DVWA平台漏洞测试平台__上传漏洞

DVWA平台

上传漏洞攻击手法

本地端js验证（本地端验证，下为服务端验证）可用浏览器关闭：判断：错误提示很快；审查元素看有无js代码

.htaccess 绕过限制上传，依据文件名包含的字符自定义解析文件。如下，只要文件名含php.gif就能解析该文件成php执行

%00截断上传(%00截断规则：地址如遇上%00字符会自动截断.注意：使用%00截断时，务必将字符串%00采用url编码后上传.)

文件头修改(老方式，同一类型的文件的文件头相同)

文件类型修改

Upload上传低等级代码

php
    if (isset($_POST['Upload'])) {

            $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
            $target_path = $target_path . basename( $_FILES['uploaded']['name']);

            if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
                
                echo '
';
                echo 'Your image was not uploaded.';
                echo '';
                
              } else {
            
                echo '
';
                echo $target_path . ' succesfully uploaded!';
                echo '';
                
            }

        }
?> 

View Code

Isset：是否设置，是否存在

$_FILES：文件上传专用接受变量

move_uploaded_file：移动文件函数

$_FILES['uploaded']['name']：获取上传文件的名字

1.没有验证文件上传类型，后缀名

2.上传文件中客户端和服务端命名一致

Upload上传中等级代码

php
    if (isset($_POST['Upload'])) {

            $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
            $target_path = $target_path . basename($_FILES['uploaded']['name']);
            $uploaded_name = $_FILES['uploaded']['name'];
            $uploaded_type = $_FILES['uploaded']['type'];
            $uploaded_size = $_FILES['uploaded']['size'];

            if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){


                if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
                
                    echo '
';
                    echo 'Your image was not uploaded.';
                    echo '';
                    
                  } else {
                
                    echo '
';
                    echo $target_path . ' succesfully uploaded!';
                    echo '';
                    
                    }
            }
            else{
                echo '
Your image was not uploaded.';
            }
        }
?> 

View Code

$_FILES['uploaded']['type'];：获取上传文件的类型

$_FILES['uploaded']['size']; ：获取上传文件的大小

Upload上传高级代码（截取最后一个点后的字符串；识别%00）

File Upload Source
php
if (isset($_POST['Upload'])) {

            $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
            $target_path = $target_path . basename($_FILES['uploaded']['name']);
            $uploaded_name = $_FILES['uploaded']['name'];
            $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
            $uploaded_size = $_FILES['uploaded']['size'];

            if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){


                if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
                    
                    echo '
';
                    echo 'Your image was not uploaded.';
                    echo '';
                
                  } else {
                
                    echo '
';
                    echo $target_path . ' succesfully uploaded!';
                    echo '';
                    
                    }
            }
            
            else{
                
                echo '
';
                echo 'Your image was not uploaded.';
                echo '';

            }
        }

?>

View Code

 burpsuite:

%00截断上传：

正常文件地址：

www.xxx.com/image/qq.jpg

截断文件地址：

www.xxx.com/image/qq.asp%00.jpg = www.xxx.com/image/qq.asp 

 

经验：

编辑器上传功能一般不要去尝试上传突破，没漏洞.

采用网站自身的上传应用，尝试上传突破

 

转载于:https://www.cnblogs.com/hyit/articles/5363400.html