求助：某系统文件上传绕过

ikun · 2020 年8 月 4 日 21:27

{
$data['code'] = 0;
$data['msg'] = '';
nid = isset(_POST['nid'])? $_POST['nid'] : '';
merchantCert = _FILES["merchantCert"];
platformCert = _FILES["platformCert"];

    //上传商户私钥证书
    if (!empty($merchantCert['name']) && $merchantCert["error"] == 0) {
        $arrMerchantCertName = explode('.',$merchantCert['name']);
        
        if (end($arrMerchantCertName) == 'pfx' || end($arrMerchantCertName) == 'pem') {
            if ($platformCert["size"] > 600000) {
                $data['msg'] = '用户私钥证书太大';
            }else { 
                $path = 'up_files/certs';

                if(!is_dir(S_ROOT . $path)) {
                    mkdir($path,0777,true);
                }
                
                $merchantCertPath = $path . '/' . $nid . '_merchant_cert.' . end($arrMerchantCertName);
                if (move_uploaded_file($merchantCert["tmp_name"], S_ROOT . $merchantCertPath)) {
                   $data['code'] = 1;
                   $data['msg']  = '用户私钥证书上传成功！';
                   $data['data']['path'] = '/' . $merchantCertPath; 
                }else {
                    $data['msg'] = '用户私钥证书上传错误';
                }
            }
        }else {
            $data['msg'] = '用户私钥证书格式错误';
        }
    }
    
    //上传平台公钥证书
    if (!empty($platformCert['name']) && $platformCert["error"] == 0) {
        $arrPlatformCertName = explode('.',$platformCert['name']);
        
        if (end($arrPlatformCertName) == 'cer' || end($arrPlatformCertName) == 'pem') {
            if ($platformCert["size"] > 600000) {
                $data['msg'] = '平台公钥证书太大';
            }else {
                $path = 'up_files/certs';
                
                if(!is_dir(S_ROOT . $path)) {
                    mkdir($path,0777,true);
                }
                $platformCertPath = $path . '/' . $nid . '_server_cert.' . end($arrPlatformCertName);
                
                if (move_uploaded_file($platformCert["tmp_name"], S_ROOT . $platformCertPath)) {
                    $data['code'] = 1;
                    $data['msg']  = '平台公钥证书上传成功！';
                    $data['data']['path'] = '/' . $platformCertPath;
                }else {
                    $data['msg'] = '平台公钥证书上传错误';
                }
            }
        }else {
            $data['msg'] = '平台公钥证书格式错误';
        }
    }

    echo jsonReturn($data);
}

$merchantCert $platformCert 为可控参数。
如何突破上传文件
目标环境：linux 宝塔 nginx1.8.0 php7.0 含waf

ikun · 2020 年8 月 4 日 21:32

后缀为.号分割后的字符，但是

if (end($arrPlatformCertName) == 'cer' || end($arrPlatformCertName) == 'pem') {
进不去，无法获取系统后缀

已尝试1.php/xxx.pem （windows下可用）
还有什么骚姿势可行？