文件解析漏洞导致文件执行
文件路径截断
0x03 文件上传实例(本地测试)
裸体的文件上传
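<!DOCTYPE html>
<html>
<head>
<!-- The charset declaration belongs inside <head>, ahead of the non-ASCII title text. -->
<meta charset="utf-8">
<title>文件信息</title>
</head>
<body>
<!-- Multipart POST back to this same script (empty action). The PHP handler
     that follows reads the file from $_FILES['upfile'] and runs only when the
     'submit' field is present in the POST data. -->
<form action="" enctype="multipart/form-data" method="POST" name="uploadfile">
上传文件: <input type="file" name="upfile" />
<input type="submit" value="上传" name="submit">
</form>
</body>
</html>
<!-- No filtering at all: arbitrary file upload (local-test demonstration).
     In the visible part of the handler below, the only check is the upload
     error code; the file is then moved to ./upload/ under the client-supplied
     name, so neither the extension nor the content is validated. The 'type'
     value it prints is also supplied by the client and proves nothing about
     the file. A hardened handler would generate the stored name on the server,
     allow-list extensions, and keep the upload directory non-executable or
     outside the web root. -->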
<?php
if
(isset(
$_POST
[
'submit'
])) {
var_dump(
$_FILES
[
'upfile'
]);
echo
"文件名:"
.
$_FILES
[
'upfile'
][
'name'
].
"<br />"
;
echo
"文件大小:"
.
$_FILES
[
'upfile'
][
'size'
].
"<br />"
;
echo
"文件类型:"
.
$_FILES
[
'upfile'
][
'type'
].
"<br />"
;
echo
"临时路径:"
.
$_FILES
[
'upfile'
][
'tmp_name'
].
"<br />"
;
echo
"上传后系统返回值:"
.
$_FILES
[
'upfile'
][
'error'
].
"<br />"
;
echo
"====================保存分各线
========================<br />"
;
if
(
$_FILES
[
'upfile'
][
'error'
] == 0) {
if
(!
is_dir
(
"./upload"
)) {
mkdir
(
"./upload"
);
}
$dir
=
"./upload/"
.
$_FILES
[
'upfile'
][
'name'
];
move_uploaded_file(
$_FILES
[
'upfile'
][
'tmp_name'
],
$dir
);
echo
"文件保存路径:"
.
$dir
.
"<br />"
;