安全 | Last Regrets

File Upload

DVWA File upload 过关秘籍. LOW if( isset( $_POST[ 'Upload' ] ) ) { // Where are we going to be writing to? $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); // Can we move the file to the upload folder? // 完全没做过滤. // 上传一个PHP文件也是可以的. if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { // No echo '<pre>Your image was not uploaded.</pre>'; } else { // Yes! echo "<pre>{$target_path} succesfully uploaded!</pre>"; } } Medium if( isset( $_POST[ 'Upload' ] ) ) { // Where are we going to be writing to? $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); // File information $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ]; $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; // Is it an image? // // 开始做了一些过滤 // 下面是官方对$_FILES 函数的描述 // [name] => MyFile.txt (comes from the browser, so treat as tainted) // [type] => text/plain (not sure where it gets this from - assume the browser, so treat as tainted) // [tmp_name] => /tmp/php/php1h4j1o (could be anywhere on your system, depending on your config settings, but the user has no control, so this isn't tainted) // [error] => UPLOAD_ERR_OK (= 0) // [size] => 123 (the size in bytes) // 其中对name和type的description的描述都是 `treat as tainted`(被污染的) // 这意味着它有可能会被修改 unsafe // 我们可以尝试上传一个PHP文件，使用一些拦截请求工具，修改即将发出的请求. // 来达到修改`name`中的后缀名和`type`中的媒体类型. if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && ( $uploaded_size < 100000 ) ) { // Can we move the file to the upload folder? if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { // No echo '<pre>Your image was not uploaded.</pre>'; } else { // Yes! echo "<pre>{$target_path} succesfully uploaded!</pre>"; } } else { // Invalid file echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; } } High if( isset( $_POST[ 'Upload' ] ) ) { // Where are we going to be writing to? $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); // File information $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; // jpg $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); // file size $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; // tmp_name 是临时副本的名字 $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ]; // Is it an image? // 和上面的比起来多个一个文件后缀名的判断. // strtolower 转小写 // 扩展名只要满足jpeg,png或者jpg就行 if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && ( $uploaded_size < 100000 ) && // getimagesize 获取图像信息 // 这个函数保证你穿的一定得是个图像 // 可以用图片木马绕过 getimagesize( $uploaded_tmp ) ) { // Can we move the file to the upload folder? if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) { // No echo '<pre>Your image was not uploaded.</pre>'; } else { // Yes! echo "<pre>{$target_path} succesfully uploaded!</pre>"; } } else { // Invalid file echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; } } High if( isset( $_POST[ 'Upload' ] ) ) { // Where are we going to be writing to? $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); // File information $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ]; // Is it an image? // 对比上面多验证了文件的后缀名 if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && ( $uploaded_size < 100000 ) && // 函数会通过读取文件头，返回图片的长、宽等信息，如果没有相关的图片文件头，函数会报错 getimagesize( $uploaded_tmp ) ) { // 可以看到，High级别的代码读取文件名中最后一个”.”后的字符串，期望通过文件名来限制文件类型 // 因此要求上传文件名形式必须是”*.jpg”、”*.jpeg” 、”*.png”之一 // 同时，getimagesize函数更是限制了上传文件的文件头必须为图像类型 // Can we move the file to the upload folder? if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) { // No echo '<pre>Your image was not uploaded.</pre>'; } else { // Yes! echo "<pre>{$target_path} succesfully uploaded!</pre>"; } } else { // Invalid file echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; } } Impossible if( isset( $_POST[ 'Upload' ] ) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // File information $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ]; $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ]; // Where are we going to be writing to? $target_path = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/'; //$target_file = basename( $uploaded_name, '.' . $uploaded_ext ) . '-'; // MD5 加密 $target_file = md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext; $temp_file = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) ); $temp_file .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext; // Is it an image? if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) && ( $uploaded_size < 100000 ) && ( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) && getimagesize( $uploaded_tmp ) ) { // Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD) if( $uploaded_type == 'image/jpeg' ) { $img = imagecreatefromjpeg( $uploaded_tmp ); imagejpeg( $img, $temp_file, 100); } else { $img = imagecreatefrompng( $uploaded_tmp ); imagepng( $img, $temp_file, 9); } imagedestroy( $img ); // Can we move the file to the web root from the temp folder? if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) { // Yes! echo "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>"; } else { // No echo '<pre>Your image was not uploaded.</pre>'; } // Delete any temp files if( file_exists( $temp_file ) ) unlink( $temp_file ); } else { // Invalid file echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; } } // Generate Anti-CSRF token generateSessionToken(); Extension 00%截断 ...

