1.js 驗證

修改js

2.后綴名黑名單

比如：

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

語言可解析后綴

|asp/aspx|asp,aspx,asa,asax,ascx,ashx,asmx,cer,aSp,aSpx,aSa,aSax,aScx,aShx,aSmx,cEr| |php|php,php5,php4,php3,php2,pHp,pHp5,pHp4,pHp3,pHp2,html,htm,phtml,pht,Html,Htm,pHtml| |jsp|jsp,jspa,jspx,jsw,jsv,jspf,jtml,jSp,jSpx,jSpa,jSw,jSv,jSpf,jHtml|

大小寫，雙寫替換，加空格 test.php空格

3.后綴名白名單

%00 截斷 繞過白名單

雙重擴展來上傳文件（shell.jpg.php）。

4. MIMETYPE 類型檢查

content-type 校驗

5.頭文件檢查

 IF89a 判斷是否是圖片文件

6.命名規(guī)則

（1）上傳不符合windows文件命名規(guī)則的文件名

　　test.asp.

　　test.asp(空格)

　　test.php:1.jpg

　　test.php::$DATA

　　shell.php::$DATA…….

會被windows系統(tǒng)自動去掉不符合規(guī)則符號后面的內容。

（2）linux下后綴名大小寫

在linux下，如果上傳php不被解析，可以試試上傳pHp后綴的文件名。

7.解析漏洞

x.php.zz.xx apache 會從右到左解析直到遇到能解析的后綴

1.IIS6.0在解析asp時有兩個解析漏洞，一個是如果任意目錄名包含.asp字符串，那么這個目錄下的所有文件都會按照asp去解析，另一個是文件名中含有asp;就會優(yōu)先當作asp來解析

2.IIS7.0/7.5對php解析有類似Nginx的解析漏洞只要對任意文件名在url后面追加上字符串/任意文件名.php就會按照php去解析