[基本实验] Web漏洞演示系统中的上传漏洞
LOW LEVEL:
直接上传webshell就成功了。
保存到的路径为C:\wamp\www\dvwa\hackable\uploads
![[基本实验] Web漏洞演示系统中的上传漏洞_第1张图片](http://img.e-com-net.com/image/info5/d50bf4dd0f2d4aa0957390677763a6b6.jpg)
![[基本实验] Web漏洞演示系统中的上传漏洞_第2张图片](http://img.e-com-net.com/image/info5/271d285fbefd468d8df458b2287d8630.jpg)
HIGH LEVEL:
检查是否限制了后缀名
先看看是不是黑名单机制,将ma2.php分别改写为ma2.php.rar;ma2.pHp;ma2.php.和ma2.php[空格],这些操作需要在Burp上完成。结果失败。
检查是否检查了MIME,还是先上传ma2.jpg,这样Content-Type已经是image类型了,随后将后缀改回到php。结果失败。
看是否检查了文件头,利用COPY命令将图片和木马结合,命名为jpg文件,随后在Burp中改回到php。结果失败。
![[基本实验] Web漏洞演示系统中的上传漏洞_第3张图片](http://img.e-com-net.com/image/info5/2c9888ca6db54f8f9d91d6738c403629.jpg)
查看源代码得知,其检查了上传文件的后缀名仅为jpg,JPG,jpeg,JPEG才可以上传成功。
在此php环境下,这种方式是无法再绕过了。
直接上传webshell就成功了。
保存到的路径为C:\wamp\www\dvwa\hackable\uploads
MID LEVEL:
直接上传webshell不成功,会显示“Your image was not uploaded.”先将ma2.php的后缀改为jpg,然后上传,在Burp中将后缀名再改回到php。
也可以直接上传ma2.php,然后在Burp中将Content-Type:image/jpeg。
成功
HIGH LEVEL:
检查是否限制了后缀名
先看看是不是黑名单机制,将ma2.php分别改写为ma2.php.rar;ma2.pHp;ma2.php.和ma2.php[空格],这些操作需要在Burp上完成。结果失败。
检查是否检查了MIME,还是先上传ma2.jpg,这样Content-Type已经是image类型了,随后将后缀改回到php。结果失败。
看是否检查了文件头,利用COPY命令将图片和木马结合,命名为jpg文件,随后在Burp中改回到php。结果失败。
查看源代码得知,其检查了上传文件的后缀名仅为jpg,JPG,jpeg,JPEG才可以上传成功。
在此php环境下,这种方式是无法再绕过了。
但是在asp环境下,可以将上级目录命名为*.asp,然后让jpg以asp文件执行。
后记:
<?php
#LOW LEVEL
if (isset($_POST['Upload'])) {
$target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
$target_path = $target_path . basename( $_FILES['uploaded']['name']);
if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
echo '<pre>';
echo 'Your image was not uploaded.';
echo '</pre>';
} else {
echo '<pre>';
echo $target_path . ' succesfully uploaded!';
echo '</pre>';
}
}
?>
<?php
#MID LEVEL
if (isset($_POST['Upload'])) {
$target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
$target_path = $target_path . basename($_FILES['uploaded']['name']);
$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_type = $_FILES['uploaded']['type'];
$uploaded_size = $_FILES['uploaded']['size'];
if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){
if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
echo '<pre>';
echo 'Your image was not uploaded.';
echo '</pre>';
} else {
echo '<pre>';
echo $target_path . ' succesfully uploaded!';
echo '</pre>';
}
}
else{
echo '<pre>Your image was not uploaded.</pre>';
}
}
?>
<?php
#HIGH LEVEL
if (isset($_POST['Upload'])) {
$target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
$target_path = $target_path . basename($_FILES['uploaded']['name']);
$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
$uploaded_size = $_FILES['uploaded']['size'];
if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){
if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
echo '<pre>';
echo 'Your image was not uploaded.';
echo '</pre>';
} else {
echo '<pre>';
echo $target_path . ' succesfully uploaded!';
echo '</pre>';
}
}
else{
echo '<pre>';
echo 'Your image was not uploaded.';
echo '</pre>';
}
}
?>