00 (null byte) truncation (CVE-2015-2348)

References

Conditions for exploitation

  • PHP 5.4.x <= 5.4.39
  • PHP 5.5.x <= 5.5.23
  • PHP 5.6.x <= 5.6.7
  • The destination path passed to move_uploaded_file is taken from $_REQUEST, $_POST or $_GET

Exploitation

The following upload handler is deliberately vulnerable: the destination path is built from the client-controlled $_POST['address'], so on the PHP versions listed above a NUL byte inside it truncates the path and the extension appended by the script is discarded.

<?php
error_reporting(0);

// Extension is taken from the client-supplied filename.
$upload_name = $_FILES['file']['name'];
$type = substr($upload_name, strrpos($upload_name, '.') + 1);

if ($type == "jpg" || $type == "png" || $type == "gif") {

    // Vulnerable: $_POST['address'] is used unfiltered in the destination path.
    // On affected PHP versions move_uploaded_file() stops at an embedded NUL byte,
    // so the ".".$type suffix appended here never reaches the filesystem.
    $address = $_POST['address'] . "." . $type;
    if (move_uploaded_file($_FILES['file']['tmp_name'], "tmp/" . $address)) {
        echo "图片地址:tmp/" . $address;
    }

} else {
    echo "上传类型错误!";
}
?>
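As an added example that is not part of the original page, below is a hardened version of the same upload handler. It removes the root cause (client input in the destination path) rather than trying to filter the NUL byte, and adds the checks a reviewer would expect around an image upload. The directory name, the helper name store_uploaded_image, the MIME whitelist and the use of random_bytes() (PHP 7+) are assumptions; on the affected 5.x versions the first fix is still to move to a release newer than those listed above.

```php
<?php
// Added example, not code from the original page.
// Assumptions: uploads are stored under ./tmp, PHP 7+ (random_bytes), fileinfo enabled.

const UPLOAD_DIR   = __DIR__ . '/tmp';                        // assumed storage directory
const ALLOWED_EXT  = ['jpg', 'png', 'gif'];                    // same whitelist as the page
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif']; // assumed content-type whitelist

/**
 * Store an uploaded image safely. Returns the public relative path, or null on rejection.
 *
 * Differences from the vulnerable handler:
 *  1. The destination file name is generated server-side; nothing from
 *     $_POST/$_GET/$_REQUEST reaches the path, so a NUL byte (CVE-2015-2348)
 *     or "../" in a client-supplied "address" has no effect.
 *  2. The extension is lower-cased and matched with strict in_array().
 *  3. The real content type is checked with finfo, not only the client filename.
 *  4. The resolved destination directory is compared with realpath(UPLOAD_DIR).
 */
function store_uploaded_image(array $file): ?string
{
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Take only the extension from the client filename; trust nothing else about it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // Verify the bytes on disk are actually an image of an allowed type.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return null;
    }

    // Server-generated name: the client cannot influence the destination path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    // Defence in depth: refuse to write anywhere but the resolved upload directory.
    $base        = realpath(UPLOAD_DIR);
    $resolvedDir = realpath(dirname($dest));
    if ($base === false || $resolvedDir === false || $resolvedDir !== $base) {
        return null;
    }

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return 'tmp/' . $name;
}

if (isset($_FILES['file'])) {
    $stored = store_uploaded_image($_FILES['file']);
    echo $stored !== null ? "Stored at: " . $stored : "Upload rejected";
}
```

If a deployment genuinely must accept a client-chosen name, the minimum extra guard is to reject any value containing "\0" (strpos($value, "\0") !== false) and to reduce it to basename() before use; generating the name server-side, as above, makes both of those checks unnecessary.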
