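May 06 2020
DVWA-4.1 File Inclusion - Low
File Inclusion
File Inclusion refers to a file inclusion vulnerability: when the server has the allow_url_include option enabled, certain PHP functions (include(), require(), include_once() and require_once()) can be used to include files dynamically via a URL. If the source of the file is not strictly validated, this leads to arbitrary file read or arbitrary command execution. File inclusion vulnerabilities are divided into local file inclusion and remote file inclusion; remote file inclusion arises from enabling php...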
May 06 2020
DVWA-3.4 CSRF (Cross-Site Request Forgery) - Impossible
Impossible Level
View the source code
<?php
if( isset( $_GET[ 'Change' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$pass_curr = $_GET[ 'password_current' ];
$pass_new = $_GET[ 'password_new' ];
$pass_conf = $_GET[ 'password_conf' ];
// Sanitise curren...
May 06 2020
DVWA-3.3 CSRF (Cross-Site Request Forgery) - High - Bypassing the token
High Level
View the source code
<?php
if( isset( $_GET[ 'Change' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$pass_new = $_GET[ 'password_new' ];
$pass_conf = $_GET[ 'password_conf' ];
// Do the passwords match?
if( $pass_new == $pass_conf ) {
...
May 06 2020
DVWA-3.2 CSRF (Cross-Site Request Forgery) - Medium - Bypassing Referer validation
Medium Level
View the source code
<?php
if( isset( $_GET[ 'Change' ] ) ) {
// Checks to see where the request came from
if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
// Get input
$pass_new = $_GET[ 'password_new' ];
$pass_conf = $_GET[ 'password_conf' ];
// Do the passwords match?
...
May 06 2020
DVWA-3.1 CSRF (Cross-Site Request Forgery) - Low
Low Level
View the source code
<?php
if( isset( $_GET[ 'Change' ] ) ) {
// Get input
$pass_new = $_GET[ 'password_new' ];
$pass_conf = $_GET[ 'password_conf' ];
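// Do the passwords match? --- check whether the new password and the confirmation password are the same
if( $pass_new == $pass_conf ) {
// They do! --- if they match, first use the mysqli_real_escape_string function to escape the special char...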
May 06 2020
DVWA-2.4 Command Injection - Impossible - A secure whitelist
Impossible Level
View the source code
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$target = $_REQUEST[ 'ip' ];
$target = stripslashes( $target ); // stripslashes() removes backslashes
// Split the IP into 4 octets
$octet = e...
May 06 2020
DVWA-2.3 Command Injection - High - Bypassing a strong blacklist
High Level
View the source code
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = trim($_REQUEST[ 'ip' ]);
// Set blacklist
$substitutions = array(
'&' => '',
';' => '',
'| ' => '',
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',...
May 06 2020
DVWA-2.2 Command Injection - Medium - Bypassing a weak blacklist
Medium Level
View the source code
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = $_REQUEST[ 'ip' ];
// Set blacklist ---- blacklist: strips && and ;
$substitutions = array(
'&&' => '',
';' => '',
);
// Remove any of the characters in the array (blacklist).
$target = str_replace( array_keys(...
May 06 2020
DVWA-2.1 Command Injection - Low
Low Level
View the source code
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = $_REQUEST[ 'ip' ];
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 4...
May 06 2020
DVWA-1.4 Brute Force - Impossible
Impossible Level
View the source code
<?php
if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) {
// Check Anti-CSRF token --- validate the token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Sanitise username input ---- filter and escape the user-supplied username
$user = $_POST[ ...