DVWA: File Upload

1. The File Upload test page

[Figure fu1]

2. Uploading with security=low

(1) Upload a PHP one-line webshell directly. There is no filtering, so the upload succeeds; the page reports the stored path, which is then used to connect with China Chopper (菜刀).

[Figure fu2]

(2) Connect with China Chopper; the webshell is obtained.

[Figure fu3]

3. Uploading with security=medium

(1) Upload a .php file directly: the upload fails.

[Figure fu9]

(2) Try uploading an image file: the upload succeeds.

[Figure fu10]

(3) Capture both requests with Burp Suite and compare them in Comparer.

[Figure fu4]

(4) Re-upload the PHP webshell with the Content-Type value modified: the upload succeeds.

[Figure fu5]

[Figure fu6]

[Figure fu7]

(5) Connect with China Chopper and obtain the webshell.

[Figure fu8]
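Seen from the defending side, the walkthrough above ends with a script sitting in the hackable/uploads/ directory. As an added example (not part of the original post and not DVWA's own code), the PHP below audits an upload directory the way a responder would after such an incident: it flags files whose extension the web server would execute, and files whose bytes contain a PHP open tag regardless of what they are named. The RISKY_EXT list, the function names and the sample files written into a temporary directory are constructed for this example.

```php
<?php
// Added example, not DVWA code: audit an upload directory for files that
// should never have been accepted. Two independent signals are checked:
//   1. an extension the web server treats as executable (constructed list)
//   2. a PHP open tag inside the file's first bytes, whatever the extension
const RISKY_EXT = ['php', 'phtml', 'php3', 'php4', 'php5', 'phar'];

// Returns [filename => [reason, ...]] for every suspicious file in $dir.
function scan_uploads(string $dir): array {
    $findings = [];
    foreach (scandir($dir) as $entry) {
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if (!is_file($path)) {
            continue;                       // skips '.' and '..' and subdirectories
        }
        $reasons = [];

        $ext = strtolower(pathinfo($entry, PATHINFO_EXTENSION));
        if (in_array($ext, RISKY_EXT, true)) {
            $reasons[] = "executable extension .$ext";
        }

        // Only the first 4 KiB are read; enough to catch a tag at the top of a file.
        $head = file_get_contents($path, false, null, 0, 4096);
        if (stripos($head, '<?php') !== false || strpos($head, '<?=') !== false) {
            $reasons[] = 'PHP open tag in content';
        }

        if ($reasons) {
            $findings[$entry] = $reasons;
        }
    }
    return $findings;
}

// Constructed sample directory for a stand-alone run.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/cat.jpg",   "\xFF\xD8\xFF\xE0" . str_repeat("\x00", 32)); // plain JPEG header
file_put_contents("$dir/info.php",  "<?php phpinfo(); ?>");                         // script by extension
file_put_contents("$dir/notes.txt", "<?php echo 'hi'; ?>");                         // script by content only

foreach (scan_uploads($dir) as $name => $reasons) {
    echo "$name: " . implode(', ', $reasons) . "\n";
}

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Run it with the PHP CLI; cat.jpg produces no finding, info.php is reported for both signals and notes.txt for its content only. Pointing `scan_uploads()` at the real uploads directory (and scheduling it) gives a cheap detective control that complements, rather than replaces, validation at upload time.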

Now let's analyze the source code:

1、Low File Upload Source

<?php
    if (isset($_POST['Upload'])) {

        // Destination: the uploads directory plus the client-supplied file name.
        $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
        $target_path = $target_path . basename( $_FILES['uploaded']['name']);

        // No check on name, type, content or size before the file is moved.
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    }
?>

2、Medium File Upload Source

<?php
    if (isset($_POST['Upload'])) {

        $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
        $target_path = $target_path . basename($_FILES['uploaded']['name']);
        $uploaded_name = $_FILES['uploaded']['name'];
        $uploaded_type = $_FILES['uploaded']['type'];   // MIME type as declared by the client
        $uploaded_size = $_FILES['uploaded']['size'];

        // Only the client-declared type and the size are checked.
        if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){

            if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
                echo '<pre>';
                echo 'Your image was not uploaded.';
                echo '</pre>';
            } else {
                echo '<pre>';
                echo $target_path . ' succesfully uploaded!';
                echo '</pre>';
            }
        }
        else{
            echo '<pre>Your image was not uploaded.</pre>';
        }
    }
?>

3、High File Upload Source

<?php
    if (isset($_POST['Upload'])) {

        $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
        $target_path = $target_path . basename($_FILES['uploaded']['name']);
        $uploaded_name = $_FILES['uploaded']['name'];
        // Extension = everything after the last dot in the file name.
        $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
        $uploaded_size = $_FILES['uploaded']['size'];

        // Case-sensitive extension whitelist plus a size limit.
        if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){

            if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
                echo '<pre>';
                echo 'Your image was not uploaded.';
                echo '</pre>';
            } else {
                echo '<pre>';
                echo $target_path . ' succesfully uploaded!';
                echo '</pre>';
            }
        }
        else{
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        }
    }
?>

Comparing the three levels:

The Low-level code does almost nothing with the uploaded file; a file of any format and any size can be uploaded.

The Medium-level code checks the format of the uploaded file: it must be image/jpeg, and the file size is limited so it cannot be too large, which effectively prevents a large webshell from being uploaded directly. This check can be bypassed by modifying the request.

The High-level code extracts the file's extension from the name and only allows the upload when the extension is jpg, JPG, jpeg or JPEG and the file size is under 100000; mixed-case spellings such as Jpg, jPg or JPeg also fail to upload. This is a whitelist-based filtering strategy, and it works well.
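As an added example (not DVWA's code and not from the original post), here is a stricter validator in PHP that combines what the analysis above points at: the Medium check trusts `$_FILES['uploaded']['type']`, which is only the Content-Type the client sent and which the Burp step showed can be changed freely, while the High check looks at nothing but the extension. The function below lower-cases the extension before comparing it to a whitelist, enforces the size limit, inspects the file's first bytes instead of the declared type, and chooses the stored file name itself so the uploader never controls it. The constants, the function names and the sample `$_FILES`-style arrays are constructed for this example.

```php
<?php
// Added example, not DVWA code: a server-side upload validator that does not
// rely on anything the client declares about the file.
const ALLOWED_EXT = ['jpg', 'jpeg'];   // whitelist, compared after strtolower()
const MAX_BYTES   = 100000;            // same limit as the Medium/High levels

// JPEG data starts with the bytes FF D8 FF. The bytes on disk are checked,
// not $_FILES[...]['type'], which is just the request's Content-Type header.
function looks_like_jpeg(string $path): bool {
    $head = file_get_contents($path, false, null, 0, 3);
    return $head === "\xFF\xD8\xFF";
}

// Validate one $_FILES entry. Returns [accepted, message, server-chosen name or null].
function validate_upload(array $file): array {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error', null];
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return [false, 'extension not allowed', null];
    }
    if ($file['size'] >= MAX_BYTES) {
        return [false, 'file too large', null];
    }
    if (!looks_like_jpeg($file['tmp_name'])) {
        return [false, 'content is not a JPEG', null];
    }
    // Random server-side name: the original file name never reaches the filesystem.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    return [true, 'ok', $newName];
}

// Constructed inputs for a stand-alone run (no real HTTP upload involved).
function make_temp(string $bytes): string {
    $p = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($p, $bytes);
    return $p;
}

$jpeg   = make_temp("\xFF\xD8\xFF\xE0" . str_repeat("\x00", 64));
$script = make_temp("<?php echo 1; ?>");

$cases = [
    'real jpeg, .jpg'       => ['name' => 'photo.jpg',  'type' => 'image/jpeg', 'size' => 68, 'tmp_name' => $jpeg,   'error' => UPLOAD_ERR_OK],
    'script, .php'          => ['name' => 'script.php', 'type' => 'image/jpeg', 'size' => 16, 'tmp_name' => $script, 'error' => UPLOAD_ERR_OK],
    'script, .jpg + type'   => ['name' => 'script.jpg', 'type' => 'image/jpeg', 'size' => 16, 'tmp_name' => $script, 'error' => UPLOAD_ERR_OK],
    'real jpeg, .JPeg'      => ['name' => 'photo.JPeg', 'type' => 'image/jpeg', 'size' => 68, 'tmp_name' => $jpeg,   'error' => UPLOAD_ERR_OK],
];
foreach ($cases as $label => $f) {
    [$ok, $msg, $newName] = validate_upload($f);
    printf("%-22s -> %s (%s)%s\n", $label, $ok ? 'accept' : 'reject', $msg, $ok ? " as $newName" : '');
}

unlink($jpeg);
unlink($script);
```

Run with the PHP CLI, the first and last cases are accepted (the mixed-case name is normalised to a .jpeg file with a random name) and the two script cases are rejected even though both carry the `image/jpeg` Content-Type that defeats the Medium level. A real deployment would pair this with a web-server rule that disables script execution inside the uploads directory, so that a file which slips past validation is still served as static data rather than run.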
