DVWA target
Low level
<?php phpinfo() ?>
![](https://upload-images.jianshu.io/upload_images/4664072-eec2e8c89c444cfc.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Upload the file
![](https://upload-images.jianshu.io/upload_images/4664072-a20cab62a73500e2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-d69fdfe263b09651.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-7ecbb1fd2426492c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Medium level
![](https://upload-images.jianshu.io/upload_images/4664072-db27ae06e0866484.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Change the Content-Type: application/octet-stream header to the jpg format, i.e. Content-Type: image/jpeg
![](https://upload-images.jianshu.io/upload_images/4664072-fc980e9bf1b6a38a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Visit the file http://localhost/DVWA-master/hackable/uploads/1.php
![](https://upload-images.jianshu.io/upload_images/4664072-a42d702aa5aed702.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
High level
Image webshell (图片马)
Because the backend validates the pixels, there has to be a real image, so we merge the PHP file and the image file into a single file.
Do it in cmd: /b means binary, /a means ASCII
First go to the desktop
cd Desktop
copy 1.jpg /b + 1.php /a 2.jpg
![](https://img2020.cnblogs.com/blog/2018505/202005/2018505-20200513122003301-496751535.png)
![](https://upload-images.jianshu.io/upload_images/4664072-81d204e2ec808642.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The .htaccess handler file
First write the file
<FilesMatch "jpg">
SetHandler application/x-httpd-php
</FilesMatch>
The file has to be saved as .htaccess, with no base filename, so we modify the request in Burp
Intercept the request and change 1.txt to .htaccess
![](https://upload-images.jianshu.io/upload_images/4664072-c2f8988b71f0c23e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-9f92724c92bdc25a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-d6588189afa8d07f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Now visit the file http://localhost/DVWA-master/hackable/uploads/2.jpg
![](https://upload-images.jianshu.io/upload_images/4664072-d2b90398a89ca85b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
upload-labs target
Level 1
View the source
![](https://upload-images.jianshu.io/upload_images/4664072-00d11a9b6dff2467.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
This is a front-end check, so we can disable JS
Open about:config in the browser
Set the option marked in red to false
![](https://upload-images.jianshu.io/upload_images/4664072-d23d81e8562c4a10.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-e16ac41ab3f451b4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Visit the file http://localhost/upload-labs-master/upload//1.php
![](https://upload-images.jianshu.io/upload_images/4664072-bc70275e5eac9df7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 2
Only the file's MIME type is checked; modify the request
Change application/octet-stream to image/jpeg
![](https://upload-images.jianshu.io/upload_images/4664072-643df4461cf3992d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-e0845b073466b056.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 3
Bypass by changing the file extension
Extensions treated the same as php: php1 php2 php3 php4 php5 phtml pht
![](https://upload-images.jianshu.io/upload_images/4664072-49f6f1cc9535a06a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 4
Rename 1.php with a jpg extension to bypass the check, then upload the .htaccess handler file
![](https://upload-images.jianshu.io/upload_images/4664072-0b4e3c6f191bd6d9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
<FilesMatch "jpg">
SetHandler application/x-httpd-php
</FilesMatch>
Upload .htaccess
![](https://upload-images.jianshu.io/upload_images/4664072-d0864a83eac9fc49.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 5
Bypass with extension letter case
![](https://upload-images.jianshu.io/upload_images/4664072-c470319ba22ebb14.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 6
Bypass with a trailing space after the extension
![](https://upload-images.jianshu.io/upload_images/4664072-d434614e48bd45bf.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 7
Bypass with a trailing [.] after the extension
![](https://upload-images.jianshu.io/upload_images/4664072-1cbd915401fd72ef.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 8
Bypass by appending ::$DATA to the extension
Leave out ::$DATA when visiting the file
![](https://upload-images.jianshu.io/upload_images/4664072-60810e6695364571.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 9
The backend code first strips spaces from both ends, then strips trailing dots, then a few other things, and finally strips spaces from both ends again. So we can write [. .] (dot space dot): first it strips spaces at both ends, which removes nothing here; then it strips the trailing dot, which removes one, leaving a dot and a space; finally it strips spaces from both ends, leaving just the dot, and the check is bypassed.
![](https://upload-images.jianshu.io/upload_images/4664072-72af1032a52114d8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 10
Double-writing
![](https://upload-images.jianshu.io/upload_images/4664072-65fe2a50e116e406.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 11
00 truncation
Usually used when the file is uploaded into a directory: we write the filename 1.php into the directory path, then use 00 truncation, and for the uploaded file we use a format the whitelist allows (jpg). Because of the 00 truncation, the file actually saved in the directory is named 1.php, not the jpg.
Original
![](https://upload-images.jianshu.io/upload_images/4664072-b800ec9b7f14f687.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
After modification
![](https://upload-images.jianshu.io/upload_images/4664072-bced6f6b28d1d083.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
URL-decode the %00
![](https://upload-images.jianshu.io/upload_images/4664072-024494a3e80e2f23.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
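Levels 5 to 11 above all defeat the same kind of server-side check: a deny-list applied after a single pass of name cleaning. The following PHP is an added example for this write-up, not code from upload-labs or DVWA. weakCheck() mimics the sanitizer order the post describes for level 9 (trim spaces, strip trailing dots, take the extension, strip ::$DATA, trim again) and shows it accepting "1.php. ." and a double-written name; safeExtension() is a whitelist validator that normalises until nothing changes and rejects control bytes, so the case, trailing-space, trailing-dot, ::$DATA, double-write and %00 variants all fail the same way. Function names, the $deny and $allowed lists and the sample filenames are this example's own.

```php
<?php
// Added example for this write-up; it is not code from upload-labs or DVWA.
// Function names, $deny, $allowed and the sample names are this example's own.

// Deny-list check in the order described for level 9:
// trim spaces -> strip trailing dots -> take extension -> strip ::$DATA -> trim.
// Returns true when the name would be accepted.
function weakCheck(string $name, array $deny): bool
{
    $name = trim($name, ' ');
    $name = rtrim($name, '.');
    $ext  = strtolower(strrchr($name, '.') ?: '');
    $ext  = str_ireplace('::$DATA', '', $ext);
    $ext  = trim($ext, ' ');
    return !in_array($ext, $deny, true);
}

// Whitelist validator. Returns the accepted extension, or null to reject.
function safeExtension(string $name, array $allowed): ?string
{
    // A NUL (or any control byte) in the name is the %00 truncation case:
    // reject it instead of letting the filesystem decide where the name ends.
    if (preg_match('/[\x00-\x1f]/', $name)) {
        return null;
    }
    // Normalise until nothing changes, so ". ." and "::$DATA." orderings
    // cannot leave residue behind the way a single pass does.
    do {
        $before = $name;
        $name   = trim($name, " .");
        $name   = str_ireplace('::$DATA', '', $name);
    } while ($name !== $before);

    // Dotfiles such as .htaccess have no usable extension.
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $pos = strrpos($name, '.');
    if ($pos === false) {
        return null;
    }
    // Compare lowercase against the whitelist: .PhP, .php5 and .pphphp all
    // fail the same way, and there is no deny-list to double-write around.
    $ext = strtolower(substr($name, $pos + 1));
    return in_array($ext, $allowed, true) ? $ext : null;
}

// Name the stored file server-side; the client name is consulted only for
// the extension. The uploads directory must still be configured not to
// execute scripts.
function storedName(string $clientName, array $allowed): ?string
{
    $ext = safeExtension($clientName, $allowed);
    return $ext === null ? null : bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample names covering the bypasses in the write-up.
$deny    = ['.php', '.php3', '.php5', '.phtml', '.htaccess'];
$allowed = ['jpg', 'png', 'gif'];
$samples = ['1.php. .', '1.PhP ', '1.php.', '1.php::$DATA', '1.pphphp',
            '.htaccess', "1.jpg\0.php", '1.jpg'];
foreach ($samples as $n) {
    printf(
        "%-14s deny-list: %-7s whitelist: %s\n",
        addcslashes($n, "\0"),
        weakCheck($n, $deny) ? 'accept' : 'reject',
        safeExtension($n, $allowed) ?? 'reject'
    );
}
```

Run it with `php validate.php` (any filename). The deny-list column accepts "1.php. ." and "1.pphphp", which is exactly what levels 9 and 10 exploit; the whitelist column accepts only "1.jpg". The fixpoint loop matters more than the particular list of characters: any single-pass cleaner has an order, and an attacker only needs one input where that order leaves residue.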
Level 12
00 truncation
Original
![](https://upload-images.jianshu.io/upload_images/4664072-da8092428803b09c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 13
Image webshell (jpg)
Level 14
Image webshell (png)
Level 15
Image webshell (png)
Level 16
Secondary rendering: upload an animated gif
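The DVWA High level and levels 13 to 16 all turn on the same question: does the server check the bytes it received, or only what the client claimed? The PHP below is an added example for this write-up, not code from DVWA or upload-labs. It reads the real image header with getimagesize() (which ignores the client-sent Content-Type and the extension), decodes the file with GD, and writes a fresh file from the pixel buffer, which is the "secondary rendering" level 16 refers to. A check at the end builds a small PNG with junk appended after the image data, the same layout the copy /b step above produces, and confirms the appended bytes are gone from the stored copy. It assumes the GD extension is loaded; function names and the marker string are this example's own.

```php
<?php
// Added example for this write-up; it is not code from DVWA or upload-labs.
// Requires the GD extension. Function names are this example's own.

// Decode the upload and write a fresh file from the pixel buffer.
// Returns the stored path, or null if the file is not a decodable image.
function reencodeImage(string $srcPath, string $dstDir): ?string
{
    // getimagesize() parses the real header; it ignores the client-sent
    // Content-Type (the Medium-level bypass) and the file extension.
    $info = @getimagesize($srcPath);
    if ($info === false) {
        return null;
    }
    switch ($info[2]) {
        case IMAGETYPE_JPEG:
            $img = @imagecreatefromjpeg($srcPath);
            $ext = 'jpg';
            break;
        case IMAGETYPE_PNG:
            $img = @imagecreatefrompng($srcPath);
            $ext = 'png';
            break;
        case IMAGETYPE_GIF:
            $img = @imagecreatefromgif($srcPath);
            $ext = 'gif';
            break;
        default:
            return null;
    }
    if ($img === false) {
        return null;
    }
    // Server-generated name; the client's filename is never reused.
    $dst = rtrim($dstDir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    // Only decoded pixels are written out, so bytes appended after the
    // image data (the copy /b layout) do not reach the stored file.
    switch ($ext) {
        case 'jpg':
            $ok = imagejpeg($img, $dst, 90);
            break;
        case 'png':
            $ok = imagepng($img, $dst);
            break;
        default:
            $ok = imagegif($img, $dst);
            break;
    }
    imagedestroy($img);
    return $ok ? $dst : null;
}

// Constructed check: a 2x2 PNG with junk appended after the image data.
$src = tempnam(sys_get_temp_dir(), 'up');
$im  = imagecreatetruecolor(2, 2);
imagepng($im, $src);
imagedestroy($im);
file_put_contents($src, 'APPENDED-MARKER', FILE_APPEND);

$stored = reencodeImage($src, sys_get_temp_dir());
if ($stored !== null && strpos(file_get_contents($stored), 'APPENDED-MARKER') === false) {
    echo "re-encoded to $stored; appended bytes were dropped\n";
} else {
    echo "re-encode failed or marker survived\n";
}
```

Two caveats a practitioner should keep in mind. Re-encoding a GIF with imagegif() keeps only the first frame, so an upload feature that must preserve animation cannot rely on this step alone. And re-rendering is one layer, not the whole defence: it belongs together with an extension whitelist, server-generated filenames, and an uploads directory where the PHP handler is not mapped and AllowOverride None is set, so that an uploaded .htaccess like the one in this write-up is simply ignored by Apache.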