upload-labs靶场Pass-02
分析源码
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '文件类型不正确,请重新上传!';
}
} else {
$msg = UPLOAD_PATH.'文件夹不存在,请手工创建!';
}
}
源码中
if (( F I L E S [ ′ u p l o a d f i l e ′ ] [ ′ t y p e ′ ] = = ′ i m a g e / j p e g ′ ) ∣ ∣ ( _FILES['upload_file']['type'] == 'image/jpeg') || ( FILES[′uploadfile′][′type′]==′image/jpeg′)∣∣(_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif'))
可以看出验证方式是文件类型,使用白名单验证
选择上传文件并抓包,修改文件类型可以绕过
上传php文件,本来是不容许的
抓包
修改Content-Typr字段为源码中提到的任意一种,放包
查看服务端,有了我们上传的php文件,由此绕过成功
OVER!