upload-labs 20关超级详细的WP

Pass20【“/.”结尾法 和 POST方法%00截断2】

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");


        $file_name = $_POST['save_name'];
        $file_ext = pathinfo($file_name,PATHINFO_EXTENSION);


        if(!in_array($file_ext,$deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) { 
                $is_upload = true;
            }else{
                $msg = '上传出错！';
            }
        }else{
            $msg = '禁止保存为该类型文件！';
        }


    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}

方法一

先测试了下pathinfo($file_name,PATHINFO_EXTENSION)函数

就想到可以利用%00截断：

找到上传名称里故意留的空格20，改成00

即可上传成功，到服务器时，%00后的内容自动被截断剩下base.php

方法二

还遇到一种网上另一种方法：

文件名改为base.php/.，move_uploaded_file函数结尾遇到/.`的时候会删除它。