CTF web题总结--上传文件绕过

代码：

<?phpif (empty($_FILES['inputFile'])) {    echo json_encode(['error'=>'No files found for upload.']);     return;}$allowedExts = array('php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'cgi');$success = false;$output = '';$file = $_FILES['inputFile'];$filename = $file['name'];$parts = explode('.', basename($filename));$ext = end($parts);$type = $file['type'];$size = $file['size'];if (in_array($ext, $allowedExts) || count($parts) > 2) {    $output = ['error'=>'How dare you do so???'];} else {    if ($file['error'] > 0) {        $success = false;        $output = ['error' => $file['error']];    } else {        $target = 'uploads' . DIRECTORY_SEPARATOR . sha1(uniqid()) . '.' . $ext;        if ($fp = fopen($file["tmp_name"], 'r')) {            $table_change = array('<?'=>'');            $table_change += array('php' => '');            $table_change += array('script' => '');            $contents = fread($fp, filesize($file['tmp_name']));            fclose($fp);            $contents = strtr($contents, $table_change);            $fpw = fopen($target, 'w');            fwrite($fpw, $contents);            fclose($fpw);        }        $output = ['uploaded' => $target];    }}echo json_encode($output);

可以上传Php、phtm等类型，过滤了<?php等，但是可以使用<?Script language="Php">来绕过过滤，然后就一句话木马即可