1. Blacklist bypass
<title>Image upload</title>
<body>
<form action="blacklist.php" method="POST" enctype="multipart/form-data">
    <input type="file" name="file" id="file"><br/>
    <input type="submit" name="Submit" value="Submit">
</form>
</body>

<?php
$blacklist = array('asp', 'php', 'jsp', 'php5', 'asa', 'aspx'); // blacklist
if (isset($_POST["Submit"])) {
    $name = $_FILES['file']['name'];              // accept the client-supplied file name
    $extension = substr(strrchr($name, "."), 1);  // get the extension (text after the last ".")
    $boo = false;
    // Case-sensitive exact match against the blacklist
    foreach ($blacklist as $key => $value) {
        if ($value == $extension) {
            $boo = true;
            break;
        }
    }
    if (!$boo) {
        $size = $_FILES['file']['size'];
        $tmp = $_FILES['file']['tmp_name'];
        move_uploaded_file($tmp, $name);          // stored under the client-supplied name
        echo "File uploaded success,the path is:" . $name;
    } else {
        echo "File is validate";
    }
}
?>
There are many ways to bypass a blacklist; I will introduce only one kind here.
Bypass methods:
Find an easily overlooked suffix: cer and so on;
Case bypass: only parsed on Windows;
Append a "." or a space to the file name: Windows automatically removes it, so the file resolves to the application file.
The above is just one kind; the specifics still depend on the particular environment.
2. Whitelist
<title>Image upload</title>
<body>
<form action="whitelist.php" method="POST" enctype="multipart/form-data">
    <input type="file" name="file" id="file"><br/>
    <input type="submit" name="Submit" value="Submit">
</form>
</body>

<?php
$whitelist = array('rar', 'jpg', 'png', 'bmp', 'gif', 'doc', 'txt'); // whitelist
if (isset($_POST["Submit"])) {
    $name = $_FILES['file']['name'];              // accept the client-supplied file name
    $extension = substr(strrchr($name, "."), 1);  // get the extension (text after the last ".")
    $boo = false;
    // Case-sensitive exact match against the whitelist
    foreach ($whitelist as $key => $value) {
        if ($value == $extension) {
            $boo = true;
            break;
        }
    }
    if ($boo) {
        $size = $_FILES['file']['size'];
        $tmp = $_FILES['file']['tmp_name'];
        move_uploaded_file($tmp, $name);          // stored under the client-supplied name
        echo "File uploaded success,the path is:" . $name;
    } else {
        echo "File is validate";
    }
}
?>
A whitelist bypass is usually built on a parsing vulnerability. For example, IIS 6.0 will parse 1.asp;1.jpg, so the upload can be modified in this way.
More to follow.
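As a defensive counterpart to the blacklist and whitelist handlers above, here is an added example (not code from the original page) that closes the name-based gaps both sections describe: case differences, a trailing "." or space, and names such as 1.asp;1.jpg. The directory path, the image-only allowlist and the function names safe_extension and store_upload are assumptions made for illustration.

```php
<?php
// Added example. UPLOAD_DIR, ALLOWED and both function names are hypothetical.
const UPLOAD_DIR = '/var/uploads';   // assumed: outside the web root, script execution disabled
const ALLOWED = [                    // allowed extension => expected MIME type
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

/** Returns the normalized extension, or null if the client-supplied name is unacceptable. */
function safe_extension(string $clientName): ?string
{
    // Windows drops trailing dots and spaces, so compare the name it would actually create.
    $name = rtrim(basename($clientName), ". \t");
    // Exactly one extension and a conservative character set: this rejects ";" names
    // (the IIS 6.0 "1.asp;1.jpg" form), path separators and double extensions.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)\z/', $name, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);        // compare case-insensitively
    return array_key_exists($ext, ALLOWED) ? $ext : null;
}

/** Validates and stores one $_FILES entry; returns the stored path or null. */
function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = safe_extension((string) ($file['name'] ?? ''));
    if ($ext === null) {
        return null;
    }
    // Check the content as well as the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Server-generated name: the client-supplied name never reaches the file system.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

if (isset($_POST['Submit'], $_FILES['file'])) {
    echo store_upload($_FILES['file']) !== null ? 'File stored.' : 'Upload rejected.';
}
```

Unlike the two handlers above, the response does not echo the stored path, and the file is written under a random name rather than the one the client sent.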
Upload Vulnerability--list bypass