DVWA-File Upload

Low

后端代码没有对上传的文件做任何过滤,所以可以上传一句话木马。

php 复制代码
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Where are we going to be writing to?
	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

	// Can we move the file to the upload folder?
	if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
		// No
		$html .= '<pre>Your image was not uploaded.</pre>';
	}
	else {
		// Yes!
		$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
	}
}

?>

在PHP中,_FILES 是一个全局数组,用于处理通过HTML表单上传的文件。每个上传的文件在 _FILES 数组中都有自己的子数组,包含文件的各种信息。

php 复制代码
$_FILES 各项属性的详细说明
$_FILES['uploaded']['name']:上传文件的原始名称。

$_FILES['uploaded']['type']:上传文件的MIME类型(如 image/jpeg),由浏览器提供。

$_FILES['uploaded']['tmp_name']:上传文件在服务器上的临时文件路径。

$_FILES['uploaded']['error']:上传过程中可能发生的错误代码。
常见的错误代码:
UPLOAD_ERR_OK (0): 没有错误,文件上传成功。
UPLOAD_ERR_INI_SIZE (1): 上传文件超过了 php.ini 中 upload_max_filesize 选项限制的值。
UPLOAD_ERR_FORM_SIZE (2): 上传文件超过了HTML表单中 MAX_FILE_SIZE 选项指定的值。
UPLOAD_ERR_PARTIAL (3): 文件只有部分被上传。
UPLOAD_ERR_NO_FILE (4): 没有文件被上传。
UPLOAD_ERR_NO_TMP_DIR (6): 找不到临时文件夹。
UPLOAD_ERR_CANT_WRITE (7): 文件写入失败。
UPLOAD_ERR_EXTENSION (8): 文件上传被PHP扩展程序中断。

$_FILES['uploaded']['size']:上传文件的大小,以字节为单位。

Medium

观察后端代码,对上传文件的MIME类型,大小进行了限制。

php 复制代码
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Where are we going to be writing to?
	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

	// File information
	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
	$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

	// Is it an image?
	if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
		( $uploaded_size < 100000 ) ) {

		// Can we move the file to the upload folder?
		if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
			// No
			$html .= '<pre>Your image was not uploaded.</pre>';
		}
		else {
			// Yes!
			$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
		}
	}
	else {
		// Invalid file
		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
	}
}

?>

我们可以通过burp抓包之后,修改对应参数进行绕过

上传成功

High

观察后端代码,对上传文件的后缀,文件头进行了过滤。

php 复制代码
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Where are we going to be writing to?
	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

	// File information
	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
	$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
	$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

	// Is it an image?
	if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
		( $uploaded_size < 100000 ) &&
		getimagesize( $uploaded_tmp ) ) {

		// Can we move the file to the upload folder?
		if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
			// No
			$html .= '<pre>Your image was not uploaded.</pre>';
		}
		else {
			// Yes!
			$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
		}
	}
	else {
		// Invalid file
		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
	}
}

?>

文件头绕过记录两种方法

1.把shell.php和一张图片放在一起,执行copy命令,如图

2.用十六进制软件直接在文件开头加上文固定内容的文件头

之后直接上传

上传之后都结合文件包含漏洞High Level执行DVWA-File Inclusion(因为要将png后缀图片按php文件解析)

http://192.168.20.156/DVWA/vulnerabilities/fi/?page=file:///C:\\phpstudy_pro\\WWW\\DVWA\\hackable\\uploads\\shell.png

上传之后用蚁剑连接,直接连接是显示不成功,是因为没有cookie。

之后浏览网站,进入网站修改难度为high(因为DVWA默认难度为impossible难度没法绕过)并保存cookie。

Impossible

观察后端源码发现,对文件内容进行了严格地检查,对文件进行重命名,文件大小后缀都进行了限制,同时加入token。

php 复制代码
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Check Anti-CSRF token
	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );


	// File information
	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
	$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
	$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
	$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

	// Where are we going to be writing to?
	$target_path   = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
	//$target_file   = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
	$target_file   =  md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
	$temp_file     = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
	$temp_file    .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;

	// Is it an image?
	if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
		( $uploaded_size < 100000 ) &&
		( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
		getimagesize( $uploaded_tmp ) ) {

		// Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
		if( $uploaded_type == 'image/jpeg' ) {
			$img = imagecreatefromjpeg( $uploaded_tmp );
			imagejpeg( $img, $temp_file, 100);
		}
		else {
			$img = imagecreatefrompng( $uploaded_tmp );
			imagepng( $img, $temp_file, 9);
		}
		imagedestroy( $img );

		// Can we move the file to the web root from the temp folder?
		if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
			// Yes!
			$html .= "<pre><a href='{$target_path}{$target_file}'>{$target_file}</a> succesfully uploaded!</pre>";
		}
		else {
			// No
			$html .= '<pre>Your image was not uploaded.</pre>';
		}

		// Delete any temp files
		if( file_exists( $temp_file ) )
			unlink( $temp_file );
	}
	else {
		// Invalid file
		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
	}
}

// Generate Anti-CSRF token
generateSessionToken();

?>
相关推荐
星哥说事3 小时前
使用开源免费雷池WAF防火墙,接入保护你的网站
web安全·开源
浩浩测试一下3 小时前
计算机网络中的DHCP是什么呀? 详情解答
android·网络·计算机网络·安全·web安全·网络安全·安全架构
浩浩测试一下6 小时前
SQL注入高级绕过手法汇总 重点
数据库·sql·安全·web安全·网络安全·oracle·安全架构
帅云毅8 小时前
Web漏洞--XSS之订单系统和Shell箱子
前端·笔记·web安全·php·xss
迷路的小绅士9 小时前
常见网络安全攻击类型深度剖析(三):DDoS攻击——分类、攻击机制及企业级防御策略
网络·web安全·ddos
ALe要立志成为web糕手12 小时前
[BJDCTF2020]EzPHP
web安全·网络安全·php·ctf
迷路的小绅士12 小时前
常见网络安全攻击类型深度剖析(四):跨站脚本攻击(XSS)——分类、漏洞利用与前端安全防护
前端·安全·web安全
TazmiDev13 小时前
2025 XYCTF ezsql 详细教程wp
web安全·网络安全·ctf·sql注入·布尔盲注
迷路的小绅士14 小时前
网络安全概述:定义、重要性与发展历程
网络·安全·web安全
virelin_Y.lin18 小时前
系统与网络安全------弹性交换网络(2)
网络·安全·web安全·链路聚合·lacp·eth-trunk