Pikachu-RCE (remote command and remote code execution vulnerability)

Overview of RCE (remote command / code execution)
An RCE vulnerability lets an attacker inject operating system commands or code that the back-end server executes, giving the attacker direct remote control of the back-end system.

Remote command execution
This vulnerability usually appears because the application was designed to give users an interface for running a specific remote command. A common example is the web management interface of routers, firewalls, intrusion detection systems and similar equipment: the web interface offers a ping operation, the user enters a target IP, and after submission the back end pings that address and returns the result. If the designer did not apply strict security controls when building this function, an attacker can submit an "unexpected" command through the interface, the back end executes it, and the attacker can take control of the entire back-end server.


Many companies are now moving to automated operations, with a large share of system operations run through an "automated operations and maintenance platform". Remote system command execution vulnerabilities frequently turn up on such platforms.

Remote code execution
In the same way, because of design requirements, the back end sometimes takes the user's input as part of the code it executes, producing a remote code execution vulnerability, whether through a code-execution function or through unsafe deserialization.
Therefore, when an operations interface or API is exposed to front-end users, the input accepted by that interface must be strictly validated; a strict whitelist policy is the better approach.


Windows command splicing

  1. "|": pipe; the standard output of the command before it becomes the standard input of the command after it. For example: help | more
  2. "&": commandA & commandB runs command A, then runs command B
  3. "||": commandA || commandB runs command A and, only if it fails, runs command B
  4. "&&": commandA && commandB runs command A and, only if it succeeds, runs command B


Our experiments begin

The "exec "ping"" remote command execution module

We enter 127.0.0.1 & ipconfig directly and find that the output is garbled.


To fix the garbled output, we can perform the following steps:

1. Press Win+R and enter regedit to open the Registry Editor.

2. Locate HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe. If the CodePage value already exists under that key, set it to decimal 65001 and click OK.

 If it does not exist, create a new DWORD (32-bit) value named "CodePage" under HKEY_CURRENT_USER\Console\ and set it to 65001. Then close the Registry Editor.

Refresh the page and enter 192.168.43.116 & ipconfig again.


This shows that the back end does no strict processing: after entering the target IP we can splice in further commands and have them executed.

Looking at the source code (path below), it uses the shell_exec() function and concatenates the IP directly into the command string, which is what makes remote command execution possible.
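The concatenation pattern described above, beside a hardened version of the same ping handler, as an added example (not Pikachu's own source). It assumes a Windows host (ping -n) and a PHP 8 runtime; the whitelist is a literal IP check with FILTER_VALIDATE_IP, and escapeshellarg() is added as a second layer.

```php
<?php
// Added example, not Pikachu's own code. Vulnerable handler as the page
// describes it, next to a hardened handler using a strict whitelist.

// Vulnerable: the submitted value is glued straight onto the command line,
// so an input such as "127.0.0.1 & ipconfig" runs two commands.
function ping_vulnerable(string $ip): string
{
    return (string) shell_exec("ping " . $ip);
}

// Hardened: accept only a literal IPv4/IPv6 address before anything
// reaches the shell, then quote the single argument anyway.
function ping_hardened(string $ip): string
{
    $valid = filter_var($ip, FILTER_VALIDATE_IP);
    if ($valid === false) {
        // Log the rejected input server-side (useful for detection);
        // return only a neutral message to the user.
        error_log("ping: rejected non-IP input " . json_encode($ip));
        return "Invalid IP address";
    }
    // escapeshellarg() wraps the value so &, |, && and || are inert.
    $cmd = "ping -n 4 " . escapeshellarg($valid);
    $out = shell_exec($cmd);
    if ($out === null || $out === false) {
        return "ping failed";
    }
    // Assumption: the console code page is the Chinese default (GBK/CP936).
    // Converting here avoids the mojibake the page works around via the
    // registry; drop this line if the console already uses UTF-8 (65001).
    return mb_convert_encoding($out, 'UTF-8', 'GBK');
}

// Self-check of the whitelist on constructed inputs; no command is run here.
$probes = ["127.0.0.1", "::1", "127.0.0.1 & ipconfig", "127.0.0.1&&ipconfig"];
foreach ($probes as $p) {
    $verdict = filter_var($p, FILTER_VALIDATE_IP) !== false ? "accepted" : "rejected";
    echo str_pad(json_encode($p), 26) . " -> " . $verdict . PHP_EOL;
}
```

The first two probes are accepted and the two spliced inputs are rejected before shell_exec() is ever reached, which is the whitelist policy the overview recommends.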


We now begin

The "exec "evel"" remote code execution module

First, enter a random value.


Then enter the PHP code phpinfo();


Result


Looking at the source (path below), the entered information is used without any processing and is passed to the rather dangerous eval() function, which executes it as code.


Origin: www.cnblogs.com/escwq/p/12631246.html