16.上傳繞過

標籤：web安全   php   http   

題名很直接，就知道是上傳通過了：

    首先，我們先隨便上傳應該PHP一句話過去試一試

    650) this.width=650;" src="https://s2.51cto.com/wyfs02/M00/9D/60/wKioL1l_ETqSILqEAAAxweQXE_g946.png-wh_500x0-wm_3-wmp_4-s_396352146.png" title="1.png" alt="wKioL1l_ETqSILqEAAAxweQXE_g946.png-wh_50" />

    果然沒那麼簡單。。。

    650) this.width=650;" src="https://s5.51cto.com/wyfs02/M01/9D/60/wKiom1l_EV6DSmsaAAATf8LA9GQ544.png-wh_500x0-wm_3-wmp_4-s_3214436928.png" title="2.png" alt="wKiom1l_EV6DSmsaAAATf8LA9GQ544.png-wh_50" />

    那麼我們就按部就班的來，給他在加應該尾碼

    650) this.width=650;" src="https://s1.51cto.com/wyfs02/M00/9D/60/wKiom1l_EarQKvxZAAAQjGVHCMc454.png-wh_500x0-wm_3-wmp_4-s_9182705.png" title="3.png" alt="wKiom1l_EarQKvxZAAAQjGVHCMc454.png-wh_50" />

    變成了圖片上傳試一試

    650) this.width=650;" src="https://s3.51cto.com/wyfs02/M00/9D/60/wKioL1l_Eh-BwA-GAAApf7scC2A761.png-wh_500x0-wm_3-wmp_4-s_1954855858.png" title="4.png" alt="wKioL1l_Eh-BwA-GAAApf7scC2A761.png-wh_50" />

    發現還要PHP尾碼，我們嘗試抓包00截斷來繞過

    650) this.width=650;" src="https://s3.51cto.com/wyfs02/M00/9D/60/wKioL1l_F5uQrL_DAACNml00u4Q948.png-wh_500x0-wm_3-wmp_4-s_168836718.png" title="5.png" alt="wKioL1l_F5uQrL_DAACNml00u4Q948.png-wh_50" />

    發現這裡沒成功，如何嘗試偽造路徑截斷

    650) this.width=650;" src="https://s5.51cto.com/wyfs02/M02/9D/60/wKioL1l_GHHjkbpmAACiP1OK0pI698.png-wh_500x0-wm_3-wmp_4-s_1067828764.png" title="6.png" alt="wKioL1l_GHHjkbpmAACiP1OK0pI698.png-wh_50" />

    成功！

    00截斷不懂的同學，去百度查查去

本文出自 “11846238” 部落格，請務必保留此出處http://11856238.blog.51cto.com/11846238/1952462

16.上傳繞過