1.js 验证

修改js

2.后缀名黑名单

比如：

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

语言可解析后缀

|asp/aspx|asp,aspx,asa,asax,ascx,ashx,asmx,cer,aSp,aSpx,aSa,aSax,aScx,aShx,aSmx,cEr| |php|php,php5,php4,php3,php2,pHp,pHp5,pHp4,pHp3,pHp2,html,htm,phtml,pht,Html,Htm,pHtml| |jsp|jsp,jspa,jspx,jsw,jsv,jspf,jtml,jSp,jSpx,jSpa,jSw,jSv,jSpf,jHtml|

大小写，双写替换，加空格 test.php空格

3.后缀名白名单

%00 截断 绕过白名单

双重扩展来上传文件（shell.jpg.php）。

4. MIMETYPE 类型检查

content-type 校验

5.头文件检查

 IF89a 判断是否是图片文件

6.命名规则

（1）上传不符合windows文件命名规则的文件名

　　test.asp.

　　test.asp(空格)

　　test.php:1.jpg

　　test.php::$DATA

　　shell.php::$DATA…….

会被windows系统自动去掉不符合规则符号后面的内容。

（2）linux下后缀名大小写

在linux下，如果上传php不被解析，可以试试上传pHp后缀的文件名。

7.解析漏洞

x.php.zz.xx apache 会从右到左解析直到遇到能解析的后缀

1.IIS6.0在解析asp时有两个解析漏洞，一个是如果任意目录名包含.asp字符串，那么这个目录下的所有文件都会按照asp去解析，另一个是文件名中含有asp;就会优先当作asp来解析

2.IIS7.0/7.5对php解析有类似Nginx的解析漏洞只要对任意文件名在url后面追加上字符串/任意文件名.php就会按照php去解析