1.js
验证修改js
2.后缀名黑名单比如:
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
语言可解析后缀
|asp/aspx|asp,aspx,asa,asax,ascx,ashx,asmx,cer,aSp,aSpx,aSa,aSax,aScx,aShx,aSmx,cEr| |php|php,php5,php4,php3,php2,pHp,pHp5,pHp4,pHp3,pHp2,html,htm,phtml,pht,Html,Htm,pHtml| |jsp|jsp,jspa,jspx,jsw,jsv,jspf,jtml,jSp,jSpx,jSpa,jSw,jSv,jSpf,jHtml|
大小写,双写替换,加空格 test.php空格
3.后缀名白名单%00 截断 绕过白名单
双重扩展来上传文件(shell.jpg.php)。
- MIMETYPE 类型检查content-type 校验
5.头文件检查 IF89a 判断是否是图片文件
6.命名规则
(1)上传不符合windows文件命名规则的文件名
test.asp.
test.asp(空格)
test.php:1.jpg
test.php::$DATA
shell.php::$DATA…….
会被windows系统自动去掉不符合规则符号后面的内容。
(2)linux下后缀名大小写
在linux下,如果上传php不被解析,可以试试上传pHp后缀的文件名。
7.解析漏洞x.php.zz.xx apache 会从右到左解析直到遇到能解析的后缀
1.IIS6.0在解析asp时有两个解析漏洞,一个是如果任意目录名包含.asp字符串,那么这个目录下的所有文件都会按照asp去解析,另一个是文件名中含有asp;就会优先当作asp来解析
2.IIS7.0/7.5对php解析有类似Nginx的解析漏洞只要对任意文件名在url后面追加上字符串/任意文件名.php就会按照php去解析