文件上传的小点总结(2)

4.黑名单绕过(.htaccess方法)

源码一打开，遇到这样的黑名单是不是看的头皮发麻，这么多后缀都禁用。

.htaccess可以启用或禁用apache的功能，利用这个特点，我们可以使用该文件来禁用上述黑名单功能，从而上传**文件。

简单思路：先上传.htaccess文件，禁用掉某一功能后，再上传文件。

以下是.htaccess文件的代码：要上传什么文件就在后面写什么文件

<FilesMatch "123.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

123.jpg的文件可以简单写为：

<?php
phpinfo();
?>

上传成功后复制图片地址，访问如图：

5.大写绕过

多数文件后缀都被限制，甚至.htaccess也被限制，我们可以找找文件名处理的一些办法，与第四点的源码对比，我们可以发现，其缺少对文件转为小写的操作，于是可以通过大写后缀来绕过文件后缀限制。

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空

简单思路：开启BP，上传info.php，BP拦截成功后，将info.php改为info.PHP，如图：

复制图像链接访问如图：即上传成功。