File Upload

File upload vulnerability: the type and content of uploaded files are not strictly filtered or checked, so an attacker can upload a webshell (trojan) and obtain webshell access on the server.

Conditions for exploiting the vulnerability: 1. the file can be uploaded successfully; 2. the uploaded file can be executed; 3. the path of the uploaded file is known.

【low】

Server-side code:

```php
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>
```

`isset( $_POST[ 'Upload' ] )` checks whether a file has been submitted.

`target_path` is the destination path:

http://127.0.0.1/dvwa/vulnerabilities/upload/hackable/uploads/

`basename(path, suffix)` returns the filename component of a path.

Write a webshell and upload it.

![image-20210428193152706](File Upload/image-20210428193152706.png)

The uploaded webshell's path is:

http://127.0.0.1/dvwa/hackable/uploads/low.php

Install 蚁剑 (AntSword).

Obtain webshell access.

【medium】

```php
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>
```

Compared with the Low level, the following has been added:

```php
    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {
```

This restricts the file type to JPEG or PNG and requires the file size to be less than 100000 bytes. Note that `$uploaded_type` comes from the `Content-Type` header the client sends with the request, not from the file's actual contents.

Uploading the original webshell file now gives:

![image-20210428205148899](File Upload/image-20210428205148899.png)
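The Low handler performs no checks at all, and the Medium handler checks only the client-supplied `Content-Type` and size, so both leave the three exploitation conditions above satisfied. The following is an added example of a hardened handler written for this page; it is not DVWA's own code. It keeps the page's form field name `uploaded`, the `DVWA_WEB_PAGE_TO_ROOT` constant and the `hackable/uploads/` directory, and the 100000-byte limit; the function name `validate_upload` and the random filename scheme are assumptions of this example.

```php
<?php
// Added example (not DVWA's own code): a hardened version of the upload handler.
// Assumes the same 'uploaded' form field and DVWA_WEB_PAGE_TO_ROOT constant as DVWA.

// Returns [true, extension] when the upload is acceptable, [false, reason] otherwise.
function validate_upload(array $file): array
{
    // 1. Reject anything PHP itself flagged (no file, partial upload, size limit hit).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'Upload error'];
    }
    // 2. Only accept a temp file that really came from this HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'Not an uploaded file'];
    }
    // 3. Measure the bytes actually written to disk, not the client-reported 'size'.
    if (filesize($file['tmp_name']) >= 100000) {
        return [false, 'File too large'];
    }
    // 4. Extension allowlist taken from the client-supplied name, lower-cased.
    //    Anything not listed (php, phtml, phar, ...) is rejected, so no script
    //    extension can ever reach the upload directory (removes condition 2).
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return [false, 'Extension not allowed'];
    }
    // 5. Content-based MIME detection. $_FILES['uploaded']['type'] is just the
    //    Content-Type header the client chose; finfo looks at the file bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        return [false, 'Content does not match extension'];
    }
    // 6. The file must also decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return [false, 'Not a valid image'];
    }
    return [true, $ext];
}

if (isset($_POST['Upload'])) {
    [$ok, $info] = validate_upload($_FILES['uploaded'] ?? []);
    if (!$ok) {
        echo '<pre>Your image was not uploaded: ' . htmlspecialchars($info) . '</pre>';
    } else {
        // 7. Server-chosen random name: the attacker no longer controls the stored
        //    filename, and the path is not echoed back (removes condition 3).
        $new_name   = bin2hex(random_bytes(16)) . '.' . $info;
        $target_dir = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
        if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_dir . $new_name)) {
            echo '<pre>Image uploaded.</pre>';
        } else {
            echo '<pre>Your image was not uploaded.</pre>';
        }
    }
}
?>
```

Checks 5 and 6 can still be satisfied by a genuine image that has script text appended, so on their own they are not sufficient; the controls that actually break condition 2 are the extension allowlist (step 4) and, at the web server, disabling script execution for the upload directory (for example, serving `hackable/uploads/` with the PHP engine turned off). Step 7 breaks condition 3 by never revealing the stored path. Taken together, these leave an attacker who can still upload a file (condition 1) with nothing they can execute or locate.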

Posted @ 2021-07-03 16:28 by dem0n小姐姐