upload-labs靶场-Pass-06关-思路以及过程

开始前的小准备

upload-labs靶场 是PHP环境运行的,所以我准备了一个PHP脚本和一张图片
图片好准备,PHP脚本如果不想写的话可以用我的这个获取当前时间的PHP脚本

header("content-type:text/html;charset=utf-8");

date_default_timezone_set("PRC");//设置时区

echo "当前时间为：";

$today = date("Y-m-d D h:i:s A ");

echo $today;

?>

图片默认不清楚放大看!!!

Pass-06

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); //转换为小写
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错！';
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

看到提示和代码可以得到已经把文件扩展名转换了小写,也就是Pass-05关的方法已经行不通了

通关过程

仔细看代码可以看出它没有将扩展名去空格,我感觉这个考的是 扩展名空格
这里我分两种情况:
一:可以直接在扩展名后可以加上空格的
二:无法直接在扩展名后面加上空格的

可以直接在扩展名后可以加上空格的

我用的KaliLinux系统我可以直接在扩展名后面加上空格

无法直接在扩展名后面加上空格的

一般Windows系统你在扩展名后面是无法直接加上空格的,系统会直接将空格去掉,这个时候就可以使用 BurpSuite工具来更改了

通关完成!