Pass20 [Trailing "/." method and POST %00 truncation 2]
    // Server-side code of the level. UPLOAD_PATH is a constant defined elsewhere by the lab.
    $is_upload = false;
    $msg = null;
    if (isset($_POST['submit'])) {
        if (file_exists(UPLOAD_PATH)) {
            // Blacklist of extensions that must not be saved
            $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
            // The file name comes from a POST field, not from the uploaded file itself
            $file_name = $_POST['save_name'];
            // Only the extension reported by pathinfo() is checked against the blacklist
            $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);
            if(!in_array($file_ext,$deny_ext)) {
                $temp_file = $_FILES['upload_file']['tmp_name'];
                // The user-controlled name is used unchanged as the on-disk path
                $img_path = UPLOAD_PATH . '/' .$file_name;
                if (move_uploaded_file($temp_file, $img_path)) {
                    $is_upload = true;
                }else{
                    $msg = '上传出错!';
                }
            }else{
                $msg = '禁止保存为该类型文件!';
            }
        } else {
            $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
        }
    }
Method 1
I first tested the pathinfo($file_name,PATHINFO_EXTENSION) function and then thought of using %00 truncation:
Find the space (hex 20) deliberately left in the upload name and change it to 00.
The upload then succeeds; when the name reaches the server, everything after the %00 is truncated and only base.php remains.
Method 2
I also came across another method online:
change the file name to base.php/.
When move_uploaded_file encounters a trailing /. at the end of the path, it removes it.
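As an added example, not part of the original write-up or of upload-labs, here is the Pass-20 check placed beside a hardened version of the same check, with the two names from this post as constructed inputs; the regex, the whitelist and the server-generated file name are my own assumptions about a sensible policy, not the lab's code:

```php
<?php
// The lab's check: a blacklist applied to whatever pathinfo() reports as the
// extension of the user-supplied save_name. pathinfo() is binary-safe, so for
// "base.php\0.jpg" it reports "jpg" (and PHP before 5.3.4 then truncated the
// path at the NUL when writing the file), and for a name ending in "/." it
// reports an empty extension. Neither value is on the blacklist.
function pass20_check(string $file_name): bool {
    $deny_ext = array("php", "php5", "phtml", "asp", "aspx", "jsp", "htaccess");
    $file_ext = pathinfo($file_name, PATHINFO_EXTENSION);
    return !in_array($file_ext, $deny_ext);
}

// Hardened version (assumed policy): validate the whole string rather than a
// derived extension, use a whitelist, and never reuse the user's name on disk.
// Returns the server-chosen file name, or null if the request is rejected.
function hardened_save_name(string $file_name): ?string {
    // Accept only a single plain path component. This rejects NUL bytes (%00),
    // "/" and "\" (so "base.php/." and "../x" never reach the filesystem),
    // control characters and leading dots such as ".htaccess".
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,99}\z/', $file_name)) {
        return null;
    }
    // Whitelist, compared case-insensitively on the last extension only.
    $allow_ext = array("jpg", "jpeg", "png", "gif");
    $ext = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allow_ext, true)) {
        return null;
    }
    // Server-generated name: the client controls neither base name nor path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: the two bypass names from the write-up and a benign one.
foreach (array("base.php\0.jpg", "base.php/.", "avatar.png") as $name) {
    printf("%-18s lab check: %-5s hardened: %s\n",
        addcslashes($name, "\0"),
        pass20_check($name) ? 'pass' : 'block',
        hardened_save_name($name) ?? 'reject');
}
```

Both bypass names pass the lab's blacklist check but are rejected by the hardened function before any filesystem call is made.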