upload labs pass11-12(00截断)

#upload-labs

pass 11

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错！';
        }
    } else{
        $msg = "只允许上传.jpg|.png|.gif类型文件！";
    }
}

查看源代码，发现是白名单机制

$img_path = ${}_{G}ET{[}^{\prime }sav{e}_{p}at{h}^{\prime }]."/".rand(10,99).date("YmdHis").".".$file_ext;

但是$img_path却是用save_path拼接的,于是想到之前一直看到的%00截断

直接上传hack.php

PS:利用%00截断，php版本必须是5.2x的,并且magic_quotes_gpc = Off

pass 12

这题也可以用%00截断，但是这次的save_path是用post方法得到的，所以会比较麻烦

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件！";
    }
}

这次需要在二进制中进行修改，因为post不会像get对%00进行自动解码。在0a 0d 前面加上00

先上传hack.php，然后通过抓包工具

成功上传