Upload-labs文件上传（6-10）

第六关（禁止上传很多中后缀，识别大小写）

我们查看第五关代码：

        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

第六关代码：

        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

分析，第五关是因为没有大小写导致可以大小写绕过，第六关可以看到没有进行首尾去空
所以利用空格可以走一波。

发现成功上传而且可以利用：
-

---

第七关（点号绕过）

  $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空

查看代码发现，大小写，空格，等等都是绕不过的，但是还有一个在后缀名中家点号，走起！

发现成功上传而且可以利用：

---

第八关（：：$DATA绕过）

$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

发现可以成功利用：

---

第九关（文件路径拼接问题）

我们可以先看看第2关的路径拼接代码如下：

 if (move_uploaded_file($_FILES['upload_file']['tmp_name'], UPLOAD_PATH . '/' . $_FILES['upload_file']['name'])) {
                $img_path = UPLOAD_PATH . $_FILES['upload_file']['name'];
                $is_upload = true;

再看这一关的代码拼接，

  if (move_uploaded_file($_FILES['upload_file']['tmp_name'], UPLOAD_PATH . '/' . $_FILES['upload_file']['name'])) {
                $img_path = UPLOAD_PATH . '/' . $file_name;
                $is_upload = true;
            }

发现5，6，7，8，9关都是一样，路径拼接的是处理后的文件名，于是构造info.php. . （点+空格+点），经过处理后，文件名变成info.php.，即可绕过。

---

第十关（文件路径拼接）

$file_name = trim($_FILES['upload_file']['name']);
$file_name = str_ireplace($deny_ext,"", $file_name);

首先科普一下这个函数：

str_ireplace(find,replace,string,count)
参数  描述
find    必需。规定要查找的值。
replace 必需。规定替换 find 中的值的值。
string  必需。规定被搜索的字符串。
count   可选。一个变量，对替换数进行计数。

上面的代码依旧是黑名单过滤，注意到，这里是将问题后缀名替换为空

$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

$file_name = str_ireplace($deny_ext,"", 'pphphp');
var_dump($file_name);
#绕过测试代码
?>

双写绕过

发现还是可以成功利用漏洞