文件上传漏洞（upload-labs）

目录

Pass-01(前端绕过)

（1）JavaScript

（2）Burpsuite（改后缀）

Pass-02（IMME类型 ）

burpsuite（改文件类型）

Pass-03（黑名单绕过）

修改后缀

Pass-04（.htaccess）

.htaccess

Pass-05（文件后缀绕过）

burpsuite（. .绕过）

Pass-06（文件后缀绕过）

大小写绕过

Pass-07（）

burpsuite（空格绕过）

Pass-08（文件后缀绕过）

burpsuite（. 绕过 ）

Pass-09（文件后缀绕过）

burpsuite（::$DATA 特殊符号绕过 ）

Pass-10（文件后缀绕过）

burpsuite（. .绕过）

Pass-11（文件后缀绕过）

双写绕过

Pass-12（白名单绕过）

%00截断（GET型）

​编辑

Pass-13（白名单绕过）

%00截断（POST型）

Pass-14（文件包含 ）

图片马

Pass-15（文件包含）图片马

Pass-16（文件包含）图片马

Pass-17（二次渲染绕过）

---

Pass-01(前端绕过)

首先，尝试上传一个php文件

内容为：<?php phpinfo(); ?>

我们可以看到它不允许上传.php文件，只能上传.jpg|.png|.gif类型的文件

function checkFile() {var file = document.getElementsByName('upload_file')[0].value;if (file == null || file == "") {alert("请选择要上传的文件!");return false;}//定义允许上传的文件类型var allow_ext = ".jpg|.png|.gif";//提取上传文件的类型var ext_name = file.substring(file.lastIndexOf("."));//判断上传文件类型是否允许上传if (allow_ext.indexOf(ext_name + "|") == -1) {var errMsg = "该文件不允许上传，请上传" + allow_ext + "类型的文件,当前文件类型为：" + ext_name;alert(errMsg);return false;}
}

其次，我们通过查看源码发现，它只是在前端页面对输入的文件进行检查，所以我们有以下两种方法解决：

（1）JavaScript

设置→隐私与安全→网站设置→JavaScript→不允许网站使用 JavaScript

测试：在清空上传文件并刷新网页后，我们重新上传成功，但因为不是图片所以无法显示，我们通过“在新标签页中打开图片”就可以看到上传成功

（2）Burpsuite（改后缀）

用抓包工具Burpsuite对上传的包进行改包

将.php文件改为.jpg|.png|.gif类型的文件,打开burpsuite、代理（8080），上传文件

在repeater中修改文件后缀为.php后send，我们可以在response中查看到.php文件

结果：在上传文件中我们查看到shell.php文件上传成功

Pass-02（IMME类型 ）

我们尝试用.php文件上传，显示文件类型不正确，所以我们可以直接用bs来解决

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name']            if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '文件类型不正确，请重新上传！';}} else {$msg = UPLOAD_PATH.'文件夹不存在,请手工创建！';}
}

burpsuite（改文件类型）

上传.php文件，用burpsuite抓包，修改文件类型

找到文件类型将application改为image/png，然后send

multipart/form-data：一般用于文件上传；又是一个常见的 POST 数据提交的方式。与application/x-www-form-urlencoded不同，这是一个多部分多媒体类型。application/x-www-form-urlencoded：最常见的 POST 提交数据的方式，一般用于表单提交。application/json：服务端/客户端会按json格式解析数据。需要参数本身就是json格式的数据，参数会被直接放到请求实体里，不进行任何处理

结果：在上传文件中我们查看到shell.php文件上传成功

Pass-03（黑名单绕过）

修改后缀

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array('.asp','.aspx','.php','.jsp');$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if(!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;            if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '不允许上传.asp,.aspx,.php,.jsp后缀文件！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

通过查看源码，我们得到.asp .aspx .php .jsp都被不允许，并且对一些特殊字符进行过滤，所以我们可以上传一些没有限制的后缀，如：php3 php4 php5 phtml的文件进行上传

