上传绕过php文件改为图片,文件上传绕过（二）

article/2025/9/29 5:26:33

基于文件后缀名的绕过

同理，我们先看源码$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

if (file_exists($UPLOAD_ADDR)) {

$deny_ext = array('.asp','.aspx','.php','.jsp');

$file_name = trim($_FILES['upload_file']['name']);

$file_name = deldot($file_name);//删除文件名末尾的点

$file_ext = strrchr($file_name, '.');

$file_ext = strtolower($file_ext); //转换为小写

$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

$file_ext = trim($file_ext); //收尾去空

if(!in_array($file_ext, $deny_ext)) {

if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR. '/' . $_FILES['upload_file']['name'])) {

$img_path = $UPLOAD_ADDR .'/'. $_FILES['upload_file']['name'];

$is_upload = true;

}

} else {

$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件！';

}

} else {

$msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建！';

}

从源码中我们可以看到，当前禁止了asp aspx php jsp等常见的后缀名。此时我们用BURP截包改包即可。

只需要将后缀名php改为phtml即可。

如图，成功上传，获得shell

更另类的文件绕过

先看源码$is_upload = false;

$msg = null;

if (isset($_POST['submit'])) {

if (file_exists($UPLOAD_ADDR)) {

$deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");

$file_name = trim($_FILES['upload_file']['name']);

$file_name = deldot($file_name);//删除文件名末尾的点

$file_ext = strrchr($file_name, '.');

$file_ext = strtolower($file_ext); //转换为小写

$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

$file_ext = trim($file_ext); //收尾去空

if (!in_array($file_ext, $deny_ext)) {

if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {

$img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];

$is_upload = true;

}

} else {