File Inclusion - DVWA Exercises

I. Introduction

First of all, we need to know roughly what file inclusion is, what vulnerabilities may arise from it, and how those vulnerabilities are exploited.
See related articles for explanations of file inclusion.
Environment: win10+phpstudy

2. DVWA file inclusion

Preparation: in the php.ini file, allow_url_include and allow_url_fopen must both be set to On, otherwise the following exercises cannot be performed.

1.low level

We set the level to low and enter the URL http://localhost/DVWA/vulnerabilities/view_source.php?id=fi&security=low
to see the source code of the low level. As you can see, there is no security filtering:
$file = $_GET['page'];
DVWA provides three files: file1, file2 and file3.
When we click on them, you can see that the URL is http://localhost/DVWA/vulnerabilities/fi/?page=file1.php
As mentioned earlier, the low level has no security filtering, which means that we can put various file locations after page= to read them.

(If you read a file that does not exist or use a wrong path, the include fails with an error.)

Let's read a file with the correct path (I read phpinfo)
http://localhost/DVWA/vulnerabilities/fi/?page=D:\phpstudy_pro\WWW\php.txt

So what is the point of this? If the other party does not apply security filtering to file inclusion, an attacker can take the opportunity to learn information that is outside their own authority. (The DVWA site only wants us to read file1, file2 and file3 and does not allow users to read other files, but because the file inclusion has no security filtering, we can read files on the C drive and every other drive.)

2.medium level

We set the level to medium and enter the URL http://localhost/DVWA/vulnerabilities/view_source.php?id=fi&security=medium
to see the source code of the medium level. Obviously, the medium-level filtering is very simple:
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\\" ), "", $file );
This code replaces every "http://", "https://", "../" and "..\" with an empty string,
but this replacement is still not safe, because str_replace makes only a single pass over the input and does not check the result again.

Entering http://localhost/DVWA/vulnerabilities/fi/?page=http://localhost/php.txt
displays an error.
Entering the URL http://localhost/DVWA/vulnerabilities/fi/?page=hthttp://tp://localhost//php.txt
bypasses the filter.

3.high level

We set the level to high and enter the URL http://localhost/DVWA/vulnerabilities/view_source.php?id=fi&security=high
to see the source code of the high level:
if( !fnmatch( "file*", $file ) && $file != "include.php" )
This means that the path after page= must start with file or be include.php.
We can use the file protocol to bypass it.
Enter the URL http://localhost/DVWA/vulnerabilities/fi/?page=file://D:\phpstudy_pro\WWW\php.txt
and it still succeeds.

4. Impossible level

We set the level to impossible and enter the URL http://localhost/DVWA/vulnerabilities/view_source.php?id=fi&security=impossible
to see the source code of the impossible level:
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" )
A whitelist is set, and it cannot be bypassed.
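The medium, high and impossible checks discussed above, replayed side by side on the inputs used in this article, without including any file. This is an added example, not DVWA's own source; the function names medium_filter, high_accepts and impossible_accepts are hypothetical.

```php
<?php
// Added example: evaluates the three checks only, nothing is included.

// Medium level: the blacklist quoted above. str_replace makes one pass,
// so the returned string is not checked again.
function medium_filter(string $file): string {
    $file = str_replace(array("http://", "https://"), "", $file);
    $file = str_replace(array("../", "..\\"), "", $file);
    return $file;
}

// High level: the negation of the rejection condition quoted above.
// Any name that merely starts with "file" is accepted.
function high_accepts(string $file): bool {
    return fnmatch("file*", $file) || $file == "include.php";
}

// Impossible level: exact-match allowlist of the four known pages.
function impossible_accepts(string $file): bool {
    $allowed = array("include.php", "file1.php", "file2.php", "file3.php");
    return in_array($file, $allowed, true);
}

// Values of the page parameter taken from the URLs in this article.
$inputs = array(
    "file1.php",
    "http://localhost/php.txt",
    "hthttp://tp://localhost//php.txt",
    "file://D:\\phpstudy_pro\\WWW\\php.txt",
);

foreach ($inputs as $in) {
    printf(
        "%-38s medium passes on: %-28s high: %-6s impossible: %s\n",
        $in,
        medium_filter($in),
        high_accepts($in) ? "accept" : "reject",
        impossible_accepts($in) ? "accept" : "reject"
    );
}
```

The last column is the point of the comparison: only the exact-match allowlist makes its decision on the full, unmodified value of page.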

With that, we are done practicing.

Origin blog.csdn.net/qq_63087425/article/details/127432105