结果：成功上传，但是还是没有成功解析

建议用apache/php最低版本

Pass-04（.htaccess）

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //收尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件不允许上传!';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

查看源码我们得到它过滤了很多后缀，但是.htaccess没有过滤

.htaccess

.htaccess是apache的根目录的配置文件，该配置文件是用来做伪静态的

伪静态就比如你不想让别人知道你上传的.php文件，那么就将.php文件伪装成.html文件

我们可以创建一个.htaccess文件，在该文件中写入一个规则，如下，然后上传一个.jpg文件

AddType application/x-httpd-php .jpg#无论什么文件只要包含了jpg都视为php来解析

最后访问该图片就可以成功的将jpg文件当做php文件解析

Pass-05（文件后缀绕过）

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

通过查看源码，我们可知连.htaccess也过滤了，但它对文件的末尾点只限制了一次，所以我们可以双写“.”来绕过

burpsuite（. .绕过）

首先上传一个.php文件，抓包（可以drop放一下）

其次在request中修改后缀为.php. .来绕过

结果：在上传文件中我们查看到shell.php文件上传成功

Pass-06（文件后缀绕过）

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

通过查看源码，我们可知第6关没有第5关的大小写过滤，所以我们可以通过大小写绕过

大小写绕过

 $file_ext = strtolower($file_ext); //转换为小写

结果：解析成功

Pass-07（）

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");$file_name = $_FILES['upload_file']['name'];$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATAif (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file,$img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件不允许上传';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

通过查看源码，我们发现相比上一关它少了个去空格的操作，所以我们可以通过用burp suite抓包在首尾添加空格

$file_ext = trim($file_ext); //首尾去空注：window下，文件后缀有空格\点（.）\::$DATA，都会自动去掉，而linux下不会，因此这种绕过方式只能在windows中使用

burpsuite（空格绕过）

上传.php文件，抓包，首尾添加空格后send

结果：在上传文件中我们查看到shell.php文件上传成功

Pass-08（文件后缀绕过）

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");$file_name = trim($_FILES['upload_file']['name']);$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

通过查看源码，我们发现它少了文件名末尾的点的过滤，所以我们可以通过在末尾加一个“.”来绕过

$file_name = deldot($file_name);//删除文件名末尾的点

burpsuite（. 绕过 ）

上传.php文件，抓包，添加“.”后send

结果：在上传文件中我们查看到shell.php文件上传成功

Pass-09（文件后缀绕过）

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

通过查看源码，我们发现它少了字符串::$DATA的过滤，所以我们可以通过在末尾加一个“::$DATA”来绕过

$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

burpsuite（::$DATA 特殊符号绕过 ）

上传.php文件，抓包，添加“::$DATA”后send

结果：在上传文件中我们查看到shell.php文件上传成功

Pass-10（文件后缀绕过）

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");$file_name = trim($_FILES['upload_file']['name']);$file_name = deldot($file_name);//删除文件名末尾的点$file_ext = strrchr($file_name, '.');$file_ext = strtolower($file_ext); //转换为小写$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA$file_ext = trim($file_ext); //首尾去空if (!in_array($file_ext, $deny_ext)) {$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = '此文件类型不允许上传！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

通过查看源码，我们可知同第5关一样，它对文件的末尾点只限制了一次，所以我们可以双写“.”来绕过

burpsuite（. .绕过）

我们通过上传一个.php文件，抓包，后缀添加“. .”来绕过

结果：在上传文件中我们查看到shell.php文件上传成功

Pass-11（文件后缀绕过）

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {if (file_exists(UPLOAD_PATH)) {$deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess","ini");$file_name = trim($_FILES['upload_file']['name']);$file_name = str_ireplace($deny_ext,"", $file_name);$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = UPLOAD_PATH.'/'.$file_name;        if (move_uploaded_file($temp_file, $img_path)) {$is_upload = true;} else {$msg = '上传出错！';}} else {$msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';}
}

