
DVWA Series, Part 16: File Inclusion Vulnerability Discovery and Defense

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Let's analyze the source code behind the file inclusion vulnerability in DVWA.

First, the main page of the file inclusion module is D:\AppServ\www\dvwa\vulnerabilities\fi\index.php. The main part of that file's code works as follows.

This code first uses a switch statement to assign low.php, medium.php, or high.php to the variable $vulnerabilityFile according to the security level selected by the user, then uses the require_once function to include the page that matches that level, and finally uses the include function to include the variable $file.

The variable $file comes from low.php, medium.php, and high.php.

In low.php, the value the user sends in the page parameter is read via GET and assigned to the variable $file. Note that the page parameter is not filtered at all here.

In medium.php, the user-supplied data is passed through the str_replace() function, which replaces http:// and https:// with an empty string. The main purpose is to prevent remote files from being included.

The inclusions we used earlier all pulled in local files on the target server, so they are called local file inclusion (LFI). Files on a remote server can also be included, for example http://127.0.0.1/dvwa/vulnerabilities/fi/?page=php://192.168.80.132/info.php, which is called remote file inclusion (RFI). It is obvious that RFI is more powerful, but the prerequisite for RFI is that the two PHP parameters allow_url_fopen and allow_url_include are turned on, both of which are off by default, so RFI probably cannot be carried out. It is said that this can be bypassed by means of "zlib://" and "ogg://", but I have not found the relevant information or verified it yet, so let's put this question aside for the time being.

In summary, the medium level has no effect on LFI, so all the file inclusion operations used previously can still be performed.

Finally, take a look at high.php. An if statement checks whether the data entered by the user is include.php, and if not, it reports an error and exits immediately. In other words, only include.php is allowed to be included. This is the most secure defense. In practice there may of course be several files to choose from, in which case you only need to add a few more checks. With this design, there is no file inclusion vulnerability.

File inclusion vulnerabilities are hunted in the same way as before: search for functions such as include(), include_once(), require(), and require_once(), then check whether the content these functions include can be controlled by the user and whether any defensive measures have been taken.

For example, in the following code, the include_once() function includes the variable $lang, which the user can supply without any processing, so there is a file inclusion vulnerability.
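The search procedure described above can be automated for code review. The following Python sketch is an added example, not code from the original article or from DVWA: it flags include/require calls whose argument derives from request input and was never compared against a fixed file name. The function name find_tainted_includes and the PHP sample are constructed for illustration, and the scanner assumes one statement per line.

```python
import re

SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")  # user-controlled input
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)\s*(.+?);")         # $var = <expr>;
# include / include_once / require / require_once at the start of a statement
INCLUDE = re.compile(r"^\s*(include|require)(_once)?\b\s*\(?\s*(.+?)\s*\)?\s*;")
VAR = re.compile(r"\$\w+")


def find_tainted_includes(php_source):
    """Return (line_no, function, variable) for each include/require whose
    argument comes from request input without an allow-list comparison."""
    tainted, findings = set(), []
    for no, line in enumerate(php_source.splitlines(), 1):
        inc = INCLUDE.match(line)
        if inc:
            func = inc.group(1) + (inc.group(2) or "")
            hits = [v for v in VAR.findall(inc.group(3))
                    if v in tainted or SOURCE.match(v)]
            findings += [(no, func, v) for v in hits]
            continue
        # Heuristic for a high.php-style guard: $var compared to a string literal.
        for var in list(tainted):
            if re.search(re.escape(var) + r"\s*[!=]==?\s*[\"']", line):
                tainted.discard(var)
        m = ASSIGN.search(line)
        if m:
            var, expr = m.groups()
            # str_replace() does not clear taint: the result still derives from
            # user input, which is why the medium level remains open to LFI.
            if SOURCE.search(expr) or any(v in tainted for v in VAR.findall(expr)):
                tainted.add(var)
            else:
                tainted.discard(var)
    return findings


# Constructed sample input for illustration, not DVWA's own source.
SAMPLE = '''<?php
$file = $_GET['page'];
$file = str_replace("http://", "", $file);
include($file);
$lang = $_GET['lang'];
include_once("lang/" . $lang . ".php");
$page = $_GET['p'];
if ($page != "include.php") { exit; }
include($page);
'''
if __name__ == "__main__":
    print(find_tainted_includes(SAMPLE))
```

The guard check is a heuristic, so every finding and every cleared variable still needs a manual read of the surrounding code.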
