DVWA-File Upload

Low

后端代码没有对上传的文件做任何过滤,所以可以上传一句话木马。

php 复制代码
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Where are we going to be writing to?
	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

	// Can we move the file to the upload folder?
	if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
		// No
		$html .= '<pre>Your image was not uploaded.</pre>';
	}
	else {
		// Yes!
		$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
	}
}

?>

在PHP中,$_FILES 是一个全局数组,用于处理通过HTML表单上传的文件。每个上传的文件在 $_FILES 数组中都有自己的子数组,包含文件的各种信息。

php 复制代码
$_FILES 各项属性的详细说明
$_FILES['uploaded']['name']:上传文件的原始名称。

$_FILES['uploaded']['type']:上传文件的MIME类型(如 image/jpeg),由浏览器提供。

$_FILES['uploaded']['tmp_name']:上传文件在服务器上的临时文件路径。

$_FILES['uploaded']['error']:上传过程中可能发生的错误代码。
常见的错误代码:
UPLOAD_ERR_OK (0): 没有错误,文件上传成功。
UPLOAD_ERR_INI_SIZE (1): 上传文件超过了 php.ini 中 upload_max_filesize 选项限制的值。
UPLOAD_ERR_FORM_SIZE (2): 上传文件超过了HTML表单中 MAX_FILE_SIZE 选项指定的值。
UPLOAD_ERR_PARTIAL (3): 文件只有部分被上传。
UPLOAD_ERR_NO_FILE (4): 没有文件被上传。
UPLOAD_ERR_NO_TMP_DIR (6): 找不到临时文件夹。
UPLOAD_ERR_CANT_WRITE (7): 文件写入失败。
UPLOAD_ERR_EXTENSION (8): 文件上传被PHP扩展程序中断。

$_FILES['uploaded']['size']:上传文件的大小,以字节为单位。

Medium

观察后端代码,对上传文件的MIME类型,大小进行了限制。

php 复制代码
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Where are we going to be writing to?
	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

	// File information
	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
	$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

	// Is it an image?
	if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
		( $uploaded_size < 100000 ) ) {

		// Can we move the file to the upload folder?
		if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
			// No
			$html .= '<pre>Your image was not uploaded.</pre>';
		}
		else {
			// Yes!
			$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
		}
	}
	else {
		// Invalid file
		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
	}
}

?>

我们可以通过burp抓包之后,修改对应参数进行绕过

上传成功

High

观察后端代码,对上传文件的后缀,文件头进行了过滤。

php 复制代码
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Where are we going to be writing to?
	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

	// File information
	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
	$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
	$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

	// Is it an image?
	if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
		( $uploaded_size < 100000 ) &&
		getimagesize( $uploaded_tmp ) ) {

		// Can we move the file to the upload folder?
		if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
			// No
			$html .= '<pre>Your image was not uploaded.</pre>';
		}
		else {
			// Yes!
			$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
		}
	}
	else {
		// Invalid file
		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
	}
}

?>

文件头绕过记录两种方法

1.把shell.php和一张图片放在一起,执行copy命令,如图

2.用十六进制软件直接在文件开头加上文固定内容的文件头

之后直接上传

上传之后都结合文件包含漏洞High Level执行DVWA-File Inclusion(因为要将png后缀图片按php文件解析)

http://192.168.20.156/DVWA/vulnerabilities/fi/?page=file:///C:\\phpstudy_pro\\WWW\\DVWA\\hackable\\uploads\\shell.png

上传之后用蚁剑连接,直接连接是显示不成功,是因为没有cookie。

之后浏览网站,进入网站修改难度为high(因为DVWA默认难度为impossible难度没法绕过)并保存cookie。

Impossible

观察后端源码发现,对文件内容进行了严格地检查,对文件进行重命名,文件大小后缀都进行了限制,同时加入token。

php 复制代码
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Check Anti-CSRF token
	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );


	// File information
	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
	$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
	$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
	$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

	// Where are we going to be writing to?
	$target_path   = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
	//$target_file   = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
	$target_file   =  md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
	$temp_file     = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
	$temp_file    .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;

	// Is it an image?
	if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
		( $uploaded_size < 100000 ) &&
		( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
		getimagesize( $uploaded_tmp ) ) {

		// Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
		if( $uploaded_type == 'image/jpeg' ) {
			$img = imagecreatefromjpeg( $uploaded_tmp );
			imagejpeg( $img, $temp_file, 100);
		}
		else {
			$img = imagecreatefrompng( $uploaded_tmp );
			imagepng( $img, $temp_file, 9);
		}
		imagedestroy( $img );

		// Can we move the file to the web root from the temp folder?
		if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
			// Yes!
			$html .= "<pre><a href='{$target_path}{$target_file}'>{$target_file}</a> succesfully uploaded!</pre>";
		}
		else {
			// No
			$html .= '<pre>Your image was not uploaded.</pre>';
		}

		// Delete any temp files
		if( file_exists( $temp_file ) )
			unlink( $temp_file );
	}
	else {
		// Invalid file
		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
	}
}

// Generate Anti-CSRF token
generateSessionToken();

?>
相关推荐
Hacker_LaoYi2 小时前
网络安全与加密
安全·web安全
黑客Ash13 小时前
【D01】网络安全概论
网络·安全·web安全·php
.Ayang15 小时前
SSRF漏洞利用
网络·安全·web安全·网络安全·系统安全·网络攻击模型·安全架构
.Ayang15 小时前
SSRF 漏洞全解析(概述、攻击流程、危害、挖掘与相关函数)
安全·web安全·网络安全·系统安全·网络攻击模型·安全威胁分析·安全架构
网络安全-老纪15 小时前
iOS应用网络安全之HTTPS
web安全·ios·https
Mr.Pascal16 小时前
刚学php序列化/反序列化遇到的坑(攻防世界:Web_php_unserialize)
开发语言·安全·web安全·php
dot.Net安全矩阵18 小时前
.NET 通过模块和驱动收集本地EDR的工具
windows·安全·web安全·.net·交互
Hacker_Oldv19 小时前
网络安全的学习路线
学习·安全·web安全
黑客Ash19 小时前
计算机中的网络安全
网络·安全·web安全