Low:

```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
        $html .= '<pre>';
        $html .= 'Your image was not uploaded.';
        $html .= '</pre>';
    } else {
        $html .= '<pre>';
        $html .= $target_path . ' succesfully uploaded!';
        $html .= '</pre>';
    }
}
?>
```

Bypass: there is no filtering at all, so a shell with a .php extension is uploaded directly.
Medium:

```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_type = $_FILES['uploaded']['type'];
    $uploaded_size = $_FILES['uploaded']['size'];
    if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)) {
        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            $html .= '<pre>';
            $html .= 'Your image was not uploaded.';
            $html .= '</pre>';
        } else {
            $html .= '<pre>';
            $html .= $target_path . ' succesfully uploaded!';
            $html .= '</pre>';
        }
    } else {
        echo 'Your image was not uploaded.';
    }
}
?>
```

Bypass: the extension is not checked, only the header. Capture the request and change the header Content-Type: application/octet-stream to Content-Type: image/gif, and the shell is uploaded successfully.
High:

```php
<?php
if (isset($_POST['Upload'])) {
    $target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
    $target_path = $target_path . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)) {
        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            $html .= '<pre>';
            $html .= 'Your image was not uploaded.';
            $html .= '</pre>';
        } else {
            $html .= '<pre>';
            $html .= $target_path . ' succesfully uploaded!';
            $html .= '</pre>';
        }
    } else {
        $html .= '<pre>';
        $html .= 'Your image was not uploaded.';
        $html .= '</pre>';
    }
}
?>
```

`$uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);` extracts the extension (everything after the last dot).

Because this extraction is also affected by %00 truncation, only the extension after the %00 is checked; constructing 1.php jpg (%00) therefore yields an extension of php. A PHP version issue?

`move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)` does not rename the uploaded file. On IIS 6.0, constructing x.php;.jpg bypasses the check and is parsed as PHP; under Apache, x.php.gif can break through.
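As an added example (not DVWA's code and not the original author's), the handler below closes each gap the analysis above identifies: it validates the whole filename against an allowlist rather than the text after the last dot, rejects null bytes, inspects the file bytes instead of trusting the client's Content-Type, and stores the upload under a random name so the client-chosen name (x.php;.jpg, x.php.gif) never reaches the disk. It assumes the DVWA_WEB_PAGE_TO_ROOT constant and the $html variable from the snippets above.

```php
<?php
// Added example, not DVWA code: hardened validation for the upload handler analysed above.
// Assumes DVWA_WEB_PAGE_TO_ROOT and $html exist as in the original snippets.

function safe_upload_name(array $file, int $max_size = 100000): ?string
{
    // Only accept a file that PHP itself received without error via the upload mechanism.
    if (($file['error'] ?? -1) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] >= $max_size) {
        return null;
    }
    $name = $file['name'];
    // Reject null bytes instead of letting strrpos()/substr() judge only the tail of the name.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // Validate the whole name: one base name, one dot, one allowlisted extension.
    // This rejects x.php;.jpg and x.php.gif regardless of how the web server parses them.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.jpe?g\z/i', $name)) {
        return null;
    }
    // Ignore the client-supplied Content-Type; inspect the bytes on disk.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg' || @getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Never reuse the client's name: random name, fixed extension.
    return bin2hex(random_bytes(16)) . '.jpg';
}

if (isset($_POST['Upload'])) {
    $target_dir = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $new_name = safe_upload_name($_FILES['uploaded']);
    if ($new_name === null
        || !move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_dir . $new_name)) {
        $html .= '<pre>Your image was not uploaded.</pre>';
    } else {
        $html .= '<pre>' . htmlspecialchars($new_name) . ' successfully uploaded!</pre>';
    }
}
?>
```

Renaming limits what the client controls but does not replace web-server configuration: the upload directory should also be served with script execution disabled.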
PHP basename() function

Definition and usage

basename() returns the filename component of a path.

Syntax

basename(path,suffix)

Parameters

path: Required. The path to examine.
suffix: Optional. A file extension; if the filename ends in suffix, that extension is not output.

Example

```php
<?php
$path = "/testweb/home.php";
// show the filename with its extension
echo basename($path);
// show the filename without its extension
echo basename($path,".php");
?>
```

Output:

home.php home
PHP strrpos() function

Definition and usage

strrpos() finds the position of the last occurrence of a string inside another string.

On success it returns the position; otherwise it returns false.

Syntax

strrpos(string,find,start)

Parameters

string: Required. The string to search in.
find: Required. The characters to search for.
start: Optional. The position at which to begin searching.
Reposted from: http://www.claepo.com/2012/01/upload-attack-analysis/, with some modifications.