©2020-2024 ioDraw All rights reserved
<>Pass-01:前端验证绕过
<script type="text/javascript"> function checkFile() { var file = document.
getElementsByName('upload_file')[0].value; if (file == null || file == "") {
alert("请选择要上传的文件!"); return false; } //定义允许上传的文件类型 var allow_ext =
".jpg|.png|.gif"; //提取上传文件的类型 var ext_name = file.substring(file.lastIndexOf("."
)); //判断上传文件类型是否允许上传 if (allow_ext.indexOf(ext_name) == -1) { var errMsg =
"该文件不允许上传,请上传" + allow_ext + "类型的文件,当前文件类型为:" + ext_name; alert(errMsg); return
false; } } </script>
js前端验证,使用禁用js之类的插件,或修改当前页面js代码,或先上传一个图片马然后抓包修改为后缀名php都可
<>Pass-02:Content-Type绕过
$is_upload = false; $msg = null; if (isset($_POST['submit'])) { if
(file_exists(UPLOAD_PATH)) { if (($_FILES['upload_file']['type'] ==
'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') ||
($_FILES['upload_file']['type'] == 'image/gif')) { $temp_file =
$_FILES['upload_file']['tmp_name']; $img_path = UPLOAD_PATH . '/' .
$_FILES['upload_file']['name']; if (move_uploaded_file($temp_file, $img_path))
{ $is_upload = true; } else { $msg = '上传出错!'; } } else { $msg =
'文件类型不正确,请重新上传!'; } } else { $msg = UPLOAD_PATH.'文件夹不存在,请手工创建!'; } }
只对Content-Type进行了验证,并没有对文件的后缀名进行验证,因此上传1.php抓包修改content-type为图片类型:image/jpeg、image/png、image/gif