Because these levels echo the upload result, check the name of the uploaded file through F12 (browser developer tools) and connect to it with China Chopper (the "kitchen knife" webshell client)
pass1
Delete the front-end onclick handler to bypass the check
pass2
Intercept the request with Burp Suite and change the Content-Type to image/png
pass3
Blacklist bypass, because .php3 and .php5 files can be parsed as PHP files (.htaccess file)
Therefore, the check can be bypassed by changing the suffix; set it to php5 as shown in the figure
pass4
A .htaccess file can be placed in each folder. If a folder has no such file, the one in the root directory applies; if it has one, the folder's own file applies. First upload a custom .htaccess file
Then upload a picture that satisfies the filtering rules and connect to it with China Chopper
pass5
1.php . . : the source code shows that the trailing dot is deleted first, then the string after the last dot is extracted and matched, so if the extracted string is empty the check is bypassed
pass6
The suffix match can be bypassed by changing letter case
pass7
Append a space after the suffix; Windows automatically strips the space when it receives the file: php[ ]
pass8
The source code shows that when the file is saved, the trailing dot is deleted: 1.php.
pass9
$DATA (lowercase $data is also accepted)
Append the stream identifier directly after the suffix to bypass
pass10
The dot-space-dot method, the same as pass5
pass11
Double-writing bypass: 1.pphphp. The filter deletes the php in the middle, and the remainder is what gets carried through
pass12
Requires a PHP version lower than 5.3 and magic_quotes_gpc = Off
The upload path is controlled through the GET method. Use %00 to truncate the upload path.
The path can also be used to change the file name: 1.php%00
pass13
Here the path is in the POST data; modify it there and URL-decode the %00 manually
pass14 + pass15 + pass16
File inclusion vulnerability:
The code shows that all code in the included file will be executed
Use a webshell image (a picture carrying the webshell) to bypass
The include file is a PHP file in the root directory.
Path: http://ip/upload-labs/include.php?file=upload/<webshell image>
pass16
In the php.ini file, remove the leading semicolon from extension=php_exif.dll
pass17
When the upload goes through secondary rendering, consider exploiting a race condition, that is, operate on the file once before the secondary rendering takes place. Use Burp Suite's Intruder to build a job that continuously sends the request uploading the picture, then build a second job that continuously requests the webshell image. Start the sending job first, then the access job; afterwards stop the sending job, then the access job, so that the webshell image is retained
However, to connect with China Chopper you still need to combine this with file inclusion or another method, such as uploading a parsing configuration file
pass18
As in the previous pass, upload the webshell image and retain it through the race condition
pass19
Webshell image + file inclusion, or a local parsing configuration vulnerability
pass20
The saved file name can be controlled. In the data submitted by POST, add a space or /. after the suffix of the one-line webshell file
pass21
The source code checks whether the parameter is an array, so an array bypass can be considered
If it is an array, it is converted to lowercase, then the file name is split on the dot and returned as an array
The last element of the array is then checked to see whether it is a legal suffix (this can be forged)
Bypass method: pass the save_name parameter in array form, as follows
In the source code, save_name is split on dots and the parts are arranged in order
If the stand-in suffix is not placed at index 2, it will be overwritten and the bypass fails
The file name is also reassembled in the source code. Normally the file name and suffix are joined by a dot
Bypass: add a slash after the file name. The back-end code then joins the file name and the stand-in suffix with a dot, and because Windows drops what follows the /, only the real file name is left
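
Read from the defending side, most of the passes above work because the server trusts a client-supplied name, suffix or path. The following PHP is an added example, not code from upload-labs or from this write-up; `safe_upload_name()` and `ALLOWED_EXT` are hypothetical names, the sample inputs are constructed, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Added example: allowlist-based name handling for an upload endpoint.
// safe_upload_name() and ALLOWED_EXT are hypothetical names, not upload-labs code.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Returns a server-generated file name for an accepted upload, or null to reject.
 * $clientName is the untrusted name from the request (file name or save_name field).
 */
function safe_upload_name(mixed $clientName): ?string
{
    // pass21: a parameter sent in array form arrives as an array; accept strings only.
    if (!is_string($clientName) || $clientName === '') {
        return null;
    }
    // pass12/13: reject NUL and other control bytes; pass9: reject ':' (stream suffix);
    // pass20/21: reject path separators. Reject rather than strip, so nothing is
    // "repaired" into a different name (the pass11 double-writing case).
    if (preg_match('/[\x00-\x1f:\/\\\\]/', $clientName)) {
        return null;
    }
    // pass5/7/8/10: a trailing dot or space is dropped by Windows on save.
    if (preg_match('/[. ]$/', $clientName)) {
        return null;
    }
    // pass3/6: compare the lower-cased extension against an allowlist, not a blacklist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // pass4 and pass12/13/20: the stored name comes from the server, so the client
    // can neither place a .htaccess file nor choose the path or suffix.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs using the name shapes described in the passes.
$samples = ['cat.png', '1.php5', '1.PhP', '1.php ', '1.php.', '1.php. .',
            '1.php::$data', '1.pphphp', "1.php\0.png", 'x.php/.', '.htaccess',
            ['x.php/', 2 => 'png']];
foreach ($samples as $s) {
    $label = is_array($s) ? 'array(save_name[])' : addcslashes($s, "\0");
    printf("%-22s => %s\n", $label, safe_upload_name($s) === null ? 'rejected' : 'accepted');
}
```

Only cat.png is accepted. Name checks do not cover pass14 to pass19: a picture with a valid suffix still passes, so those cases depend on include.php not including uploaded files and on the upload never being reachable under its temporary name.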