Principle of Command Injection Vulnerability
A command injection vulnerability (also called a command-line injection vulnerability) arises when a web application calls a function that executes system commands and the input parameters of that call are controllable by the user. If an attacker splices extra commands into that input, the server executes them, allowing unauthorized operations.
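As an added illustration of the principle above (this is example code written for this page, not code from the walkthrough or from any of the tools it uses), the block below contrasts the vulnerable pattern, user input concatenated into a command string that a shell parses, with the hardened pattern, an allowlist check followed by a call without a shell. The command is echo, standing in for a real utility such as ping, and the injected input is a constructed sample whose appended command is itself just an echo, so the demonstration is harmless to run.

```python
import ipaddress
import re
import subprocess

# Constructed sample input: a "host" value with an appended shell command.
# The appended command is a harmless echo, so running this is safe.
INJECTED_INPUT = "example.test; echo INJECTED"

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_valid_host(value: str) -> bool:
    """Allowlist check: accept only an IP address or a plain hostname.
    Shell metacharacters (; | & $ ` etc.) never pass this test."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def run_vulnerable(user_input: str) -> str:
    """Vulnerable pattern: input is glued into a command string and handed to
    a shell. The shell treats ';' as a command separator, so the appended
    command runs too. (echo stands in for e.g. 'ping -c 1 <host>'.)"""
    cmd = "echo " + user_input
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(user_input: str) -> str:
    """Hardened pattern: validate against the allowlist, then call the program
    with an argument list and no shell. Whatever the input contains is passed
    as one literal argument and is never parsed as command syntax."""
    if not is_valid_host(user_input):
        raise ValueError("rejected host value: %r" % user_input)
    return subprocess.run(["echo", user_input], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("vulnerable output:", repr(run_vulnerable(INJECTED_INPUT)))
    print("hardened output:  ", repr(run_hardened("192.168.101.46")))
    try:
        run_hardened(INJECTED_INPUT)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

Even without the allowlist, the argument-list form alone defeats the separator trick; the allowlist is the second layer, so that a value the program itself might misinterpret (an option-looking string, for instance) is also refused.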
Target machine setup
Link: https://pan.baidu.com/s/1W8kgkYPrHchakwy9kU6g7A
Extraction code: 9mm5
Vulnerability reproduction
- Use netdiscover to find live hosts
netdiscover -i eth0
- Use nmap to perform service detection on the target
nmap -sV 192.168.101.46
- Only the Apache service on port 80 is found to be open
- Use dirb to enumerate the website's directories
dirb http://192.168.101.46
- Sensitive directory information is found
- The robots.txt file points to a nothing directory, which contains possible user password information
- Open the nothing directory and view the page source
- Enter the secure directory and find a compressed archive; download and unzip it
- Decompression requires a password, so try the passwords found above one by one
- The decompressed file has an mp3 suffix; checking it with the file command shows it is actually a text file
- Use cat to view its contents
- It reveals a user touhid and another directory; the password is unknown
- Opening that directory shows the backend of a website built with playSMS
- Logging in with the username touhid and the password diana succeeds
- Because this is a known framework, ready-made exploit scripts for it can be searched for online. Here the searchsploit command bundled with Kali is used
searchsploit playSMS
- Check the information for the vulnerability module and read the exploit overview carefully
cat /usr/share/exploitdb/exploits/php/webapps/42003.txt
The principle of this vulnerability is as follows: when a user uploads a file named backdoor.php, the server does not execute the PHP content of the file, because it only reads the file name. But if the file name itself is changed to <?php system('uname -a');die();?>.php, the server executes the code contained in the file name. This is actually a code execution vulnerability.
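The root cause described above is that a client-supplied file name reaches an evaluating context instead of being treated as plain data. The block below is an added example written for this page (not playSMS code, and not part of the walkthrough) of how an upload handler should treat that name: flag names that carry code or shell metacharacters for alerting, discard the client name entirely and generate the stored name server-side with an allowlisted extension, and HTML-escape the original name if it must ever be shown. The file names are constructed samples; the first is the one the walkthrough describes.

```python
import html
import os
import re
import secrets

# Constructed samples: the code-carrying name from the walkthrough, and a benign one.
CODE_IN_FILENAME = "<?php system('uname -a');die();?>.php"
BENIGN_FILENAME = "contacts-2024.csv"

# Assumption for this example: the import feature only accepts CSV files.
ALLOWED_EXTENSIONS = {"csv"}
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
# PHP tags, command substitution, backticks and shell separators.
CODE_MARKERS = re.compile(r"<\?|\?>|\$\(|`|[;|&]")


def extension_of(filename: str) -> str:
    """Lower-cased extension, or '' when there is none."""
    base = os.path.basename(filename)
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def is_suspicious_filename(filename: str) -> bool:
    """Detection: true when the name carries code/shell markers or any character
    outside the conservative allowlist. Suitable for logging and alerting."""
    base = os.path.basename(filename)
    return bool(CODE_MARKERS.search(base)) or not SAFE_NAME_RE.match(base)


def server_side_name(filename: str) -> str:
    """Mitigation: never reuse the client name on disk or in templates. Keep only
    the allowlisted extension and generate the stored name from random bytes."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: %r" % ext)
    return "upload_%s.%s" % (secrets.token_hex(8), ext)


def display_name(filename: str) -> str:
    """If the original name must be shown, escape it as text; never pass it to
    eval(), a template engine with code evaluation, or a shell."""
    return html.escape(os.path.basename(filename))


if __name__ == "__main__":
    for name in (CODE_IN_FILENAME, BENIGN_FILENAME):
        print("suspicious:", is_suspicious_filename(name), "->", display_name(name))
        try:
            print("stored as:", server_side_name(name))
        except ValueError as exc:
            print("rejected:", exc)
```

The detection function is deliberately broader than the mitigation needs: the handler would be safe with server-side naming alone, but a name like the first sample is worth an alert regardless of whether the upload was ultimately rejected.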
- Open the URL used for vulnerability verification
- First create a csv file, then use Burp Suite to capture the upload request
- In Burp, replace the value of the filename variable
After the filename value is changed, the page displays the echoed output of the command.
The output shows that the command ran as the www-data user.