Enter the lab environment and view the source code.

We analyze the code:

```php
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {                        // was the submit field posted?
    if (file_exists(UPLOAD_PATH)) {                   // does the UPLOAD_PATH directory exist?
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini");
        $file_name = trim($_FILES['upload_file']['name']);    // the uploaded file's name
        $file_name = deldot($file_name);                      // strip trailing dots from the name
        $file_ext = strrchr($file_name, '.');                 // everything from the last '.' onward
        $file_ext = strtolower($file_ext);                    // convert to lower case
        $file_ext = str_ireplace('::$DATA', '', $file_ext);   // remove the string ::$DATA
        $file_ext = trim($file_ext);                          // strip leading/trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {                // reject only if $file_ext is in $deny_ext
            $temp_file = $_FILES['upload_file']['tmp_name'];  // temporary path of the uploaded file
            $img_path = UPLOAD_PATH.'/'.$file_name;           // destination: UPLOAD_PATH/$file_name
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错!';                            // "Upload error!"
            }
        } else {
            $msg = '此文件不允许上传!';                         // "This file is not allowed to be uploaded!"
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';       // "<UPLOAD_PATH> folder does not exist, please create it manually!"
    }
}
```
Analyzing the code, we find that it is still a blacklist filter: any upload whose suffix is in the blacklist is refused. The later checks also give us nothing to work with, so at this point one should think of .htaccess parsing, which is only supported by Apache. .htaccess is Apache's per-directory configuration file, the one commonly used for pseudo-static (rewrite) rules.

We create a .htaccess file and upload it to the lab:

```apache
<FilesMatch "shana">
SetHandler application/x-httpd-php
</FilesMatch>
```

The upload succeeds. Next we create a one-line webshell (一句话木马), name it shana, and upload it to the lab environment.

We can see that the upload succeeded. We now visit the file to trigger the one-liner and check whether it can be called normally.

It can be called normally, which shows that the .htaccess file we uploaded took effect and the PHP code inside the jpg file can also be executed.
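The root cause is the blacklist in the analyzed code: it enumerates script suffixes but says nothing about files with no "real" extension such as .htaccess, and it stores the file under the client-chosen name, which is exactly what the FilesMatch rule keys on. As an added example (my own code, not the lab's), here is a hardened replacement written for PHP 8. UPLOAD_PATH, $_FILES['upload_file'] and the submit field are taken from the lab; ALLOWED_EXT, ALLOWED_MIME, validate_upload and handle_upload are names I made up for the example.

```php
<?php
// Added example, not the lab's code. Hardened upload handler for PHP 8.
// UPLOAD_PATH and the form field names follow the lab; the rest is assumed.

// Allowlist only the extensions the feature actually needs.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Pin each allowed extension to the MIME type(s) finfo may report for it.
const ALLOWED_MIME = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

/**
 * Validate one entry of $_FILES. Returns the randomised destination
 * file name on success, or a string beginning with "error:" on rejection.
 */
function validate_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'error: upload failed';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: not an uploaded file';
    }

    // Use the basename only, so any path components in the client name are dropped.
    $original = basename((string) $file['name']);

    // Reject dot-prefixed names outright. This is the check the lab code lacks:
    // it stops .htaccess, .user.ini and similar server-configuration files from
    // ever landing in the upload directory, whatever the suffix checks say.
    if ($original === '' || $original[0] === '.') {
        return 'error: hidden or empty file name';
    }

    // Extension after the last dot, lower-cased, and it must be on the allowlist.
    // A blacklist can always miss a case variant or a new handler suffix; an
    // allowlist cannot.
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return 'error: extension not allowed';
    }

    // Check the bytes, not just the name. (A valid image with PHP appended still
    // passes this, so the server-side handler configuration below remains the
    // decisive control; this check just removes the obvious mismatches.)
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME[$ext], true)) {
        return 'error: content does not match extension';
    }

    // Never reuse the client-supplied name. A random name means the uploader
    // cannot pick the stored filename, so a FilesMatch rule written in advance
    // for a known name has nothing to match.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Request handler mirroring the lab's control flow, with the hardened checks.
 * Returns ['ok' => bool, ...] so the caller can render $msg as before.
 */
function handle_upload(): array
{
    if (!isset($_POST['submit'])) {
        return ['ok' => false, 'msg' => 'no submit'];
    }
    if (!is_dir(UPLOAD_PATH)) {
        return ['ok' => false, 'msg' => UPLOAD_PATH . ' directory does not exist'];
    }

    $result = validate_upload($_FILES['upload_file'] ?? []);
    if (str_starts_with($result, 'error:')) {
        return ['ok' => false, 'msg' => $result];
    }

    $dest = UPLOAD_PATH . '/' . $result;
    if (!move_uploaded_file($_FILES['upload_file']['tmp_name'], $dest)) {
        return ['ok' => false, 'msg' => 'upload error'];
    }
    // Stored uploads are data, never executables.
    chmod($dest, 0644);
    return ['ok' => true, 'path' => $dest];
}
```

Application-level checks are only half of the fix. The .htaccess trick works because Apache is told to honour per-directory overrides; set `AllowOverride None` for the upload directory in httpd.conf so any .htaccess that does land there is ignored, and disable the PHP handler for that directory (for example `php_admin_flag engine off` inside a `<Directory>` block under mod_php) so that a file stored there is served as bytes rather than executed, whatever its contents.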