PHP代码审计-File Upload-dvwa靶场

执行

<html>
<head></head>
<body>
<form enctype="multipart/form-data" action="high.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
	Choose an image to upload:<br /><br />
	<input name="uploaded" type="file" /><br/>
	<br />
	<input type="submit" name="upload" value="upload" />
</form>
</body>

</html>

low

<?php
 if(isset($_POST['upload'])){
 	$target_path = "./";
 	$target_path .= basename($_FILES['uploaded']['name']);
 	echo $target_path."<br>";
 if(!move_uploaded_file($_FILES['uploaded']['tmp_name'],$target_path)){
 	echo "上传失败";
 }else{
 	echo "{$target_path}上传成功";
 }
 }
?>

medium

<?php
 if(isset($_POST['upload'])){
 	$target_path = "./";
 	$target_path .= basename($_FILES['uploaded']['name']);
 	$uploaded_name = $_FILES['uploaded']['name'];
 	$uploaded_type = $_FILES['uploaded']['type'];
 	if(($uploaded_type == "image/jpeg") || ($uploaded_type == "image/png")){
		if(!move_uploaded_file($_FILES['uploaded']['tmp_name'],$target_path)){
	 		echo "上传失败";
	 	}else{
	 		echo "{$target_path}上传成功";
	 	}
}else{
	echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
	}
}
?>

high

<?php
 if(isset($_POST['upload'])){
 	$target_path = "./";
 	$target_path .= basename($_FILES['uploaded']['name']);
 	$uploaded_name = $_FILES['uploaded']['name'];
 	$uploaded_ext = substr($uploaded_name,strrpos($uploaded_name,'.')+1);
 	echo $uploaded_ext;
 	$uploaded_type = $_FILES['uploaded']['type'];
 	$uploaded_tmp = $_FILES['uploaded']['tmp_name'];
 	if((strtolower($uploaded_ext) == "jpg" || strtolower($uploaded_ext) == "jpeg" || strtolower($uploaded_ext) == "png") && getimagesize($uploaded_tmp) ){
	 	if(($uploaded_type == "image/jpeg") || ($uploaded_type == "image/png")){
			if(!move_uploaded_file($_FILES['uploaded']['tmp_name'],$target_path)){
		 		echo "上传失败";
		 	}else{
		 		echo "{$target_path}上传成功";
		 	}
		}else{
			echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
		}
 	}else{
 		 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
 	}

}
?>

PHP知识点

basename() 函数返回路径中的文件名部分。
move_uploaded_file() 函数将上传的文件移动到新位置。若成功,则返回 true,否则返回 false。
语法
move_uploaded_file(file,newloc)
参数	描述
file	必需。规定要移动的文件。
newloc	必需。规定文件的新位置。
PHP Filesystem 函数 $file https://www.cnblogs.com/laijinquan/p/8682282.html
PHP substr()
PHP strrpos() 查找 "php" 在字符串中最后一次出现的位置:

定义和用法
strrpos() 查找字符串在另一字符串中最后一次出现的位置。strrpos() 对大小写敏感。
PHP strtolower()  把所有字符转换为小写:
PHP uniqid() 基于以微秒计的当前时间,生成一个唯一的 ID。
posted @ 2021-01-25 15:44  renblog  阅读(118)  评论(0编辑  收藏  举报