
I rent a website. I found a place where I can control a variable from $_GET, and then the server will execute the function `move_uploaded_file(filename, destination)`. The question is how to cut off the '.jpg'. Thanks a lot.

The PHP version is 5.6.40 or higher; the OS is CloudLinux, CentOS 7.6.

```php
$temp_str = $_GET['str'];
$destination = '/tmp/'.$temp_str.'.jpg';
move_uploaded_file(filename,$destination);
```
  • Wouldn't it be simpler to just remove the `.'.jpg'` from `$destination = '/tmp/'.$temp_str.'.jpg';` – RiggsFolly Jul 04 '19 at 10:43
  • @RiggsFolly Yeah, exactly what I thought. Unless both of us are missing something. What do you expect $temp_str to look like, and do you do any validation besides this? – neoto Jul 04 '19 at 10:45
  • Just about CTF. I tried "test.php\x00.jpg" (Burp hex "20" => "00"); before PHP 5.6.7 it can work, but after, it doesn't work. – tom9527 Jul 04 '19 at 10:55
  • I tried all the ways in this post (https://www.acunetix.com/websitesecurity/upload-forms-threat/); it doesn't work... – tom9527 Jul 04 '19 at 11:14
  • Possible duplicate of https://stackoverflow.com/questions/2183486/php-get-file-name-without-file-extension. You need to use a PHP function to get the filename without extension – Esar-ul-haq Qasmi Jul 04 '19 at 11:51
  • eeeeeeeeeeeeeee... – tom9527 Jul 06 '19 at 03:22
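
The hardened counterpart of the snippet in the question, as an added example that is not part of the original thread: the `$_GET['str']` value is checked against an allowlist before it reaches `move_uploaded_file()`, and the file content is checked instead of relying on the appended `.jpg`. The form field name `upload`, the directory `/tmp/uploads` and the function names are assumptions; the code is written to run on PHP 5.6.

```php
<?php
// Added example, not code from the thread. Assumptions: the form field is
// named 'upload' and files are stored under UPLOAD_DIR.
const UPLOAD_DIR = '/tmp/uploads';

// Return the destination path for a client-supplied name, or null if the
// name is not on the allowlist.
function safe_destination($name)
{
    // ?str[]=x arrives as an array, so insist on a string first.
    if (!is_string($name)) {
        return null;
    }
    // 1-64 characters of [A-Za-z0-9_-]; \A and \z anchor the whole string,
    // so a NUL byte, a dot, a path separator or a trailing newline fails.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    return UPLOAD_DIR . '/' . $name . '.jpg';
}

function handle_upload(array $get, array $files)
{
    $dest = safe_destination(isset($get['str']) ? $get['str'] : null);
    $file = isset($files['upload']) ? $files['upload'] : null;
    if ($dest === null || !is_array($file) || !isset($file['error'], $file['tmp_name'])
        || $file['error'] !== UPLOAD_ERR_OK || !is_string($file['tmp_name'])) {
        return false;
    }
    // Decide by content, not by the extension the server appends.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        return false;
    }
    // move_uploaded_file() itself refuses files that were not HTTP uploads.
    return move_uploaded_file($file['tmp_name'], $dest);
}

// Constructed sample names for a CLI run: only the first one is accepted.
if (PHP_SAPI === 'cli') {
    foreach (array('avatar_01', "test.php\0", 'a.b', '') as $n) {
        var_dump(safe_destination($n));
    }
}
```

In a request handler the call would be `handle_upload($_GET, $_FILES)`, with a `false` result answered by an error response rather than a retry with a modified name.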
