Complete collection of upload labs customs clearance


Due to the echo of this level, check the name of the uploaded file through F12 and connect it through a kitchen knife


Delete the front onclick to bypass


Burpsuite grabbing and modifying content type: image / png


Blacklist bypass, because PHP3 and PHP5 files can be parsed into PHP files Htaccess file

Therefore, you can bypass it by modifying the suffix, and set PHP5 as shown in the figure

Complete collection of upload labs customs clearance


The. Htaccess file can be stored in each folder. If there is no such file in this folder, the one in the root directory shall prevail. If there is, the one in this folder shall prevail. First upload a customized file htaccess

Complete collection of upload labs customs clearance

Upload a picture that meets the filtering rules and connect it with a kitchen knife


1.php .   . : the source code shows that the last point is deleted first, and the string after the last point is intercepted to match, so if the matching is empty, it will be bypassed successfully


Case matching can be bypassed


The suffix is followed by a space, and the win system will automatically delete the space when receiving it php[ ]


When the source code prompts to save the file, the last point will be deleted and stored in {1 php.

Pass9: $data: lowercase is also acceptable

Add the stream file ID directly after the suffix to bypass


The point blank point method is the same as pass5


Doubles filtering: 1 Pphphp detection is carried in after deleting PHP in the middle


PHP version is lower than 5.3, magic quote GPC = off

The get method controls the upload path. Use% 00 to truncate the upload,

The path can also be used to change the file name: 1 php%00


Modify the path in post to decode the% 00 URL manually

pass14+ pass15+pass16

File contains vulnerabilities:

Complete collection of upload labs customs clearance

It can be seen from the code that all the code of the file will be executed

Use hanging horse pictures to bypass

This file contains PHP files in the root directory,

Path: http://ip/upload-labs/include.php?file=upload/ Hanging horse picture


php. INI file, extension = PHP_ exif. DLL remove the preceding semicolon


In the face of the situation of secondary rendering, consider the competition of use conditions, that is, operate the file once before the secondary rendering, use burpsuite’s intruder to generate the script of continuous contracting, upload the picture, and regenerate it into a script of continuous access to the picture horse. First start the contracting script, then start the access script, then close the contracting script, and then close the access script, so as to save the picture horse

However, you need to upload and parse the configuration file in combination with file inclusion or other methods to connect the kitchen knife


The same is to upload the picture horse and retain the picture horse through conditional competition


Image horse + file contains, or local parsing configuration file vulnerability


The file name can be controlled. Add space or /. To the suffix of one sentence Trojan file at the data submitted by post


Array judgment is used in the source code, and array bypass can be considered

If it is an array, it becomes lowercase, and then the file name is divided by decimal point, and the form of array is returned

Then use to check whether the last element of the array is a legal suffix (there is forgery)

Bypass method: give save when passing in parameters_ Change name to array form, as follows

Complete collection of upload labs customs clearance

In the source code, savenames will be split by dots and arranged in order

If the substitute suffix is not put into subscript 2, the substitute will be overwritten and cannot be bypassed

And the file name will be assembled again in the source code. Normally, the file name and suffix are connected by a dot

Bypass: add a slash after the file name, and then connect the file name and the avatar suffix with a dot through the back-end code, because windows will connect / If the following is omitted, only the real file name can be left