打开靶机即可看到源码：
<?php
// Upload handler shown as the challenge source. When a "file" upload is present it
// validates a single JSON field and then stores the whole uploaded file under upload/;
// otherwise it prints its own source.
// NOTE(review): every check below constrains only the decoded "data" value. The stored
// file keeps a client-chosen extension (see $ext), which is the main gap a production
// upload handler would have to close.
if (isset($_FILES["file"]["tmp_name"])) {
// Read the entire temporary upload. The fopen() result is not checked and the handle
// is never closed anywhere in this script.
$file = fopen($_FILES["file"]["tmp_name"], "r");
// NOTE(review): an empty upload makes filesize() return 0; on PHP 8 fread() rejects a
// zero length with a ValueError. Confirm against the PHP version in use.
$data = fread($file, filesize($_FILES["file"]["tmp_name"]));
// Decode to an associative array with a nesting limit of 2. Presumably meant to accept
// one flat object and reject nested containers; confirm.
$arr = json_decode($data, true, 2);
// Loose comparison (!=) against JSON_ERROR_NONE; any decode error aborts the request.
if (json_last_error() != JSON_ERROR_NONE) {
die("JsonErr"); }
// Require exactly one top-level element.
// NOTE(review): a scalar JSON document leaves $arr a non-array, and count() on a
// non-countable value raises a TypeError on PHP 8.
if (count($arr) != 1) {
die("DataErr"); }
// The single key is never verified to be "data". If it is named differently this read
// yields null, and the length and character checks below no longer inspect anything.
$data = $arr['data'];
// Byte-length cap: values longer than 56 bytes are rejected.
$len = strlen($data);
if ($len > 56) {
die("Long");
}
// Character denylist: reject the value if it contains any of  [ ] ` ' ^ = / $ . ;
// A denylist narrows what "data" may contain but is not a content-safety guarantee,
// and it is applied to the decoded field only, not to the bytes that get stored.
if (preg_match("/[\[\]`'^=\/\\$.;]+/", $data)) {
die("no");
}
// Server-chosen base name. mt_rand() is not a CSPRNG and two uploads can collide;
// random_bytes() is the usual choice for unique, unguessable names.
$name = mt_rand();
// The extension comes from the client-supplied file name (everything from the last '.'),
// with only surrounding whitespace trimmed. There is no allowlist, so the client decides
// the stored file type.
// Mitigation: derive the extension from a fixed server-side allowlist and keep uploads
// in a location where the web server does not execute scripts.
$ext = strrchr($_FILES['file']['name'], '.');
$ext = trim($ext);
// The original upload (the full JSON document, not just "data") is moved into upload/.
// The return value is not checked, so a failed move still reports a path below.
move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $name . $ext);
// The resulting path, including the client-controlled extension, is echoed without
// HTML escaping.
echo "upload/" . $name . $ext;
} else {
// No upload in the request: display this file's own source.
highlight_file(__FILE__);
}