环境介绍
物理机:win10+wireshark
靶机:win7+phpstudy+DVWA
攻击手段
上传一个名为1.php
,内容为<?php @eval($_POST['777']) ?>
的文件
在上传之前,做wireshark抓包并过滤数据
编写规则
alert tcp any any -> any any (msg:"DVWA-upload漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/upload"; fast_pattern:only; content:"name=|22|uploaded|22|"; content:"filename="; distance:0; pcre:"/filename[\s=]+?\x22.+?\.(php|phtml|html|php3|php5|jsp|asp|htm|war|phl|htaccess)/iP"; metadata:service http; sid:5; rev:1;)
分析
在终端(powershell)中输入
snort -de -c C:\Snort\etc\snort.conf -l C:\Snort\log -r C:\dvwa抓包\file-upload.pcapng