DVWA-File Upload - 北京网站建设

Low

后端代码没有对上传的文件做任何过滤，所以可以上传一句话木马。

<?phpif( isset( $_POST[ 'Upload' ] ) ) {// Where are we going to be writing to?$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );// Can we move the file to the upload folder?if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {// No$html .= '<pre>Your image was not uploaded.</pre>';}else {// Yes!$html .= "<pre>{$target_path} succesfully uploaded!</pre>";}
}?>

在PHP中，$_FILES 是一个全局数组，用于处理通过HTML表单上传的文件。每个上传的文件在 $_FILES 数组中都有自己的子数组，包含文件的各种信息。

$_FILES 各项属性的详细说明
$_FILES['uploaded']['name']:上传文件的原始名称。$_FILES['uploaded']['type']:上传文件的MIME类型（如 image/jpeg），由浏览器提供。$_FILES['uploaded']['tmp_name']:上传文件在服务器上的临时文件路径。$_FILES['uploaded']['error']:上传过程中可能发生的错误代码。
常见的错误代码：
UPLOAD_ERR_OK (0): 没有错误，文件上传成功。
UPLOAD_ERR_INI_SIZE (1): 上传文件超过了 php.ini 中 upload_max_filesize 选项限制的值。
UPLOAD_ERR_FORM_SIZE (2): 上传文件超过了HTML表单中 MAX_FILE_SIZE 选项指定的值。
UPLOAD_ERR_PARTIAL (3): 文件只有部分被上传。
UPLOAD_ERR_NO_FILE (4): 没有文件被上传。
UPLOAD_ERR_NO_TMP_DIR (6): 找不到临时文件夹。
UPLOAD_ERR_CANT_WRITE (7): 文件写入失败。
UPLOAD_ERR_EXTENSION (8): 文件上传被PHP扩展程序中断。$_FILES['uploaded']['size']:上传文件的大小，以字节为单位。

Medium

观察后端代码，对上传文件的MIME类型，大小进行了限制。

<?phpif( isset( $_POST[ 'Upload' ] ) ) {// Where are we going to be writing to?$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );// File information$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];// Is it an image?if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&( $uploaded_size < 100000 ) ) {// Can we move the file to the upload folder?if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {// No$html .= '<pre>Your image was not uploaded.</pre>';}else {// Yes!$html .= "<pre>{$target_path} succesfully uploaded!</pre>";}}else {// Invalid file$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';}
}?>

我们可以通过burp抓包之后，修改对应参数进行绕过
在这里插入图片描述

上传成功

High

观察后端代码，对上传文件的后缀，文件头进行了过滤。

<?phpif( isset( $_POST[ 'Upload' ] ) ) {// Where are we going to be writing to?$target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );// File information$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];// Is it an image?if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&( $uploaded_size < 100000 ) &&getimagesize( $uploaded_tmp ) ) {// Can we move the file to the upload folder?if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {// No$html .= '<pre>Your image was not uploaded.</pre>';}else {// Yes!$html .= "<pre>{$target_path} succesfully uploaded!</pre>";}}else {// Invalid file$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';}
}?>

文件头绕过记录两种方法
1.把shell.php和一张图片放在一起，执行copy命令，如图
在这里插入图片描述
2.用十六进制软件直接在文件开头加上文固定内容的文件头

之后直接上传

上传之后都结合文件包含漏洞High Level执行DVWA-File Inclusion（因为要将png后缀图片按php文件解析）

http://192.168.20.156/DVWA/vulnerabilities/fi/?page=file:///C:\phpstudy_pro\WWW\DVWA\hackable\uploads\shell.png

上传之后用蚁剑连接，直接连接是显示不成功，是因为没有cookie。
之后浏览网站，进入网站修改难度为high（因为DVWA默认难度为impossible难度没法绕过）并保存cookie。
在这里插入图片描述

Impossible

观察后端源码发现，对文件内容进行了严格地检查，对文件进行重命名，文件大小后缀都进行了限制，同时加入token。

<?phpif( isset( $_POST[ 'Upload' ] ) ) {// Check Anti-CSRF tokencheckToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );// File information$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];$uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];$uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];// Where are we going to be writing to?$target_path   = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';//$target_file   = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';$target_file   =  md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;$temp_file     = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );$temp_file    .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;// Is it an image?if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&( $uploaded_size < 100000 ) &&( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&getimagesize( $uploaded_tmp ) ) {// Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)if( $uploaded_type == 'image/jpeg' ) {$img = imagecreatefromjpeg( $uploaded_tmp );imagejpeg( $img, $temp_file, 100);}else {$img = imagecreatefrompng( $uploaded_tmp );imagepng( $img, $temp_file, 9);}imagedestroy( $img );// Can we move the file to the web root from the temp folder?if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {// Yes!$html .= "<pre><a href='{$target_path}{$target_file}'>{$target_file}</a> succesfully uploaded!</pre>";}else {// No$html .= '<pre>Your image was not uploaded.</pre>';}// Delete any temp filesif( file_exists( $temp_file ) )unlink( $temp_file );}else {// Invalid file$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';}
}// Generate Anti-CSRF token
generateSessionToken();?>