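Section 2: Basic File Upload Vulnerability (Medium Security Level)
shell1.php, which could be uploaded at the low security level, fails to upload at the medium security level. The reason is that the MIME type is now restricted. The PHP code is as follows: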
<?php
if (isset($_POST['Upload'])) {
    // Destination path is built from the client-supplied file name
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    // 'type' is copied from the Content-Type header of the request part
    $uploaded_type = $_FILES['uploaded']['type'];
    $uploaded_size = $_FILES['uploaded']['size'];
    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){
        # The upload fails because the medium security level restricts the MIME type and the size.
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    }
    else{
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
?>
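Supplementary MIME background:
Medium security level solution: intercept the request with the Burp Suite proxy
1) Configure the proxy server in Firefox
Under Settings - Network - Advanced
Refresh to display
2) Start Burp Suite in Kali Linux
Intercepting proxy: through the overridden method in the handler, it blocks retrieval of the target's content.
Start the proxy server before uploading the b.php file, then inspect the request:
filename=‘b.php’
Change Content-Type to image/jpeg
Success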
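The upload succeeds because $_FILES['uploaded']['type'] is taken from the request and never checked against the file itself. The following is an added example, not DVWA's code, of a handler that derives the type from the file content on the server and chooses the stored name itself; the function name store_image_upload, the ALLOWED map and the uploads directory are assumptions made for illustration.

```php
<?php
// Added example, not DVWA's code. It never reads $_FILES[...]['type'] or the
// client-supplied file name when deciding what to store or what to call it.
const MAX_BYTES = 100000;                  // same size limit as the page's code
const ALLOWED = ['image/jpeg' => 'jpg'];   // server-detected MIME => stored extension

function store_image_upload(array $file, string $destDir): string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('Upload failed.');
    }
    // Measure the size on disk instead of trusting the reported value.
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size >= MAX_BYTES) {
        throw new RuntimeException('File size not allowed.');
    }
    // Detect the MIME type from the file's bytes (fileinfo extension).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('File type not allowed.');
    }
    // The content must also parse as an image.
    if (getimagesize($tmp) === false) {
        throw new RuntimeException('Not a valid image.');
    }
    // Server-generated name with an extension taken from the allow-list,
    // so the stored file can never end in .php whatever the client sent.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    return $dest;
}

if (isset($_POST['Upload'], $_FILES['uploaded'])) {
    try {
        $path = store_image_upload($_FILES['uploaded'], __DIR__ . '/uploads'); // assumed directory
        echo '<pre>Stored as ' . htmlspecialchars(basename($path)) . '</pre>';
    } catch (RuntimeException $e) {
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
```

With this handler, a request for b.php whose Content-Type was rewritten to image/jpeg is rejected at the finfo check, because the detected type comes from the file's bytes and not from the header.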