SQL Injection

DVWA SQL Injection 过关秘籍. LOW if( isset( $_REQUEST[ 'Submit' ] ) ) { // Get input $id = $_REQUEST[ 'id' ]; // Check database $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; // 并没有做什么注入防护 // 尝试构造： // select first_name, last_name from from users where user_id = '1' and 1=1; // select first_name, last_name from from users where user_id = '1' and 1=2; // select first_name, last_name from from users where user_id = '1' or 1=1; $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' ); // Get results $num = mysql_numrows( $result ); $i = 0; while( $i < $num ) { // Get values $first = mysql_result( $result, $i, "first_name" ); $last = mysql_result( $result, $i, "last_name" ); // Feedback for end user echo "<pre>ID: {$id} First name: {$first} Surname: {$last}</pre>"; // Increase loop count $i++; } mysql_close(); } Medium if( isset( $_POST[ 'Submit' ] ) ) { // Get input // 换成了Post 这也太普通了 // 使用一些网络请求工具照样改，比如BurpSuite，PostMan，curl. $id = $_POST[ 'id' ]; $id = mysql_real_escape_string( $id ); // mysql_real_escape_string 可以对以下字符进行转义 // \x00, \n, \r, \, ', " 和 \x1a. // 值得注意的是 mysql_real_escape_string 函数所在的MYSQL扩展在 // PHP 5.5.0 起已废弃，并在自 PHP 7.0.0 开始被移除。 // Check database $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; // 尝试构造: // SELECT first_name, last_name FROM users WHERE user_id = 1 or 1=1; $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' ); // Get results $num = mysql_numrows( $result ); $i = 0; while( $i < $num ) { // Display values $first = mysql_result( $result, $i, "first_name" ); $last = mysql_result( $result, $i, "last_name" ); // Feedback for end user echo "<pre>ID: {$id} First name: {$first} Surname: {$last}</pre>"; // Increase loop count $i++; } //mysql_close(); } High if( isset( $_SESSION [ 'id' ] ) ) { // Get input $id = $_SESSION[ 'id' ]; // Check database // 看起来做了返回条目限制 $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; // 没什么套路 // SELECT first_name, last_name FROM users WHERE user_id = '1' or 1=1 # ' LIMIT 1; $result = mysql_query( $query ) or die( '<pre>Something went wrong.</pre>' ); // Get results $num = mysql_numrows( $result ); $i = 0; while( $i < $num ) { // Get values $first = mysql_result( $result, $i, "first_name" ); $last = mysql_result( $result, $i, "last_name" ); // Feedback for end user echo "<pre>ID: {$id} First name: {$first} Surname: {$last}</pre>"; // Increase loop count $i++; } mysql_close(); } impossible if( isset( $_GET[ 'Submit' ] ) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Get input $id = $_GET[ 'id' ]; // Was a number entered? if(is_numeric( $id )) { // Check the database // 这是！PDO! // PDO 是一种PHP中比较先进的面向对象形式的数据库访问技术 // 不过即使是面向对象它还是事务脚本形式的。 // 提供了防SQL注入的功能。 $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' ); // 无法注入 $data->bindParam( ':id', $id, PDO::PARAM_INT ); $data->execute(); $row = $data->fetch(); // Make sure only 1 result is returned if( $data->rowCount() == 1 ) { // Get values $first = $row[ 'first_name' ]; $last = $row[ 'last_name' ]; // Feedback for end user echo "<pre>ID: {$id} First name: {$first} Surname: {$last}</pre>"; } } } // Generate Anti-CSRF tsoken generateSessionToken(); Extension 二次注入: ...

Sql Injection Blind

返回的结果集无法看到，只能通过一些页面显示或状态来判断。像瞎子一样。 DVWA SQL Injection blind 过关秘籍. Low if(isset( $_GET[ 'Submit' ])) { // Get input $id = $_GET[ 'id' ]; // Check database $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; // 没有一点点防备 // 尝试构造: (由于看不到结果集，所以脱裤子的语句是无效) // SELECT first_name, last_name FROM users WHERE user_id = '0' union select 1,2 # '; // User ID exists in the database. <存在注入漏洞> // SELECT first_name, last_name FROM users WHERE user_id = '0' union select 1,if(length( database())=4,sleep(4),2) # '; $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors // Get results $num = @mysql_numrows( $result ); // The '@' character suppresses errors if( $num > 0 ) { // Feedback for end user echo '<pre>User ID exists in the database.</pre>'; } else { // User wasn't found, so the page wasn't! header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); // Feedback for end user echo '<pre>User ID is MISSING from the database.</pre>'; } mysql_close(); } MIEDUM if( isset( $_POST[ 'Submit' ] ) ) { // Get input $id = $_POST[ 'id' ]; $id = mysql_real_escape_string( $id ); // Check database $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; // 尝试构造: // SELECT first_name, last_name FROM users WHERE user_id = 0 union select 1,2; // 以上判断存在注入漏洞 // SELECT first_name, last_name FROM users WHERE user_id = 0 union select 1,if(length(database()) > 4, sleep(3), 2) $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors // Get results $num = @mysql_numrows( $result ); // The '@' character suppresses errors if( $num > 0 ) { // Feedback for end user echo '<pre>User ID exists in the database.</pre>'; } else { // Feedback for end user echo '<pre>User ID is MISSING from the database.</pre>'; } //mysql_close(); } High if( isset( $_SESSION['id'])){ // Get input $id = $_SESSION[ 'id' ]; // Check database $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; // 没有新花样，只限制输出条目是无法拦住我们的 // 尝试构造: // SELECT first_name, last_name FROM users WHERE user_id = '0' union select 1,if(length(database()) = 4, sleep(3), 2) # LIMIT 1; $result = mysql_query( $query ) or die( '<pre>Something went wrong.</pre>' ); // Get results $num = mysql_numrows( $result ); $i = 0; while( $i < $num ) { // Get values $first = mysql_result( $result, $i, "first_name" ); $last = mysql_result( $result, $i, "last_name" ); // Feedback for end user echo "<pre>ID: {$id} First name: {$first} Surname: {$last}</pre>"; // Increase loop count $i++; } mysql_close(); } High if( isset( $_GET[ 'Submit' ] ) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Get input $id = $_GET[ 'id' ]; // Was a number entered? if(is_numeric( $id )) { // Check the database // PDO 无法注入 $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' ); $data->bindParam( ':id', $id, PDO::PARAM_INT ); $data->execute(); // Get results if( $data->rowCount() == 1 ) { // Feedback for end user echo '<pre>User ID exists in the database.</pre>'; } else { // User wasn't found, so the page wasn't! header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); // Feedback for end user echo '<pre>User ID is MISSING from the database.</pre>'; } } } // Generate Anti-CSRF token generateSessionToken();