It does seem to work, here's where I have my question. I changed the file extension to file.php.jpg to see if it could bypass it and it did upload. When I browse to it though I get this:<?php
$blacklist = array(".php", ".phtml");
foreach ($blacklist as $item) {
if(preg_match("/$item\$/i", $_FILES['userfile']['name'])) {
echo "We do not allow uploading PHP files\n";
exit;
}
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "File uploading failed.\n";
}
?>
It just prints out the path for some reason..
So I have two questions, why does that happen? Is there a way to get this to upload and parse it as a PHP file instead of an image? I mean so it actually executes the shell. And if there is what other precautions can you take to prevent people from uploading these shells? Thanks for any help, I'm trying to understand both sides here. I'm using PHP 5.3.1 by the way.