15 files of the DVWA series contain exploits 01/14 Update SLTechnology News&Howtos

15 files of the DVWA series contain exploits

2025-01-14 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)06/01 Report--

Now that you understand the principle of file inclusion, let's go to DVWA and select low-level file inclusion. Prompted on the page, you can edit the page parameter in URL to include the specified file, which is the include.php file by default.

We create a test file test.txt in the D:\ AppServ\ www\ dvwa\ vulnerabilities\ fi directory with the content of "File Inclusion testing!", which can be viewed directly through the file inclusion vulnerability.

If you want to see the contents of the D:\ AppServ\ www\ 03.txt file, you can type "? page=../03.txt", ".. /" to represent the parent directory, so as long as you know the path of a file, you can view the contents of the file through the file containing vulnerabilities.

Reading sensitive files is one of the main ways to exploit file inclusion vulnerabilities. For example, if the server uses Linux system and the user has the corresponding rights, then you can take advantage of file inclusion vulnerabilities to read the contents of / etc/passwd files.

The common paths of sensitive information in the system are as follows:

(1) Windows system

(2) Linux system

Another major way to exploit file containing vulnerabilities is to cooperate with file uploads. For example, most websites provide file upload function, but generally only allow uploading image files such as jpg or gif. By cooperating with file inclusion vulnerabilities, you can generate a sentence * web page file in the site.

For example, write the following code in notepad and save it as a jpg file.

Upload the file to the DVWA directory, and the file path is D:\ AppServ\ www\ dvwa\ 1.jpg. Then the code in the jpg file can be executed through the file inclusion vulnerability, and the shell.php file can be generated in the D:\ AppServ\ www\ dvwa\ vulnerabilities\ fi directory, and the file content is exactly one sentence.

In addition, the file contains vulnerabilities that can also be used to bypass the WAF firewall. For example, after uploading WebShell to a website, it may be checked and killed by security tools such as security dogs. At this time, you can save WebShell as an image file, and then execute it through the file inclusion function.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.