Remote system command execution for penetration testing

Remote system command execution

Remote system command execution vulnerabilities usually arise because an application has to offer users an interface for running a specific command on the server. A familiar example is the web management interface of routers, firewalls and intrusion detection appliances, which commonly provides a ping page: the user enters a target IP in the web form, the back end runs ping against that address after submission and returns the result. If the developer does not enforce strict security controls when implementing this function, an attacker can submit an "unexpected" command through the interface, the back end executes it, and the attacker ends up controlling the whole back-end server.

Enterprises have also started to automate operations, and large numbers of system tasks are now driven through an "automated operations and maintenance platform". Remote system command execution flaws are common on this kind of platform. If you do not believe it, get hold of your operations department's system and test it; there will be an unexpected "harvest" -_-

Command separators:

On Linux (sh/bash), `;` can be replaced by `|`, `||`, `&` or `&&`:
`;` runs the following command regardless of whether the previous one succeeded.
`|` is a pipe: the output of the previous command becomes the input of the following one, and what the user sees is the output of the last command in the chain.
`||` runs the following command only if the previous one failed (non-zero exit status).
`&&` runs the following command only if the previous one succeeded.
`&` puts the previous command in the background and then runs the following one.
A newline (`\n`, sent as **%0A** in a URL or form parameter) also starts a new command, so it works as a separator wherever the input reaches a shell.

On Windows (cmd.exe), `;` is not a separator; use `&`, `&&`, `|` or `||` instead:
`&` runs the following command regardless of the result of the previous one.
`&&` runs the following command only if the previous one succeeded; if the previous one failed, the following one is not executed.
`|` is a pipe: the following command runs directly on the output of the previous one.
`||` runs the following command only if the previous one failed.

PHP functions that need attention in remote system command execution:
assert, system, passthru, exec, pcntl_exec, shell_exec, popen, proc_open, and the backtick operator `` ` ` `` (which behaves like shell_exec)

Defense:
1. Filtering `&` and `|` on their own is not enough: `;`, `||`, `&&`, newlines (`%0A`) and command substitution with `$( )` or backticks also separate or embed commands. Validate the input against an allow-list instead (for a ping interface, accept only a well-formed IP address) and, where a shell command really has to be built from user data, wrap the value with escapeshellarg() so it is passed as a single argument.
2. Harden the PHP configuration with the disable_functions directive in php.ini, for example disable_functions = assert,system,passthru,exec,pcntl_exec,shell_exec,popen,proc_open. The server then refuses to run these command-execution functions; the backtick operator is disabled together with shell_exec. This limits the damage of an injection but does not fix the injection itself.
3. Make strict judgements on user input: check the type, format and length, and reject anything that is not exactly what the interface expects.
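The following is an added example, not code from the original post. It is written in Python rather than PHP so that it runs on any host with /bin/sh, and it substitutes `echo` for the real ping binary (an assumption made so the output is deterministic). It shows the Linux separators from the section above defeating a filter that strips only `&` and `|` (defense 1 as literally stated), then puts the hardened handler from the defense list next to the vulnerable one. The PHP equivalents are system("ping -c 1 " . $_GET['ip']) for the vulnerable path, and allow-list validation plus escapeshellarg() for the hardened one.

```python
import ipaddress
import subprocess

# Stand-in for the real ping binary (an assumption for this example): "echo"
# prints its arguments, so the result is deterministic on any host with /bin/sh.
PING_CMD = "echo ping -c 1"

# Separators from the Linux list above, plus the newline form (%0A on the wire).
SEPARATORS = ("\n", ";", "||", "&&", "|", "&")


def vulnerable_ping(target):
    """Vulnerable pattern: the user-supplied target is concatenated into a
    command line that is handed to /bin/sh. This is what
    system("ping -c 1 " . $_GET['ip']) does in PHP."""
    result = subprocess.run(PING_CMD + " " + target, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def naive_filter(target):
    """Defense 1 as literally stated in the text: strip '&' and '|'."""
    return target.replace("&", "").replace("|", "")


def separators_surviving_filter(target):
    """Which of the known separators are still present after the naive filter."""
    cleaned = naive_filter(target)
    return {sep for sep in SEPARATORS if sep in cleaned}


def argv_only_ping(target):
    """No shell at all: the target is passed as a single argv element, so
    shell metacharacters are inert. On its own this is still not enough,
    because a target beginning with '-' would be parsed by ping as an option."""
    result = subprocess.run(PING_CMD.split() + [target],
                            capture_output=True, text=True)
    return result.stdout


def safe_ping(target):
    """Hardened handler: allow-list validation (the value must parse as an
    IPv4/IPv6 address) followed by execution without a shell. In PHP:
    validate the same way, then system("ping -c 1 " . escapeshellarg($ip))."""
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError("target is not an IP address: %r" % target)
    return argv_only_ping(str(ip))


if __name__ == "__main__":
    # Constructed payloads, one per separator discussed above.
    payloads = [
        "127.0.0.1; echo INJECTED",      # ';' always runs the next command
        "127.0.0.1 && echo INJECTED",    # '&&' runs it because echo succeeded
        "127.0.0.1\necho INJECTED",      # newline (%0A) starts a new command
        "127.0.0.1 | echo INJECTED",     # pipe: only the last command's output
    ]
    for p in payloads:
        print("vulnerable   %r -> %r" % (p, vulnerable_ping(p)))
        print("after filter %r -> %r" % (p, vulnerable_ping(naive_filter(p))))
    print("argv only    %r" % argv_only_ping("127.0.0.1; echo INJECTED"))
    print("safe         %r" % safe_ping("127.0.0.1"))
    try:
        safe_ping("127.0.0.1; echo INJECTED")
    except ValueError as e:
        print("safe rejects:", e)
```

Running it shows the `;`, `&&` and newline payloads executing a second command even after the filter, the pipe payload surviving only until the filter removes `|`, the argv-only handler passing the whole payload through as literal text, and the validated handler refusing it before anything is executed.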

Source: blog.csdn.net/weixin_45380284/article/details/114438341