通过查看源码，我们可得通过双写来绕过，我们直接上传.pphphp这样的文件，使其删除一次后恢复为正确的文件后缀进行绕过

双写绕过

结果：.php文件在新标签页中正常解析

Pass-12（白名单绕过）

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){$ext_arr = array('jpg','png','gif');$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);if(in_array($file_ext,$ext_arr)){$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = '上传出错！';}} else{$msg = "只允许上传.jpg|.png|.gif类型文件！";}
}

通过查看源码，我们可知它只允许上传.jpg|.png|.gif类型文件，但是我们的上传路径是可控的（通过GET方式传参），所以我们可以使用%00截断来绕过

%00截断（GET型）

上传.jpg文件，抓包，修改上传路径后send

注：这种漏洞仅存在于php5.2中

Pass-13（白名单绕过）

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){$ext_arr = array('jpg','png','gif');$file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);if(in_array($file_ext,$ext_arr)){$temp_file = $_FILES['upload_file']['tmp_name'];$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = "上传失败";}} else {$msg = "只允许上传.jpg|.png|.gif类型文件！";}
}

通过查看源码，我们可知它与第12关相同，但是它是通过POST方式传参，所以我们也使用%00截断来绕过

%00截断（POST型）

上传.jpg文件，抓包，修改上传路径后send

上传路径不能像GET那样写，我们可以通过十六进制来改写，查看时可以点\n则可以看到\0

同理：这种漏洞仅存在于php5.2中

Pass-14（文件包含 ）

​
上传图片马到服务器。注意：1.保证上传后的图片马中仍然包含完整的一句话或webshell代码。2.使用文件包含漏洞能运行图片马中的恶意代码。3.图片马要.jpg,.png,.gif三种后缀都上传成功才算过关！function getReailFileType($filename){$file = fopen($filename, "rb");$bin = fread($file, 2); //只读2字节fclose($file);$strInfo = @unpack("C2chars", $bin);    $typeCode = intval($strInfo['chars1'].$strInfo['chars2']);    $fileType = '';    switch($typeCode){      case 255216:            $fileType = 'jpg';break;case 13780:            $fileType = 'png';break;        case 7173:            $fileType = 'gif';break;default:            $fileType = 'unknown';}    return $fileType;
}$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){$temp_file = $_FILES['upload_file']['tmp_name'];$file_type = getReailFileType($temp_file);if($file_type == 'unknown'){$msg = "文件未知，上传失败！";}else{$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$file_type;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = "上传出错！";}}
}

查看源码和提示我们只能读取内容的开头的两个字节，并且只能上传图片，那么我们就可以尝试使用图片马的方式

图片马

将一句话木马与图片进行融合

\Desktop>copy lyy.png /b + shell.php /a test.png

可以用记事本打开检查末尾是否包含

上传文件复制图片地址，点击“文件包含漏洞”补全url访问（失败了可以换图再尝试）

http://10.10.155.236/uploadlabs/include.php?file=http://10.10.155.236/uploadlabs/upload/7520250308223010.png

成功：

Pass-15（文件包含）图片马

function isImage($filename){$types = '.jpeg|.png|.gif';if(file_exists($filename)){$info = getimagesize($filename);$ext = image_type_to_extension($info[2]);if(stripos($types,$ext)>=0){return $ext;}else{return false;}}else{return false;}
}$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){$temp_file = $_FILES['upload_file']['tmp_name'];$res = isImage($temp_file);if(!$res){$msg = "文件未知，上传失败！";}else{$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").$res;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = "上传出错！";}}
}

本关与上一关类似，只是判断文件的函数方法略有区别，也可以通过图片马进行访问

getimagesize() 是 PHP 中用于获取图像尺寸和类型的函数。它返回一个包含图像信息的数组，如果图像文件不存在或无法读取，getimagesize() 会返回 false

