# 0328-Red-Team-DVWA-HW

## Jeff

{%hackmd theme-dark %}

## 0x01 File Inclusion

### Vulnerability explanation

> According to DVWA's own definition:
>> Some web applications allow the user to specify input that is used directly into file streams or allows the user to upload files to the server.
>> At a later time the web application accesses the user supplied input in the web applications context. By doing this, the web application is allowing the potential for malicious file execution.

### How is this vulnerability exploited?

(1) By **modifying** a variable in the URL, an attacker obtains information that should not be accessible.
(2) Worse, an attacker can **load** files that do not belong to the website at all.

* Obtaining information that should not be accessible by modifying a URL variable, e.g.:
  1. **Listing the user accounts on the server:**
     * A normal URL: `http://172.20.10.2/dvwa/vulnerabilities/fi/?page=include.php`
     * The attacker modifies the URL variable to obtain more information: `http://172.20.10.2/dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd`
     * `../../../../../../etc/passwd` is the attacker's payload
     * Result: ![](https://i.imgur.com/pGNVtnC.jpg) The user accounts are obtained.
  2. **Reading the Apache configuration file:**
     * `http://172.20.10.2/dvwa/vulnerabilities/fi/?page=/etc/apache2/apache2.conf`
     * `/etc/apache2/apache2.conf` is the attacker's payload
     * Result: ![](https://i.imgur.com/WLDQy7Z.jpg) The Apache configuration file is obtained.
  3. **Reading /etc/hosts:**
     * `http://172.20.10.2/dvwa/vulnerabilities/fi/?page=../../../../../../etc/hosts`
     * `../../../../../../etc/hosts` is the attacker's payload
     * Result: ![](https://i.imgur.com/NQ2uosY.jpg) The `/etc/hosts` file is obtained.

## 0x02 File Upload

### Vulnerability explanation

> According to DVWA's own definition:
>> Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.
>> The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored.
>> Another thing worth looking for are restrictions within 'hidden' form fields.

### How is this vulnerability exploited?

(1) First **upload** a malicious program (e.g. a reverse shell).
(2) Then **execute** it.

* Upload and execute a malicious program
  * Upload phpinfo.php:
    * Build the phpinfo.php payload:

      ```php
      <?php
      // Proof-of-concept upload: confirms that the server executes uploaded PHP
      echo "Hello World!!";
      phpinfo();
      ?>
      ```

    * Upload: ![](https://i.imgur.com/VZBQhED.jpg)
    * Result: ![](https://i.imgur.com/DtwSSyq.jpg) Arbitrary code can be executed.
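On the detection side, as an added example that is not part of the original writeup: a small Python scanner over constructed Apache access-log lines that flags the traversal and absolute-path `page=` payloads shown in the File Inclusion section, as well as requests that execute a PHP file from the upload directory. The log lines, the client IPs and the upload directory path `/dvwa/hackable/uploads/` are assumptions made for this example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed Apache access-log lines (not from the original page); the ../ and
# /etc/ payloads mirror the ones shown in the File Inclusion section above.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2023:10:01:02 +0800] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1234
10.0.0.7 - - [28/Mar/2023:10:01:09 +0800] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd HTTP/1.1" 200 2211
10.0.0.7 - - [28/Mar/2023:10:01:15 +0800] "GET /dvwa/vulnerabilities/fi/?page=/etc/apache2/apache2.conf HTTP/1.1" 200 7301
10.0.0.7 - - [28/Mar/2023:10:01:20 +0800] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2F..%2Fetc%2Fhosts HTTP/1.1" 200 410
10.0.0.9 - - [28/Mar/2023:10:02:01 +0800] "GET /dvwa/hackable/uploads/phpinfo.php HTTP/1.1" 200 60122
"""

# Combined-log prefix: client, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Assumed directory the upload module writes to (hypothetical path for this example).
UPLOAD_DIR = "/dvwa/hackable/uploads/"

def classify(target: str):
    """Return the reasons a request target looks like file-inclusion or upload abuse."""
    reasons = []
    parsed = urlparse(target)
    # Decode twice so single and double percent-encoded payloads are both normalised.
    values = [unquote(unquote(v)) for vs in parse_qs(parsed.query).values() for v in vs]
    for value in values:
        if "../" in value or "..\\" in value:
            reasons.append("path traversal in query")
        if value.startswith("/"):
            reasons.append("absolute path in query")
        if re.search(r"/etc/(passwd|shadow|hosts)|apache2\.conf", value):
            reasons.append("sensitive file requested")
    if parsed.path.startswith(UPLOAD_DIR) and parsed.path.endswith(".php"):
        reasons.append("execution of uploaded PHP file")
    return reasons

def scan(log_text: str):
    """Parse log lines and return (ip, target, reasons) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, ", ".join(reasons))
```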