1. MIME overview
Lookup reference:
https://www.w3school.com.cn/media/media_mimeref.asp
2. Vulnerable source code
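<?php
/**
 * Created by 独自等待
 * Date: 14-1-22
 * Time: 8:35 PM
 * Name: upload2.php
 * 独自等待's blog: http://www.waitalone.cn/
 */
// File upload vulnerability demo script: MIME validation
$uploaddir = 'uploads/';
if (isset($_POST['submit'])) {
    if (file_exists($uploaddir)) {
        // Vulnerable check: $_FILES['upfile']['type'] is the Content-Type value
        // sent by the client in the multipart request, not a property of the file.
        if (($_FILES['upfile']['type'] == 'image/gif') || ($_FILES['upfile']['type'] == 'image/jpeg') ||
            ($_FILES['upfile']['type'] == 'image/png') || ($_FILES['upfile']['type'] == 'image/bmp')
        ) {
            // The client-supplied file name (including its extension) is kept as-is.
            if (move_uploaded_file($_FILES['upfile']['tmp_name'], $uploaddir . '/' . $_FILES['upfile']['name'])) {
                // Message: "File uploaded successfully, saved at:"
                echo '文件上传成功,保存于:' . $uploaddir . $_FILES['upfile']['name'] . "\n";
            }
        } else {
            // Message: "Incorrect file type, please upload again!"
            echo '文件类型不正确,请重新上传!' . "\n";
        }
    } else {
        // Message: "folder does not exist, please create it manually!"
        exit($uploaddir . '文件夹不存在,请手工创建!');
    }
    //print_r($_FILES);
}
?>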
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=gbk"/>
<meta http-equiv="content-language" content="zh-CN"/>
<title>文件上传漏洞演示脚本--MIME验证实例</title>
</head>
<body>
<h3>文件上传漏洞演示脚本--MIME验证实例</h3>
<form action="" method="post" enctype="multipart/form-data" name="upload">
请选择要上传的文件:<input type="file" name="upfile"/>
<input type="submit" name="submit" value="上传"/>
</form>
</body>
</html>
3. Uploading a PHP file is rejected by the type check
4. Upload again and capture the request with Burp
5. Modify the file type
The content type of an image file
Change the content type of the uploaded file upload.php
The upload succeeds
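A hardened counterpart to upload2.php, added here as an example (it is not the original author's code): it ignores the client-supplied $_FILES['upfile']['type'], detects the type from the file's bytes with finfo, and stores the file under a server-generated name whose extension comes from the allowlist. The function names, the 2 MB size limit and the extra image/x-ms-bmp entry are assumptions made for this example.

```php
<?php
// Added example, not from the original page. Assumes PHP 7.1+ with the fileinfo extension.
// detect_allowed_ext(), store_image_upload() and the 2 MB limit are hypothetical choices.

const ALLOWED_TYPES = [
    'image/gif'      => 'gif',
    'image/jpeg'     => 'jpg',
    'image/png'      => 'png',
    'image/bmp'      => 'bmp',
    'image/x-ms-bmp' => 'bmp', // name reported for BMP by older libmagic databases
];

function detect_allowed_ext(string $path): ?string
{
    // Inspect the file's bytes; never the Content-Type sent in the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return ($mime !== false && isset(ALLOWED_TYPES[$mime])) ? ALLOWED_TYPES[$mime] : null;
}

function store_image_upload(array $file, string $uploaddir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('invalid upload');
    }
    $ext = detect_allowed_ext($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('file content is not an allowed image type');
    }
    // Server-generated name: the client's file name and extension are discarded,
    // so a request that claims image/jpeg for a .php file cannot leave a .php on disk.
    $target = rtrim($uploaddir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

if (isset($_POST['submit'], $_FILES['upfile'])) {
    try {
        echo 'Saved as: ' . htmlspecialchars(store_image_upload($_FILES['upfile'], 'uploads/')) . "\n";
    } catch (RuntimeException $e) {
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage()) . "\n";
    }
}
```

Content sniffing alone can be satisfied by a file that begins with valid image bytes, which is why the stored extension comes from the allowlist rather than from the request. The upload directory should also be served with script execution disabled.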