table of Contents
If you do not see this as carr0t2 article in cnblog author, it is recommended to get better access to the original page layout, images experience
topic
Here is the web page code
if (!empty($_POST['submit'])) {
$name = basename($_FILES['file']['name']);
$info = pathinfo($name);
$ext = $info['extension'];
$whitelist = array("jpg", "png", "gif");
if (in_array($ext, $whitelist)) {
$des = $_GET['road'] . "/" . rand(10, 99) . date("YmdHis") . "." . $ext;
if (move_uploaded_file($_FILES['file']['tmp_name'], $des)) {
echo "<script>alert('上传成功')</script>";
} else {
echo "<script>alert('上传失败')</script>";
}
} else {
echo "文件类型不匹配";
}
}
Thinking
- Search 00 truncated content
- C language secondary schools have had a string of 00 as a sign of the end of the end of the string, where the same token,
$des
when the connection is connected to the front$_GET['road']
, but$_GET['road']
this argument is that we can edit the specified, it is possible to construct a 00 truncation, this involves the URL encoded content - Recommended Reading
https://zhuanlan.zhihu.com/p/27739315
https://www.seebug.org/vuldb/ssvid-89630
tool
1. Chinese ant sword
2.bp
solution
1, bp open proxy, upload pictures and intercepted horse
2, structure 00 cut upload
3. Chinese sword connection ants, get flag
postscript
There is less likely to own php code, so on their own debugging, I found the situation after these variables uploaded
Debugging own computer, it was found 00% will be parsed into \ 0, then know almost paper has been explained above
We now know that using a 00% cut off for two conditions php versions less than 5.3.4 and magic_quotes_gpc is off state. If magic_quotes_gpc then we will change on then it can not be cut off, because 00% will be escaped with a backslash after turning off the magic_quotes_gpc