DVWA靶场之File Upload(文件上传)通关
Low:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>
上传漏洞是有限制的,第一能上传上去,第二上传上去的文件可以被执行,第三上传路径已知
低级别就直接传一句话木马
暴露出路径,蚁剑连就好
Medium:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
嗯,对上传文件的类型大小有限制,文件类型必须是jpeg或者png,大小不能超过100000B
把lcx.php改成lcx.png,上传用burp suite抓包,把filename改成lcx.php即可,再用蚁剑连
如果PHP版本低的话Magic_quote_gpc=off,可以试试 00截断
当然一般不会有
High:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
熟悉的strrpos(string,find,start)函数,找find在string中最后一次出现的位置,start为开始搜索位置
getimagesize函数用于获取图像大小及相关信息,成功返回一个数组,失败则返回 FALSE
大致是判断了文件类型是否为.jpg .jpeg .png之一,且类型必须是图片
老办法,copy做一图片马
做完上传,蚁剑连接拿shell
Impossible:
此级别下首先就把上传文件重命名了,还有上传后也不显示路径了
最新文章
- 盘点销售一体机 打印POS一体的设备。 打印,盘点,销售PDA(手持终端)+移动销售POS软件
- vs 调试的时候 使用IP地址,局域网的设备可以访问并调试
- Python函数参数学习笔记
- POJ1985Cow Marathon[树的直径]
- 【ELK Stack】ELK+KafKa开发集群环境搭建
- HDU 4927
- html图像入门
- V9 二次开发技术篇之 模型数据库
- 【java提高】---ArrayList源码
- Technical debt
- Python开发爬虫之静态网页抓取篇:爬取“豆瓣电影 Top 250”电影数据
- Python自学:第三章 使用方法sort( )对列表进行永久性排序
- npm、webpack、vue-cli 快速上手版
- 安装redis出现cc adlist.o /bin/sh:1:cc:not found的解决方法
- Robot Framework 教程 (5) - 连接Oracel数据库
- 亚马逊MWS开发套路演示
- go基础语法-内置变量类型
- ray tracing/shadow,reflection, caustic
- 【spark】示例:求Top值
- (二)centos7安装zabbix agentd端