1. File reading vulnerability (Unsafe Filedownload)
- Enter the Unsafe Filedownload level.
- The download links go through down_nba.php. Change the address to:
  execdownload.php?filename=…/…/…/inc/config.inc.php
  Because the filename parameter is joined straight onto the download directory path, this fetches the database configuration file instead of an intended download.
- The downloaded result (screenshot in the original post) is the content of config.inc.php.
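The following is an added example of how the download handler could be hardened; it is not pikachu's own code. It assumes the downloadable files all live in a download/ directory next to the script and that the request parameter is still called filename. The point is that realpath() plus a prefix test decides whether the resolved file is inside the intended directory, so …/…/ sequences and symlinks are both refused.

```php
<?php
// Added example, not pikachu's code. Assumption: every file that may be
// downloaded lives in ./download/ next to this script.
declare(strict_types=1);

function resolve_download(string $baseDir, string $requested): ?string
{
    // Only a bare file name is acceptable: no directory separators, no "..".
    if ($requested === '' || basename($requested) !== $requested
        || strpos($requested, '..') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() is false for a missing file; the prefix test also catches a
    // symlink inside download/ that points somewhere else on disk.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

$path = resolve_download(__DIR__ . '/download', $_GET['filename'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('file not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Responding with a generic 404 for both "outside the directory" and "does not exist" avoids telling a caller which of the two happened.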
2. Remote file inclusion vulnerability (via Unsafe Fileupload)
- Enter the level. The description says that only image files can be uploaded.
- First attempt: simply rename the PHP Trojan (webshell) file so that it has a .png suffix and upload it directly.
- The website recognizes that this is a fake picture and rejects it.
- Second attempt: write the PHP code into a genuine image file. Prepare two files: info.php, the Trojan file, and 123.png, an ordinary image file.
- In the Windows cmd command line, run the command that combines the two files (the command itself is not reproduced in the post). The result is 456.png, an image file that carries the PHP code.
- Upload the modified file. The upload succeeds and the page echoes the path where the file was saved.
- Check the stored file: the website neither inspects nor alters the content of the file, so the PHP code is saved unchanged inside the image.
- Now use this file. Enter File Inclusion (remote) and submit any one of the selectable options.
- Then replace the value after filename= in the address with the address of the uploaded file: http://192.168.242.1/pikachu-master/vul/unsafeupload/uploads/456.png
- Press Enter; the PHP code inside the picture is executed by the include.
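As an added example (not pikachu's own code), here is an upload handler that would reject both attempts above. The form field name "upload" and the uploads/ directory are assumptions. Checking the header bytes alone would still accept 456.png, because it starts with a valid image; re-encoding the decoded image through GD is what actually drops the appended code, and the server rather than the uploader chooses the stored name and extension.

```php
<?php
// Added example, not pikachu's code. Assumptions: the form field is named
// "upload" and files are stored in ./uploads/, which the web server must be
// configured never to execute or include as PHP.
declare(strict_types=1);

$allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

if (!isset($_FILES['upload']) || $_FILES['upload']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('no file uploaded');
}
$tmp = $_FILES['upload']['tmp_name'];

// 1. Decide the type from the file's own header bytes, never from the
//    client-supplied file name or Content-Type.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
if ($mime === false || !isset($allowed[$mime])) {
    http_response_code(400);
    exit('only PNG, JPEG or GIF images are accepted');
}

// 2. Re-encode through GD. A real image with PHP code appended after it (the
//    456.png case above) still has a valid header and passes step 1; decoding
//    and re-encoding writes a fresh image and the trailing bytes are gone.
$img = @imagecreatefromstring((string) file_get_contents($tmp));
if ($img === false) {
    http_response_code(400);
    exit('image could not be decoded');
}

// 3. The server chooses the stored name and extension; the uploader controls neither.
$ext  = $allowed[$mime];
$name = bin2hex(random_bytes(16)) . '.' . $ext;
$dest = __DIR__ . '/uploads/' . $name;
switch ($ext) {
    case 'png': $ok = imagepng($img, $dest); break;
    case 'jpg': $ok = imagejpeg($img, $dest, 90); break;
    default:    $ok = imagegif($img, $dest); break;
}
imagedestroy($img);

if (!$ok) {
    http_response_code(500);
    exit('could not save image');
}
echo 'saved as uploads/' . htmlspecialchars($name);
```

Even with re-encoding, the uploads directory should be served as static content only (no PHP execution) and, as the next example shows, never be a candidate for include.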
3. Local file inclusion vulnerability
- The general process is the same as above, but the path is a local path. Select the File Inclusion (local) level.
- Change the address to the following. Note that the path is relative to the directory of the including script, so the number of …/ steps has to be counted from there:
  http://192.168.242.1/pikachu-master/vul/fileinclude/fi_local.php?filename=…/…/…/…/pikachu-master/vul/unsafeupload/uploads /456.png&submit=%E6%8F%90%E4%BA%A4
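For both the remote and the local case the fix is the same: the request should carry a short key, not a path, and the script maps that key to a fixed file. The following is an added example and not pikachu's code; the include/ directory and the names page1.php and page2.php are placeholders.

```php
<?php
// Added example, not pikachu's code. Assumptions: the pages the user may pick
// live in ./include/; the keys and file names below are placeholders.
declare(strict_types=1);

// The request names a key, never a path. Anything not in this map, whether
// ../../x, an http:// URL or an uploaded image, is refused before include runs.
const INCLUDABLE_PAGES = [
    'page1' => 'page1.php',
    'page2' => 'page2.php',
];

function includable_path(string $key): ?string
{
    if (!isset(INCLUDABLE_PAGES[$key])) {
        return null;
    }
    return __DIR__ . '/include/' . INCLUDABLE_PAGES[$key];
}

$path = includable_path($_GET['filename'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('unknown page');
}
require $path;
```

Independently of the code, keep allow_url_include=Off in php.ini (it is off by default); with that setting the remote variant cannot work even if a script is careless.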
4. Horizontal privilege escalation (horizontal overreach)
- Enter the Over Permission level; it requires you to log in.
- Click the prompt in the upper right corner. It gives the login information for three users.
- Log in as each of the three users and view their information; each user sees different data.
- After some experiments and observation we found that whichever name is placed in the username field of the address is the user whose information is returned.
  This is because the parameter used to look up user information is taken directly from the URL, and the current user is never verified against it. This is called horizontal privilege escalation: one ordinary user can read another ordinary user's data.
- Defensive measure: add a conditional check in the source code that compares the username passed in the URL with the current logged-in user. If they match, assign the value to $username; if they do not match, do not assign it, so no lookup is made.
  With this change the level is successfully protected against the attack.
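The check described in the defensive measure, written out as an added example (not pikachu's own code). It assumes the login page stored the authenticated name in $_SESSION['username'], that $db is a PDO connection, and that the member table and its columns are placeholders.

```php
<?php
// Added example, not pikachu's code. Assumptions: login stored the
// authenticated name in $_SESSION['username']; $db is a PDO connection;
// table "member" and its columns are placeholders.
declare(strict_types=1);
session_start();

if (!isset($_SESSION['username'])) {
    header('Location: login.php');
    exit;
}

// The check from the text: $username is assigned only when the value in the
// URL is the logged-in user; otherwise it stays null and nothing is looked up.
$username = null;
if (isset($_GET['username']) && $_GET['username'] === $_SESSION['username']) {
    $username = $_GET['username'];
}

function load_member(PDO $db, string $username): ?array
{
    // Prepared statement: the name is bound as data, not spliced into SQL.
    $stmt = $db->prepare('SELECT username, email, phone FROM member WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if ($username === null) {
    http_response_code(403);
    exit('you may only view your own information');
}
$info = load_member($db, $username);
```

The simpler design is to ignore the URL parameter altogether and always look up $_SESSION['username']; the comparison above is shown because it is the fix the text describes.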
5. Vertical privilege escalation (vertical overreach)
- Enter the vertical privilege escalation level.
- Click the prompt: there are two users in this level, admin and pikachu.
- Log in to both accounts; their permissions differ. pikachu only has permission to view, while admin can add, delete, view and modify.
- Log in as admin, add a record, and intercept the request with a packet-capture (proxy) tool.
- The intercepted POST request contains admin's cookie together with the data we submitted.
- Remove the cookie and resend the request to see whether the record can still be added. The addition fails.
- Now switch to the pikachu account, log in, intercept a request to obtain pikachu's cookie, put that cookie into the earlier packet in place of admin's, and send it.
- The user is added successfully, which shows that the level has a vertical privilege escalation: the add operation only checks that some valid login cookie is present, not that the session it belongs to has admin rights.
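An added example (not pikachu's own code) of the server-side check that makes the cookie swap above fail. It assumes that at login the server stored $_SESSION['username'] and $_SESSION['level'] from its own database (1 = admin, 2 = ordinary user), that $db is a PDO connection, and that the table and column names are placeholders. The role is read from the session on every state-changing request, so presenting pikachu's cookie yields pikachu's level and the insert is refused.

```php
<?php
// Added example, not pikachu's code. Assumptions: at login the server stored
// $_SESSION['username'] and $_SESSION['level'] from its own database
// (1 = admin, 2 = ordinary user); $db is a PDO connection; table and column
// names are placeholders.
declare(strict_types=1);
session_start();

const LEVEL_ADMIN = 1;

function current_level(): ?int
{
    // The role lives in the server-side session only. The cookie merely names
    // the session, so swapping admin's cookie for pikachu's swaps the level too.
    return isset($_SESSION['level']) ? (int) $_SESSION['level'] : null;
}

function require_admin(): void
{
    if (current_level() !== LEVEL_ADMIN) {
        http_response_code(403);
        exit('this operation requires admin');
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Enforced on the request that changes state, not only on the page that shows the form.
    require_admin();
    $stmt = $db->prepare('INSERT INTO member (username, password) VALUES (?, ?)');
    $stmt->execute([
        $_POST['username'] ?? '',
        password_hash($_POST['password'] ?? '', PASSWORD_DEFAULT),
    ]);
    echo 'user added';
}
```

Hiding the add button from pikachu in the HTML is not a control; only the require_admin() call on the POST handler is.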