About DVWA

DVWA (Damn Vulnerable Web Application) is a PHP/MySQL web application built for practising security vulnerability assessment. It gives security professionals a legal environment in which to test their skills and tools, and helps web developers better understand the process of defending web applications.

DVWA has ten modules:

Brute Force
Command Injection
CSRF (Cross-Site Request Forgery)
File Inclusion
File Upload
Insecure CAPTCHA
SQL Injection
SQL Injection (Blind)
XSS (Reflected)
XSS (Stored)

Note that DVWA has four security levels: Low, Medium, High and Impossible. By comparing the code at the four levels, beginners get an introduction to PHP code auditing.

Command Injection

Command injection means breaking the structure of a command line by submitting maliciously crafted parameters, so that commands of the attacker's choosing get executed. PHP command injection is one of the common script vulnerabilities in PHP applications; well-known Chinese web applications such as Discuz! and DedeCMS have had vulnerabilities of this type in the past.

Low

Server-side core code

```php
<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>
```

Functions used

stristr(string, search, before_search)

stristr searches for the first occurrence of one string inside another and returns the remainder of the string from the match point, or FALSE if the searched string is not found. The parameter string is the string to be searched; search is the string to search for (if it is a number, the character with that ASCII value is matched); the optional boolean parameter before_search defaults to false, and when set to true the function returns the part of the string before the first occurrence of search instead.

php_uname(mode)

This function returns a description of the operating system PHP is running on. The mode parameter can be "a" (the default; includes all the modes in the sequence "s n r v m"), "s" (operating system name), "n" (host name), "r" (release name), "v" (version information) or "m" (machine type).

As the code shows, the server chooses a different ping command depending on the operating system, but applies no filtering at all to the ip parameter, which results in a serious command injection vulnerability.

Exploitation

On both Windows and Linux, && can be used to run several commands on one line:

127.0.0.1&&net user

On Linux, entering 127.0.0.1&&cat /etc/shadow can even read the shadow file, which shows how severe the impact is.

Medium

Server-side core code

```php
<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Set blacklist
    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );

    // Remove any of the characters in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>
```

Compared with the Low level, the server now applies some filtering to the ip parameter: it deletes "&&" and ";". This is essentially a blacklist mechanism, so security problems remain.

Exploitation

1. 127.0.0.1&net user

Only "&&" and ";" are filtered, so a single "&" is not affected.

Note the difference between "&&" and "&":

Command 1&&Command 2

Command 1 runs first; Command 2 runs only if Command 1 succeeded, otherwise it is skipped.

Command 1&Command 2

Command 1 runs first; Command 2 runs regardless of whether Command 1 succeeded.

2. Because str_replace replaces "&&" and ";" with the empty string in a single pass, the filter can also be bypassed like this:

127.0.0.1&;&ipconfig

The ";" in "127.0.0.1&;&ipconfig" is replaced with the empty string, which leaves "127.0.0.1&&ipconfig", and that executes successfully.
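The following is an added example and not DVWA's own code: it reproduces the Medium and High blacklists exactly as they appear on this page, runs them through the same single-pass str_replace() call, and then checks whether any shell metacharacters survive. This is the kind of filter test a reviewer can run against any blacklist-based sanitizer; the sample inputs are the ones discussed in the Medium and High sections plus a benign address, and the metacharacter pattern is my own choice.

```php
<?php
// Added example (not DVWA code): test what a str_replace() blacklist lets through.

// Medium-level blacklist, copied from the page.
const MEDIUM_BLACKLIST = ['&&' => '', ';' => ''];

// High-level blacklist, copied from the page. Note the trailing space in '| '.
const HIGH_BLACKLIST = [
    '&'  => '', ';' => '', '| ' => '', '-' => '', '$' => '',
    '('  => '', ')' => '', '`'  => '', '||' => '',
];

// Same single-pass replacement DVWA performs: each search string is applied
// in order to the result of the previous one, so removing ';' from '&;&'
// produces '&&' that no later pass removes.
function blacklistFilter(string $input, array $blacklist): string
{
    return str_replace(array_keys($blacklist), array_values($blacklist), $input);
}

// Characters a ping target must never contain (assumed set for this check).
function hasShellMetachars(string $s): bool
{
    return preg_match('/[&;|`$()<>\r\n]/', $s) === 1;
}

// Constructed inputs: one benign address and the values discussed on the page.
$samples = [
    '127.0.0.1',
    '127.0.0.1&&net user',
    '127.0.0.1&net user',
    '127.0.0.1&;&ipconfig',
    '127.0.0.1|whoami',
];

foreach (['Medium' => MEDIUM_BLACKLIST, 'High' => HIGH_BLACKLIST] as $level => $blacklist) {
    echo "== $level ==\n";
    foreach ($samples as $raw) {
        $filtered = blacklistFilter($raw, $blacklist);
        printf("%-22s -> %-22s %s\n", $raw, $filtered,
            hasShellMetachars($filtered) ? 'STILL DANGEROUS' : 'clean');
    }
}
```

Run it with the PHP CLI. For the Medium list the rows for "&" and "&;&" are reported as still dangerous; for the High list only the bare "|" row is, which matches the analysis in the High section below and shows why a blacklist has to be tested against its own replacement order, not just against the characters it names.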

High

Server-side core code

```php
<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = trim($_REQUEST[ 'ip' ]);

    // Set blacklist
    $substitutions = array(
        '&'  => '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );

    // Remove any of the characters in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>
```

Compared with the Medium level, the High level extends the blacklist further, but because of the inherent limitations of blacklisting it can still be bypassed.

Exploitation

The blacklist appears to filter every illegal character, but look closely: what it replaces with the empty string is "| " (note the space after the |), so a bare "|" slips through the net.

127.0.0.1|whoami

Command 1 | Command 2

"|" is the pipe operator: the output of Command 1 becomes the input of Command 2, and only the result of Command 2 is printed.

Impossible

Server-side core code

```php
<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $target = $_REQUEST[ 'ip' ];
    $target = stripslashes( $target );

    // Split the IP into 4 octets
    $octet = explode( ".", $target );

    // Check IF each octet is an integer
    if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) {
        // If all 4 octets are int's put the IP back together.
        $target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3];

        // Determine OS and execute the ping command.
        if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
            // Windows
            $cmd = shell_exec( 'ping  ' . $target );
        }
        else {
            // *nix
            $cmd = shell_exec( 'ping  -c 4 ' . $target );
        }

        // Feedback for the end user
        echo "<pre>{$cmd}</pre>";
    }
    else {
        // Oops. Let the user know there's a mistake
        echo '<pre>ERROR: You have entered an invalid IP.</pre>';
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>
```

Functions used

stripslashes(string)

stripslashes removes backslashes from the string and returns the un-escaped result.

explode(separator, string, limit)

Splits a string into an array and returns that array of strings. The parameter separator specifies where to split the string, string is the string to be split, and the optional parameter limit specifies the maximum number of array elements returned.

is_numeric(string)

Checks whether string is a number or a numeric string; returns TRUE if it is and FALSE otherwise.

The Impossible level adds an Anti-CSRF token and strictly constrains the ip parameter: only input of the form "number.number.number.number" is ever executed, so there is no command injection vulnerability.
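As an added example (my code, not DVWA's), here is the same ping handler written with an allow-list instead of a blacklist: the input is accepted only if PHP's built-in FILTER_VALIDATE_IP (restricted to IPv4) recognises it as an address, and the value is still wrapped in escapeshellarg() as defence in depth before it reaches the shell. The function names validateTarget, buildPingCommand and handlePing and the dry-run flag are assumptions for this example; the sample inputs are constructed from the page's payloads plus two values that a per-octet is_numeric() check would accept ("1e3" and a leading space are numeric to PHP) but that are not real addresses.

```php
<?php
// Added example (not DVWA code): allow-list validation plus shell quoting.

// Return the validated IPv4 address, or null when the input is anything else.
// No blacklist is involved: whatever is not an address is rejected outright,
// so no shell metacharacter can ever reach the command line.
function validateTarget(string $raw): ?string
{
    $ip = filter_var(trim($raw), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

// Build the OS-specific ping command. The address is quoted with
// escapeshellarg() even though it has already been validated.
function buildPingCommand(string $ip): string
{
    $quoted = escapeshellarg($ip);
    if (stristr(php_uname('s'), 'Windows NT')) {
        return 'ping ' . $quoted;
    }
    return 'ping -c 4 ' . $quoted;
}

// Request handler. With $dryRun = true only the command string is returned,
// which lets the validation be exercised without actually running ping.
function handlePing(array $request, bool $dryRun = false): string
{
    $ip = validateTarget($request['ip'] ?? '');
    if ($ip === null) {
        return 'ERROR: You have entered an invalid IP.';
    }
    $cmd = buildPingCommand($ip);
    if ($dryRun) {
        return $cmd;
    }
    // ping output is HTML-escaped before being echoed inside <pre>,
    // so command output can never inject markup into the page.
    return htmlspecialchars((string) shell_exec($cmd), ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a benign address, the page's payloads, and two values
// that pass is_numeric() per octet but are not valid IPv4 addresses.
$inputs = [
    '127.0.0.1',
    '127.0.0.1&&net user',
    '127.0.0.1&;&ipconfig',
    '127.0.0.1|whoami',
    '1e3.0.0.1',
    ' 1.2.3.4',
];
foreach ($inputs as $in) {
    printf("%-22s => %s\n", $in, handlePing(['ip' => $in], true));
}
```

Only "127.0.0.1" and " 1.2.3.4" (after trimming) produce a command; every other row returns the error message. The point of the example is the order of defences: validate against a positive grammar first, quote second, and never rely on removing characters from untrusted input.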


天渊应龙圣神大帝-道锋潜鳞

Each of us bears a yin and a yang of our own; chaos divides as qi rises and falls. The immortal who refines yin grasps the serene void; even mortal bones can transform the hundred clans. The dragon god of the thunder realm opens the Great Origin; the clear heavens ascend to immortality out of the vast abyss.
