在开始之前,我们需要做一些准备工作。
upload-labs靶场是在PHP环境下运行的,因此我准备了一个PHP脚本和一张图片。图片很容易准备,如果你不想自己编写PHP脚本,可以使用我提供的这个获取当前时间的PHP脚本。
代码语言:PHP 运行次数:0
<?php
header("content-type:text/html;charset=utf-8");
date_default_timezone_set("PRC"); // 设置时区
echo "当前时间为:";
$today = date("Y-m-d D h:i:s A ");
echo $today;
?>注意:图片默认不清晰,请放大查看!
Pass-08
代码:
代码语言:PHP 运行次数:0
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name); // 删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext); // 转换为小写
$file_ext = trim($file_ext); // 首尾去空
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}这关之前的方法基本上是行不通的。
通关过程:这一关实际上是利用了Windows系统的一个命名特性。在Windows系统中,如果文件名后面加上"
::$DATA
::$DATA
::$DATA
举个例子:
上传文件名为:
测试.php::$DATA
::$DATA
测试.php
xxx.php
通关完成!
以上就是upload-labs靶场-Pass-08关-思路以及过程的详细内容,更多请关注php中文网其它相关文章!
每个人都需要一台速度更快、更稳定的 PC。随着时间的推移,垃圾文件、旧注册表数据和不必要的后台进程会占用资源并降低性能。幸运的是,许多工具可以让 Windows 保持平稳运行。
Copyright 2014-2025 https://www.php.cn/ All Rights Reserved | php.cn | 湘ICP备2023035733号
957
收藏
