However an exercise I do not manage to resolve, I have to bypass a check of extension of a form in PHP.
It turns out that just the extension is verified, but certain special characters are replaced what makes that even by trying the following combinations, it does not work.
test.php%00.png
test.php:.png
test.php$.png
I specify, these names of files bypass well and truly the check of files. But as this one is then renamed, he returns to the state of PNG. For example, with one of the examples higher, the file is going to be renamed as follows: 556112012015test.php-.png
The purpose is relatively simple... I am supposed to send on the server a executable file PHP. But I have to admit that I do not find. I have a part of sources to use, here is :
<?php
if (isset($_POST['upload'])) {
$taille_maxi = 10000000;
$content_dir = "./upload/";
$name_file = $_FILES['fichier']['name'];
$name_file = strtr($name_file, 'ÀÁÂÃÄÅÇÈÉÊËÌÍÎÏÒÓÔÕÖÙÚÛÜÝàáâãäåçèéêëìíîïðòóôõöùúûüýÿ', 'AAAAAACEEEEIIIIOOOOOUUUUYaaaaaaceeeeiiiioooooouuuuyy');
$name_file = preg_replace('/([^.a-z0-9]+)/i', '-', $name_file);
if (file_exists($content_dir . $name_file)) {
chmod($content_dir . $name_file, 0777);
unlink($content_dir . $name_file);
}
$tmp_file = $_FILES['fichier']['tmp_name'];
$taille = filesize($_FILES['fichier']['tmp_name']);
include_once("upload/filtre.php"); # missing part sources !
if (!move_uploaded_file($tmp_file, $content_dir . $name_file)) {
exit("unable upload image");
}
chmod($content_dir . $name_file, 0777);
$url = 'http://' . $_SERVER['SERVER_NAME'] . substr($_SERVER['REQUEST_URI'], 0, strlen($_SERVER['REQUEST_URI']) - 4) . '/' . $name_file;
echo "<a href='" . $url . "'>" . $url . "</a>";
}
?>
As it is an exercise, there is necessarily a way to exploit it. But I do not find..
Thanks,
Aucun commentaire:
Enregistrer un commentaire