upload-labs 4
A .php file cannot be uploaded.
Look at the source code.
It filters a long list of file extensions:
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
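Essentially every extension that could be used to bypass the filter and still get parsed has been blocked.
So use this one: .htaccess
Roughly, this file makes every file uploaded afterwards be interpreted as PHP:
After uploading it, upload a file with an image extension.
Then open it:
It is still parsed as an image.
Check the .htaccess configuration:
Then I checked the location:
It is correct.
My guess is that the backend checks the file header.
So use the file-header (magic bytes) trick:
Same result, it will not open.
It is probably still the same problem:
See this article: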
https://editor.youkuaiyun.com/md/?articleId=117965873
So it cannot be reproduced.
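Why the deny list above accepts a name like .htaccess, next to an allow-list check that rejects it. This is an added example, not upload-labs code: the function names, the abbreviated deny list and the sample files are constructed for illustration.

```php
<?php
// Added example (not from upload-labs). Function names are hypothetical.

// Deny-list check in the style of $deny_ext above (list abbreviated here).
function denylist_allows(string $name): bool {
    $deny_ext = [".php", ".php5", ".phtml", ".pht", ".html", ".jsp", ".asp", ".aspx", ".ini"];
    // Extension = everything from the last dot; for ".htaccess" that is the whole name.
    $ext = strtolower((string) strrchr(trim($name), "."));
    return !in_array($ext, $deny_ext, true);
}

// Allow-list check: accept only known image extensions, refuse dotfiles,
// and never keep the client-supplied name. Returns the name to store, or null.
function allowlist_store_name(string $name, string $tmpPath): ?string {
    $allowed = ["jpg" => IMAGETYPE_JPEG, "jpeg" => IMAGETYPE_JPEG,
                "png" => IMAGETYPE_PNG,  "gif"  => IMAGETYPE_GIF];
    $base = basename(trim($name));
    if ($base === "" || $base[0] === ".") {
        return null;                       // dotfiles such as .htaccess
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                       // anything not explicitly allowed
    }
    // Header sanity check only: it reads the image header, so it does not
    // prove the rest of the file is harmless. The extension allow-list and
    // the server-chosen name are what stop the file from being parsed as code.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return null;
    }
    return bin2hex(random_bytes(16)) . "." . $ext;
}

// Constructed sample input: a 1x1 GIF written to a temp file.
$tmp = tempnam(sys_get_temp_dir(), "up");
file_put_contents($tmp, base64_decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"));

foreach ([".htaccess", "test.php", "photo.gif"] as $n) {
    printf("%-10s deny-list: %-6s  allow-list: %s\n", $n,
        denylist_allows($n) ? "accept" : "reject",
        allowlist_store_name($n, $tmp) === null ? "reject" : "accept");
}
unlink($tmp);
```

On Apache, serving the upload directory with `AllowOverride None` additionally keeps any .htaccess that does land there from being honoured.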