代码:
<?php
if (empty($_FILES['inputFile'])) {
echo json_encode(['error'=>'No files found for upload.']);
return;
}
$allowedExts = array('php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'cgi');
$success = false;
$output = '';
$file = $_FILES['inputFile'];
$filename = $file['name'];
$parts = explode('.', basename($filename));
$ext = end($parts);
$type = $file['type'];
$size = $file['size'];
if (in_array($ext, $allowedExts) || count($parts) > 2) {
$output = ['error'=>'How dare you do so???'];
} else {
if ($file['error'] > 0) {
$success = false;
$output = ['error' => $file['error']];
} else {
$target = 'uploads' . DIRECTORY_SEPARATOR . sha1(uniqid()) . '.' . $ext;
if ($fp = fopen($file["tmp_name"], 'r')) {
$table_change = array('<?'=>'');
$table_change += array('php' => '');
$table_change += array('script' => '');
$contents = fread($fp, filesize($file['tmp_name']));
fclose($fp);
$contents = strtr($contents, $table_change);
$fpw = fopen($target, 'w');
fwrite($fpw, $contents);
fclose($fpw);
}
$output = ['uploaded' => $target];
}
}
echo json_encode($output);
可以上传Php、phtm
等类型,过滤了<?php
等,但是可以使用<?Script language="Php">
来绕过过滤,然后就一句话木马即可