中的文件頭檢測(cè)肴焊,getimagesize前联,php_exif都可以用圖片馬繞過(guò):
copy normal.jpg /b + shell.php /a webshell.jpg
文件加載檢測(cè)
一般是調(diào)用API 或函數(shù)去進(jìn)行文件加載測(cè)試,常見(jiàn)的是圖像渲染測(cè)試娶眷,甚至是進(jìn)行二次渲染(過(guò)濾效果幾乎最強(qiáng))似嗤。對(duì)渲染/加載測(cè)試的攻擊方式是代碼注入繞過(guò),對(duì)二次渲染的攻擊方式是攻擊文件加載器自身届宠。
對(duì)渲染/加載測(cè)試攻擊- 代碼注入繞過(guò)
可以用圖像處理軟件對(duì)一張圖片進(jìn)行代碼注入
用winhex 看數(shù)據(jù)可以分析出這類工具的原理是
在不破壞文件本身的渲染情況下找一個(gè)空白區(qū)進(jìn)行填充代碼烁落,一般會(huì)是圖片的注釋區(qū)
對(duì)于渲染測(cè)試基本上都能繞過(guò),畢竟本身的文件結(jié)構(gòu)是完整的
二次渲染
imagecreatefromjpeg二次渲染它相當(dāng)于是把原本屬于圖像數(shù)據(jù)的部分抓了出來(lái)豌注,再用自己的API 或函數(shù)進(jìn)行重新渲染在這個(gè)過(guò)程中非圖像數(shù)據(jù)的部分直接就隔離開(kāi)了
if (isset($_POST['submit'])){
// 獲得上傳文件的基本信息伤塌,文件名,類型轧铁,大小每聪,臨時(shí)文件路徑
$filename = $_FILES['upload_file']['name'];
$filetype = $_FILES['upload_file']['type'];
$tmpname = $_FILES['upload_file']['tmp_name'];
$target_path=UPLOAD_PATH.basename($filename);
// 獲得上傳文件的擴(kuò)展名
$fileext= substr(strrchr($filename,"."),1);
//判斷文件后綴與類型,合法才進(jìn)行上傳操作
if(($fileext == "jpg") && ($filetype=="image/jpeg")){
if(move_uploaded_file($tmpname,$target_path))
{
//使用上傳的圖片生成新的圖片
$im = imagecreatefromjpeg($target_path);
if($im == false){
$msg = "該文件不是jpg格式的圖片齿风!";
@unlink($target_path);
}else{
//給新圖片指定文件名
srand(time());
$newfilename = strval(rand()).".jpg";
$newimagepath = UPLOAD_PATH.$newfilename;
imagejpeg($im,$newimagepath);
//顯示二次渲染后的圖片(使用用戶上傳圖片生成的新圖片)
$img_path = UPLOAD_PATH.$newfilename;
@unlink($target_path);
$is_upload = true;
}
} else {
$msg = "上傳出錯(cuò)药薯!";
}
}else if(($fileext == "png") && ($filetype=="image/png")){
if(move_uploaded_file($tmpname,$target_path))
{
//使用上傳的圖片生成新的圖片
$im = imagecreatefrompng($target_path);
if($im == false){
$msg = "該文件不是png格式的圖片!";
@unlink($target_path);
}else{
//給新圖片指定文件名
srand(time());
$newfilename = strval(rand()).".png";
$newimagepath = UPLOAD_PATH.$newfilename;
imagepng($im,$newimagepath);
//顯示二次渲染后的圖片(使用用戶上傳圖片生成的新圖片)
$img_path = UPLOAD_PATH.$newfilename;
@unlink($target_path);
$is_upload = true;
}
} else {
$msg = "上傳出錯(cuò)救斑!";
}
}else if(($fileext == "gif") && ($filetype=="image/gif")){
if(move_uploaded_file($tmpname,$target_path))
{
//使用上傳的圖片生成新的圖片
$im = imagecreatefromgif($target_path);
if($im == false){
$msg = "該文件不是gif格式的圖片童本!";
@unlink($target_path);
}else{
//給新圖片指定文件名
srand(time());
$newfilename = strval(rand()).".gif";
$newimagepath = UPLOAD_PATH.$newfilename;
imagegif($im,$newimagepath);
//顯示二次渲染后的圖片(使用用戶上傳圖片生成的新圖片)
$img_path = UPLOAD_PATH.$newfilename;
@unlink($target_path);
$is_upload = true;
}
} else {
$msg = "上傳出錯(cuò)!";
}
}else{
$msg = "只允許上傳后綴為.jpg|.png|.gif的圖片文件系谐!";
}
}
本關(guān)綜合判斷了后綴名巾陕、content-type讨跟,以及利用imagecreatefromgif判斷是否為gif圖片,最后再做了一次二次渲染鄙煤。
繞過(guò)方法
得去找圖片經(jīng)過(guò)GD庫(kù)轉(zhuǎn)化后沒(méi)有改變的部分晾匠,再將未改變的部分修改為相應(yīng)的php代碼。
條件競(jìng)爭(zhēng)
if(isset($_POST['submit'])){
$ext_arr = array('jpg','png','gif');
$file_name = $_FILES['upload_file']['name'];
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_ext = substr($file_name,strrpos($file_name,".")+1);
$upload_file = UPLOAD_PATH . '/' . $file_name;
if(move_uploaded_file($temp_file, $upload_file)){
if(in_array($file_ext,$ext_arr)){
$img_path = UPLOAD_PATH . '/'. rand(10, 99).date("YmdHis").".".$file_ext;
rename($upload_file, $img_path);
$is_upload = true;
}else{
$msg = "只允許上傳.jpg|.png|.gif類型文件梯刚!";
unlink($upload_file);
}
}else{
$msg = '上傳出錯(cuò)凉馆!';
}
}
這里先將文件上傳到服務(wù)器,然后通過(guò)rename修改名稱亡资,再通過(guò)unlink刪除文件澜共,因此可以通過(guò)條件競(jìng)爭(zhēng)的方式在unlink之前,訪問(wèn)webshell锥腻。
繞過(guò)方法
然后不斷訪問(wèn)webshell:
上傳成功嗦董。
參考鏈接:
