首先，查看过滤代码

$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

$file_name = $_FILES['upload_file']['name'];

$file_name = deldot($file_name);//删除文件名末尾的点

$file_ext = strrchr($file_name, '.');

$file_ext = strtolower($file_ext); //转换为小写

$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA

if (!in_array($file_ext, $deny_ext)) {

if (move_uploaded_file($_FILES['upload_file']['tmp_name'], $UPLOAD_ADDR . '/' . $_FILES['upload_file']['name'])) {

$img_path = $UPLOAD_ADDR . '/' . $file_name;

$is_upload = true;

}

} else {

$msg = '此文件不允许上传';

}

相对于第五关的过滤还少了一些，相同的黑名单，但是相比于第五关，这里仅仅删除了文件名后的.，并没有删除空格，所以可以上传一个后缀名为php+空格的文件去绕过黑名单，windows在创建文件时会自动删掉最后的空格

可以看到成功绕过这里的上传检测