$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        // blacklist of extensions the lab does not want stored as-is
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        // one pass: every blacklisted substring is removed, the result is never re-checked
        $file_name = str_ireplace($deny_ext, "", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // the (stripped) client-supplied name is used directly as the target path
        $img_path = UPLOAD_PATH.'/'.$file_name;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
    }
}
The core filter code has changed, but it is still a blacklist. What the core line does: any suffix that appears in the blacklist is replaced with an empty string.
Every entry of $deny_ext is replaced with nothing, so the file saved on the server keeps only its base name and loses the extension. For example, uploading 10.php shows up on the server as 10. The idea is that a file which fails the check cannot be executed even if it does reach the server!!!
$file_name = str_ireplace($deny_ext,"", $file_name);
(str_ireplace works the same way as replacing "world" with "shanghai" in a string; source of the example.)
But notice that the replacement is applied only once and is not repeated, so we can bypass it by doubling the string: with 10.pphphp, one filter pass strips a single php and what is left reassembles into 10.php.
For 10.php the filter removes php and leaves 10.; since we want 10.php to land on the server, we submit 10.pphphp instead.
http://192.168.31.33/upload-labs-master/upload/10.php
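Added example, not part of upload-labs: it runs the lab's single-pass str_ireplace filter over a few constructed file names next to an allowlist check that validates the real extension and lets the server generate the stored name, which is how this class of filter should be replaced. It assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example, not from upload-labs. Compares the lab's blacklist strip
// with an allowlist check plus a server-generated file name.

$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht",
    "jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax",
    "ascx","ashx","asmx","cer","swf","htaccess");

// The lab's filter: each needle is removed in a single pass and the
// resulting name is never checked again.
function blacklist_strip(array $deny_ext, string $name): string {
    return str_ireplace($deny_ext, "", trim($name));
}

// Defensive check (hypothetical helper): allowlist on the last extension,
// and the stored name is generated on the server, so no part of the
// client-supplied name ever reaches the filesystem.
function safe_target_name(string $client_name, array $allow_ext): ?string {
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allow_ext, true)) {
        return null;   // reject outright instead of trying to clean the name
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;   // e.g. 3f9a...c1.jpg
}

$allow_ext = array("jpg", "jpeg", "png", "gif");

// Constructed sample names: "10.php" loses its suffix, "10.pphphp" is
// reassembled into "10.php" by the blacklist, and the allowlist rejects both.
foreach (array("10.php", "10.pphphp", "10.jpg") as $n) {
    printf("%-10s blacklist-> %-8s allowlist-> %s\n",
        $n,
        blacklist_strip($deny_ext, $n),
        safe_target_name($n, $allow_ext) ?? "rejected");
}
```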