【文件上传绕过】路径拼接问题导致上传漏洞

文章目录

        • 一、源码
        • 二、使用burpsuite修改文件后缀绕过


一、源码

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
     
    if (file_exists(UPLOAD_PATH)) {
     
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
        
        if (!in_array($file_ext, $deny_ext)) {
     
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name; // 路径拼接的是处理后的文件名
            if (move_uploaded_file($temp_file, $img_path)) {
     
                $is_upload = true;
            } else {
     
                $msg = '上传出错!';
            }
        } else {
     
            $msg = '此文件类型不允许上传!';
        }
    } else {
     
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}

路径拼接的是处理后的文件名,导致可以利用类似.php. .(两个点号之间有一个空格)绕过,程序先是删除一个点,再删除一个空格经过处理后,文件名变成.php.,即可绕过。

二、使用burpsuite修改文件后缀绕过

【文件上传绕过】路径拼接问题导致上传漏洞_第1张图片
上传文件并访问

【文件上传绕过】路径拼接问题导致上传漏洞_第2张图片
文件上传到Windows服务器后会自动将后面的点去掉

【文件上传绕过】路径拼接问题导致上传漏洞_第3张图片

你可能感兴趣的:(文件上传绕过,php,web,webshell,文件上传漏洞)