- Pass05
This level is clearly a step up from the previous one, but comparing the two sources shows that something has gone missing in this one.
Pass04:
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . $_FILES['upload_file']['name'];
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传!';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
```
Pass05:
```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists($UPLOAD_ADDR)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // strip trailing dots from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // remove the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {
                $img_path = $UPLOAD_ADDR . '/' . $file_name;
                $is_upload = true;
            }
        } else {
            $msg = '此文件不允许上传';
        }
    } else {
        $msg = $UPLOAD_ADDR . '文件夹不存在,请手工创建!';
    }
}
```
Auditing the two shows that Pass05 lacks the lower-case conversion step, so a case-variation bypass works: rename the webshell's extension to .phP and upload it.
- Pass06
The hint makes it obvious that this level belongs to the same series as Pass05, but this one fixes the case bypass from the previous level, so another approach is needed:
```php
$file_ext = strtolower($file_ext); // convert to lower case
```
A quick comparison shows that the whitespace trim from the previous level is gone in this one, so that is clearly the vulnerability this level wants us to exploit:
```php
$file_ext = trim($file_ext); // trim leading and trailing whitespace
```
The approach: upload the webshell file, intercept the request with Burp, and change the extension from .php to ".php " (a trailing space after the extension); the file then uploads and executes.
Why it works: the target is built on Windows, which automatically strips trailing spaces from file names. The extension seen during the upload is ".php ", which is never trimmed and therefore does not match the blacklist, so the upload completes and the file executes. Note that, because Windows strips trailing spaces automatically, the extension cannot be renamed locally beforehand when working on Windows; it has to be changed in the intercepted request with Burp.
- Pass07
Much the same idea as Pass06; the difference is that the whitespace trim from the previous level has been added back:
```php
$file_ext = strtolower($file_ext); // convert to lower case
```
But the previous level's removal of trailing dots from the file name has disappeared, and that is clearly the vulnerability this level requires us to exploit.
```php
$file_name = deldot($file_name); // strip trailing dots from the file name
```
So take the file from the previous level, follow the same procedure, and append a . instead of a space at the end; the level is solved in seconds.
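The three filter gaps in Pass05, Pass06 and Pass07, modelled side by side in Python as an added example (this is not the lab's own PHP code): each flag of `filter_ext` switches off the step one level omits, `stored_as` reproduces the Windows trailing-space/dot stripping the write-up relies on, and `allowlist_allows` is the hardened check a defender would use instead. The deny list and allow list are abbreviated, constructed sets.

```python
import re

# Constructed, abbreviated deny list (as in the lab) and the allow list a
# hardened handler would use instead.
DENY_EXT = {".php", ".php5", ".phtml", ".html", ".htaccess"}
ALLOW_EXT = {".jpg", ".png", ".gif"}


def stored_as(name: str) -> str:
    """Name as Windows stores it: trailing spaces and dots are dropped, so
    'shell.php ' and 'shell.php.' both land on disk as 'shell.php'."""
    return name.rstrip(" .")


def filter_ext(name: str, lower: bool = True, trim: bool = True,
               deldot: bool = True) -> str:
    """Extension as the lab's PHP blacklist sees it. Each flag switches off
    the step a level omits: lower (Pass05), trim (Pass06), deldot (Pass07)."""
    if trim:
        name = name.strip()          # trim($_FILES[...]['name'])
    if deldot:
        name = name.rstrip(".")      # deldot(): strip trailing dots
    dot = name.rfind(".")            # strrchr($file_name, '.')
    ext = name[dot:] if dot != -1 else ""
    if lower:
        ext = ext.lower()            # strtolower()
    ext = re.sub(r"::\$DATA", "", ext, flags=re.I)  # str_ireplace('::$DATA')
    if trim:
        ext = ext.strip()            # trim($file_ext)
    return ext


def blacklist_allows(name: str, **missing_steps: bool) -> bool:
    """The lab's check: accept anything whose filtered extension is not in
    the deny list, while the upload keeps the original, unfiltered name."""
    return filter_ext(name, **missing_steps) not in DENY_EXT


def allowlist_allows(name: str) -> bool:
    """Hardened check: judge the name the OS will actually store, run every
    normalisation step, and accept only known-safe extensions."""
    return filter_ext(stored_as(name)) in ALLOW_EXT


if __name__ == "__main__":
    for name, missing in (("shell.phP", {"lower": False}),
                          ("shell.php ", {"trim": False}),
                          ("shell.php.", {"deldot": False})):
        print(f"{name!r:14} blacklist={blacklist_allows(name, **missing)} "
              f"allowlist={allowlist_allows(name)} stored as {stored_as(name)!r}")
```

Each of the three names passes the blacklist only when its level's step is missing, yet all three become `shell.php` on disk; the allow list rejects them regardless of which normalisation steps the filter happens to include.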