DVWA platform
Upload vulnerability attack techniques
Client-side JS validation (this is client-side validation; what follows is server-side validation) can be switched off in the browser. How to tell: the error message appears very quickly; inspect the element to see whether there is JS code.
.htaccess bypasses the upload restriction by defining how files are parsed based on characters contained in the filename. As below, as long as the filename contains php.gif the file is parsed and executed as PHP.
%00 truncated upload (%00 truncation rule: when an address contains the %00 character it is truncated automatically. Note: when using %00 truncation, be sure to URL-encode the string %00 before uploading.)
Modifying the file header (an old technique; files of the same type share the same file header)
Modifying the file type
Upload, low-level code
```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename( $_FILES['uploaded']['name']);

    if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    } else {
        echo '<pre>';
        echo $target_path . ' succesfully uploaded!';
        echo '</pre>';
    }
}
?>
```
isset: whether the variable is set, i.e. whether it exists
$_FILES: the superglobal dedicated to receiving uploaded files
move_uploaded_file: the function that moves the uploaded file
$_FILES['uploaded']['name']: gets the name of the uploaded file
1. The upload file type and extension are not validated at all
2. The uploaded file keeps the same name on the server as on the client
Upload, medium-level code
```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_type = $_FILES['uploaded']['type'];
    $uploaded_size = $_FILES['uploaded']['size'];

    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    } else{
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
?>
```
$_FILES['uploaded']['type']: gets the type of the uploaded file (the MIME type as reported by the client)
$_FILES['uploaded']['size']: gets the size of the uploaded file
Upload, high-level code (takes the substring after the last dot; recognizes %00)
File Upload Source

```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];

    if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    } else{
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    }
}
?>
```
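The three DVWA levels above each trust something the client controls: the low level trusts the file name outright, the medium level trusts the client-reported `$_FILES['uploaded']['type']`, and the high level trusts whatever follows the last dot of the client-supplied name. The handler below is an added example of what a hardened version of the same form looks like; it is not DVWA's code. It reuses the `Upload` button, the `uploaded` field, `DVWA_WEB_PAGE_TO_ROOT` and the `hackable/uploads/` directory from the page; the function name `store_uploaded_image` and the constants are my own.

```php
<?php
// Added example (not DVWA's code): a hardened replacement for the upload
// handlers shown above. Nothing taken from the client-supplied name or
// type is trusted; the type comes from the bytes and the name from the server.

declare(strict_types=1);

const UPLOAD_MAX_BYTES = 100000;   // same size limit the medium/high levels use
// Allowlist: MIME type detected from file content => extension the server assigns
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

/**
 * Validate one $_FILES entry and store it under a server-chosen name.
 * Returns the stored path, or throws RuntimeException with the reason.
 */
function store_uploaded_image(array $file, string $uploadDir): string
{
    // 1. Check PHP's own upload status, not merely that a form field exists.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    // 2. Confirm the temp file really came from this request and check its real size.
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > UPLOAD_MAX_BYTES) {
        throw new RuntimeException('bad temp file or too large');
    }
    // 3. Reject control bytes (including a literal NUL) in the original name;
    //    the low/medium levels pass basename() of this name straight to the filesystem.
    if (preg_match('/[\x00-\x1f]/', (string) $file['name'])) {
        throw new RuntimeException('control character in file name');
    }
    // 4. Detect the type from the file content. $_FILES['type'] is sent by the
    //    client and is exactly what the medium level relied on.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('disallowed content type');
    }
    // 5. Require the file to decode as an image, which is stricter than a
    //    header-only check (a copied file header alone does not pass this).
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    // 6. Server-chosen name: random, with a single allowlisted extension, so the
    //    stored name can never be ".htaccess" or carry a second extension.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $target = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move file');
    }
    chmod($target, 0644);   // readable, never executable
    return $target;
}

if (isset($_POST['Upload'])) {
    $uploadDir = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
    try {
        $path = store_uploaded_image($_FILES['uploaded'] ?? [], $uploadDir);
        echo '<pre>' . htmlspecialchars(basename($path)) . ' uploaded.</pre>';
    } catch (RuntimeException $e) {
        // The precise reason goes to the server log for detection; the user
        // gets the same generic message DVWA already uses.
        error_log('upload rejected: ' . $e->getMessage());
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
```

Two points about the design: the filename the client sent is used for nothing except the control-byte check, so neither a double extension nor a `%00` sequence has anything to act on; and the rejection reason is logged rather than echoed, which gives the defender a signal (a burst of `disallowed content type` entries from one client) without telling the sender which check fired. Even with this handler, the uploads directory should have script execution disabled in the web server configuration, since that is the control `.htaccess`-style tricks aim at.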
burpsuite:
%00 truncated upload:
Normal file address:
Truncated file address:
www.xxx.com/image/qq.asp%00.jpg = www.xxx.com/image/qq.asp
Experience:
Generally do not bother trying upload bypasses against an editor's upload feature; there are no vulnerabilities there.
Use the site's own upload application and try the upload bypass there.