方法同上，上传图片马

Pass-16（文件包含）图片马

function isImage($filename){//需要开启php_exif模块$image_type = exif_imagetype($filename);switch ($image_type) {case IMAGETYPE_GIF:return "gif";break;case IMAGETYPE_JPEG:return "jpg";break;case IMAGETYPE_PNG:return "png";break;    default:return false;break;}
}$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){$temp_file = $_FILES['upload_file']['tmp_name'];$res = isImage($temp_file);if(!$res){$msg = "文件未知，上传失败！";}else{$img_path = UPLOAD_PATH."/".rand(10, 99).date("YmdHis").".".$res;if(move_uploaded_file($temp_file,$img_path)){$is_upload = true;} else {$msg = "上传出错！";}}
}

这关和之前两个也类似，仅仅是使用函数变化，原理相同，用之前的图片马上传+文件包含漏洞即可利用

exif_imagetype() 是 PHP 中用于快速确定图像类型的函数。它通过读取图像文件的前几个字节来检测图像的类型，并返回一个与图像类型对应的常量值

Pass-17（二次渲染绕过）

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])){// 获得上传文件的基本信息，文件名，类型，大小，临时文件路径$filename = $_FILES['upload_file']['name'];$filetype = $_FILES['upload_file']['type'];$tmpname = $_FILES['upload_file']['tmp_name'];$target_path=UPLOAD_PATH.'/'.basename($filename);// 获得上传文件的扩展名$fileext= substr(strrchr($filename,"."),1);//判断文件后缀与类型，合法才进行上传操作if(($fileext == "jpg") && ($filetype=="image/jpeg")){if(move_uploaded_file($tmpname,$target_path)){//使用上传的图片生成新的图片$im = imagecreatefromjpeg($target_path);if($im == false){$msg = "该文件不是jpg格式的图片！";@unlink($target_path);}else{//给新图片指定文件名srand(time());$newfilename = strval(rand()).".jpg";//显示二次渲染后的图片（使用用户上传图片生成的新图片）$img_path = UPLOAD_PATH.'/'.$newfilename;imagejpeg($im,$img_path);@unlink($target_path);$is_upload = true;}} else {$msg = "上传出错！";}}else if(($fileext == "png") && ($filetype=="image/png")){if(move_uploaded_file($tmpname,$target_path)){//使用上传的图片生成新的图片$im = imagecreatefrompng($target_path);if($im == false){$msg = "该文件不是png格式的图片！";@unlink($target_path);}else{//给新图片指定文件名srand(time());$newfilename = strval(rand()).".png";//显示二次渲染后的图片（使用用户上传图片生成的新图片）$img_path = UPLOAD_PATH.'/'.$newfilename;imagepng($im,$img_path);@unlink($target_path);$is_upload = true;               }} else {$msg = "上传出错！";}}else if(($fileext == "gif") && ($filetype=="image/gif")){if(move_uploaded_file($tmpname,$target_path)){//使用上传的图片生成新的图片$im = imagecreatefromgif($target_path);if($im == false){$msg = "该文件不是gif格式的图片！";@unlink($target_path);}else{//给新图片指定文件名srand(time());$newfilename = strval(rand()).".gif";//显示二次渲染后的图片（使用用户上传图片生成的新图片）$img_path = UPLOAD_PATH.'/'.$newfilename;imagegif($im,$img_path);@unlink($target_path);$is_upload = true;}} else {$msg = "上传出错！";}}else{$msg = "只允许上传后缀为.jpg|.png|.gif的图片文件！";}
}

imagecreatefromgif（）函数：会将上传的图片中的内容打乱，（则一句话木马也被打乱）生成 一张新的图片，但是看不出来改变了

将图片马上传成功后下载下来，进行对比，找到文件前后内部编码没有改变的部分，然后我们在上传前文件中没有改变部分中加入代码

可以借用工具（如：winhex（不怎么好用））