To write file upload vulnerability code, you need some understanding of the $_FILES array: https://wenku.baidu.com/view/10496f95dd88d0d233d46aa6.html
① This is a simple file upload (I wrote it to get familiar with the statements, and having written it I still wanted to play with it). I uploaded a file with a .php suffix to see whether it would succeed; a casual try, and it succeeded.
Check whether it succeeded.
②: This is the file type filter (as written, only image/jpeg is allowed).
The first attempt to upload a file with the .php suffix directly does not work. After testing, it turned out to be MIME verification: capture the request, change the Content-Type, and, emmm, the result is as follows.
Code ①:
<title>uploadfiletest</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<body>
<form action="" enctype="multipart/form-data" method="POST" name="uploadfile">
Upload file: <input type="file" name="upfile"/>
<input type="submit" value="upload" name="submit">
</form>
</body>
<!-- completely unfiltered, any file upload -->
<?php
if (isset($_POST['submit'])) {
    // Show everything PHP recorded about the upload
    echo "file name: " . $_FILES['upfile']['name'] . "<br/>";
    echo "file size: " . $_FILES['upfile']['size'] . "<br/>";
    echo "file type: " . $_FILES['upfile']['type'] . "<br/>";
    echo "temporary path: " . $_FILES['upfile']['tmp_name'] . "<br/>";
    echo "system return value after upload: " . $_FILES['upfile']['error'] . "<br/>";
    echo "==================== Save Split Line ========================<br/>";
    if ($_FILES['upfile']['error'] == 0) {
        if (!is_dir("./upload")) {
            mkdir("./upload");
        }
        // The client-supplied file name is used unchanged (no filtering at all)
        $dir = "./upload/" . $_FILES['upfile']['name'];
        move_uploaded_file($_FILES['upfile']['tmp_name'], $dir);
        echo "file save path: " . $dir . "<br/>";
        echo "upload successful ... <br/>";
    }
}
?>
Code ②:
<title>uploadfile</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

<body>
<form action="" enctype="multipart/form-data" method="POST" name="uploadfile">
Upload file: <input type="file" name="upfile"/>
<input type="submit" value="upload" name="submit">
</form>
</body>

<!-- filter by file type -->
<?php
if (isset($_POST['submit'])) {

    /*echo "file name: " . $_FILES['upfile']['name'] . "<br/>";
    echo "file size: " . $_FILES['upfile']['size'] . "<br/>";
    echo "file type: " . $_FILES['upfile']['type'] . "<br/>";
    echo "temporary path: " . $_FILES['upfile']['tmp_name'] . "<br/>";
    echo "system return value after uploading: " . $_FILES['upfile']['error'] . "<br/>";
    echo "===========================================<br/>";*/
    $flag = 0;
    // The only check: the MIME type that arrived with the request
    switch ($_FILES['upfile']['type']) {
        case 'image/jpeg':
            $flag = 1;
            break;
        default:
            die("file type error ...");
            break;
    }
    if ($_FILES['upfile']['error'] == 0 && $flag) {
        if (!is_dir("./upload")) { // returns TRUE if the file name exists and is a directory
            mkdir("./upload");
        }
        $dir = "./upload/" . $_FILES['upfile']['name'];
        move_uploaded_file($_FILES['upfile']['tmp_name'], $dir);
        echo "file save path: " . $dir . "<br/>";
        echo "upload successful ... <br/>";
    }
}
?>
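A hardened counterpart to Code ②, added here as an example (it is not code from the original post): it ignores the request-supplied type and file name, detects the type from the file's bytes, and stores the upload under a server-chosen name. The function name store_jpeg_upload() is hypothetical, and the code assumes PHP 7 or later with the fileinfo extension enabled.

```php
<?php
// Added example, not the original author's code. store_jpeg_upload() and the
// ./upload default are assumptions made for illustration.

/**
 * Validate one $_FILES entry and store it under a server-chosen name.
 * Returns the saved path; throws RuntimeException when the upload is rejected.
 */
function store_jpeg_upload(array $file, string $destDir = './upload'): string
{
    // 1. Check the upload error code before touching anything else.
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // 2. Only accept a temp path that PHP created for this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // 3. $file['type'] is copied from the request, so it is not consulted.
    //    The type is detected from the file's own bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        throw new RuntimeException('file type error');
    }
    // 4. $file['name'] is never reused: a random name with a fixed extension
    //    keeps ".php" and "../" from the client away from the filesystem.
    if (!is_dir($destDir) && !mkdir($destDir, 0750)) {
        throw new RuntimeException('cannot create upload directory');
    }
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store upload');
    }
    return $dest;
}

if (isset($_POST['submit'], $_FILES['upfile'])) {
    try {
        $saved = store_jpeg_upload($_FILES['upfile']);
        echo 'file save path: ' . htmlspecialchars($saved) . '<br/>';
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage()) . '<br/>';
    }
}
```

Content detection alone can be satisfied by a file that merely begins with JPEG bytes; the fixed .jpg extension and server-chosen name are what keep the stored file from being interpreted as PHP. Serving the upload directory with script execution disabled, or keeping it outside the web root, adds a further layer.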
Lessons learned:
1. The enctype="multipart/form-data" attribute on the form sets the MIME encoding of the form data. By default the encoding is application/x-www-form-urlencoded, which cannot be used for file upload; only multipart/form-data can transfer the file data needed for the operations described here.
2. Use of the $_FILES array:
$_FILES['upfile']['name']: the original name of the file on the client
$_FILES['upfile']['type']: the MIME type of the file, which requires the browser to provide this information, such as "image/gif"
$_FILES['upfile']['size']: the size of the uploaded file, in bytes
$_FILES['upfile']['tmp_name']: the temporary file name under which the uploaded file is stored on the server. It is generally the system default; it can be specified with upload_tmp_dir in php.ini, but setting it with the putenv() function does not work
$_FILES['upfile']['error']: the error code related to the file upload. ['error'] was added in PHP 4.2.0; the following is its description (they became constants after PHP3.0):
UPLOAD_ERR_OK value: 0; no error occurred, file upload succeeded
UPLOAD_ERR_INI_SIZE value: 1; the uploaded file exceeds the limit set by the upload_max_filesize option in php.ini
UPLOAD_ERR_FORM_SIZE value: 2; the size of the uploaded file exceeds the value specified by the MAX_FILE_SIZE option in the HTML form
UPLOAD_ERR_PARTIAL value: 3; the file was only partially uploaded
UPLOAD_ERR_NO_FILE value: 4; no file was uploaded
value: 5; upload file size is 0
File upload: no filtering + MIME