upload-labs闯关笔记 - 博客

[{"createTime":1735734952000,"id":1,"img":"hwy_ms_500_252.jpeg","link":"https://activity.huaweicloud.com/cps.html?fromacct=261f35b6-af54-4511-a2ca-910fa15905d1&utm_source=V1g3MDY4NTY=&utm_medium=cps&utm_campaign=201905","name":"华为云秒杀","status":9,"txt":"华为云38元秒杀","type":1,"updateTime":1735747411000,"userId":3},{"createTime":1736173885000,"id":2,"img":"txy_480_300.png","link":"https://cloud.tencent.com/act/cps/redirect?redirect=1077&cps_key=edb15096bfff75effaaa8c8bb66138bd&from=console","name":"腾讯云秒杀","status":9,"txt":"腾讯云限量秒杀","type":1,"updateTime":1736173885000,"userId":3},{"createTime":1736177492000,"id":3,"img":"aly_251_140.png","link":"https://www.aliyun.com/minisite/goods?userCode=pwp8kmv3","memo":"","name":"阿里云","status":9,"txt":"阿里云2折起","type":1,"updateTime":1736177492000,"userId":3},{"createTime":1735660800000,"id":4,"img":"vultr_560_300.png","link":"https://www.vultr.com/?ref=9603742-8H","name":"Vultr","status":9,"txt":"Vultr送$100","type":1,"updateTime":1735660800000,"userId":3},{"createTime":1735660800000,"id":5,"img":"jdy_663_320.jpg","link":"https://3.cn/2ay1-e5t","name":"京东云","status":9,"txt":"京东云特惠专区","type":1,"updateTime":1735660800000,"userId":3},{"createTime":1735660800000,"id":6,"img":"new_ads.png","link":"https://www.iodraw.com/ads","name":"发布广告","status":9,"txt":"发布广告","type":1,"updateTime":1735660800000,"userId":3},{"createTime":1735660800000,"id":7,"img":"yun_910_50.png","link":"https://activity.huaweicloud.com/discount_area_v5/index.html?fromacct=261f35b6-af54-4511-a2ca-910fa15905d1&utm_source=aXhpYW95YW5nOA===&utm_medium=cps&utm_campaign=201905","name":"底部","status":9,"txt":"高性能云服务器2折起","type":2,"updateTime":1735660800000,"userId":3}]

<>Pass-01：前端验证绕过
<script type="text/javascript"> function checkFile() { var file = document.
getElementsByName('upload_file')[0].value; if (file == null || file == "") {
alert("请选择要上传的文件!"); return false; } //定义允许上传的文件类型 var allow_ext =
".jpg|.png|.gif"; //提取上传文件的类型 var ext_name = file.substring(file.lastIndexOf("."
)); //判断上传文件类型是否允许上传 if (allow_ext.indexOf(ext_name) == -1) { var errMsg =
"该文件不允许上传，请上传" + allow_ext + "类型的文件,当前文件类型为：" + ext_name; alert(errMsg); return
false; } } </script>
js前端验证，使用禁用js之类的插件，或修改当前页面js代码，或先上传一个图片马然后抓包修改为后缀名php都可

<>Pass-02：Content-Type绕过
$is_upload = false; $msg = null; if (isset($_POST['submit'])) { if
(file_exists(UPLOAD_PATH)) { if (($_FILES['upload_file']['type'] ==
'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') ||
($_FILES['upload_file']['type'] == 'image/gif')) { $temp_file =
$_FILES['upload_file']['tmp_name']; $img_path = UPLOAD_PATH . '/' .
$_FILES['upload_file']['name']; if (move_uploaded_file($temp_file, $img_path))
{ $is_upload = true; } else { $msg = '上传出错！'; } } else { $msg =
'文件类型不正确，请重新上传！'; } } else { $msg = UPLOAD_PATH.'文件夹不存在,请手工创建！'; } }

只对Content-Type进行了验证，并没有对文件的后缀名进行验证,因此上传1.php抓包修改content-type为图片类型：image/jpeg、image/png、image/gif

技术

Java1212 篇
Python927 篇
开发语言608 篇
c语言463 篇
算法461 篇
MySQL438 篇
数据库394 篇
前端387 篇
更多...