Upload-labs文件上传漏洞（POST路径）——Pass12

朱雀 2023-03-02 07:45 174阅读 0赞

## 0×00 题目概述 ##

![20200728114409951.png][]

依然是上传路径可控

## 0×01 源代码 ##

$is_upload = false;
    $msg = null;
    if(isset($_POST['submit'])){
        $ext_arr = array('jpg','png','gif');
        $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
        if(in_array($file_ext,$ext_arr)){
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
    
            if(move_uploaded_file($temp_file,$img_path)){
                $is_upload = true;
            } else {
                $msg = "上传失败";
            }
        } else {
            $msg = "只允许上传.jpg|.png|.gif类型文件！";
        }
    }

本题也是白名单，但是使用的是POST传参，由于POST传参不会自动解码，需要在Hex处修改二进制，+对应的是2b,将其改为00即可

## 0×02 解题步骤 ##

![20200728135707658.png][]

![20200728135958265.png][] 在Hex处找到+对应的2b，将其修改为00即可

![20200728140118973.png][]

![20200728140130768.png][]

修改完之后Forward，还是不行，应该是php版本的问题吧

![20200728140444644.png][]

[20200728114409951.png]: /images/20230208/6097b3e4848944039d24da87166d922e.png
[20200728135707658.png]: /images/20230208/2abd5f75981a4b1089e4f26fa995246f.png
[20200728135958265.png]: /images/20230208/e854ab71650442a3889249369c71bd8d.png
[20200728140118973.png]: /images/20230208/0de99ba40e104d239a9090c6f6858788.png
[20200728140130768.png]: /images/20230208/ef3c75b7fde148d59c67668c768c9199.png
[20200728140444644.png]: /images/20230208/feb000ad6b1d412cb6f1a30056373378.png