简单文件包含案例

#index.php
<?php
$file = $_GET["file"];

if (!$file) echo '<a href="?file=upload">upload?</a>';
if(stristr($file,"input")||stristr($file, "filter")||stristr($file,"data")/*||stristr($file,"phar")*/){
	echo "hick?";
	exit();
}else{
	include($file.".php");
}
?>

<form action="upload.php" method="post" enctype="multipart/form-data" >
	 <input type="file" name="fupload" />
 	<input type="submit" value="upload!" />
</form>
<!-- file=D://dsadasdasdasd/2.zip#2.php -->
you can upload jpg,png,zip....<br />
<?php
if( isset( $_FILES['fupload'] ) ) {
    $uploaded_name = $_FILES[ 'fupload' ][ 'name' ];         //文件名
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);   //文件后缀
    $uploaded_size = $_FILES[ 'fupload' ][ 'size' ];         //文件大小
    $uploaded_tmp  = $_FILES[ 'fupload' ][ 'tmp_name' ];     // 存储在服务器的文件的临时副本的名称
    $target_path = "uploads\\".md5(uniqid(rand())).".".$uploaded_ext;
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" || strtolower( $uploaded_ext ) == "zip" ) &&
        ( $uploaded_size < 1000000 ) ) {
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {// No
            echo '<pre>upload error</pre>';
        }
        else {// Yes!
            echo "<pre>".dirname(__FILE__)."\\{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        echo '<pre>you can upload jpg,png,zip....</pre>';
    }
}
 ?>

打开index.php

点击upload，跳转至upload.php

写一个.php文件

将此文件解压成压缩包，更改压缩包名（不更改也可以，因为此网站可以上传zip文件）

上传该压缩包（我是更改压缩包后缀为.jpg）

跳转至index.php，然后因为没有过滤zip://伪协议，因此直接使用，拼接路径（最后的文件名后缀不用编写因为index文件中参数上传成功时会添加后缀.php）

http://127.0.0.1/lzy/index.php?file=zip://E:/get/phpstudy_pro/WWW/lzy/uploads/511ab3b75caecc61e7ace7dde4f4186c.jpg%234