Command injection vulnerability in DVWA

Table of Contents

Low

Medium

High

Impossible


Principle of the command execution vulnerability: in the operating system shell, "&", "&&", "|" and "||" can all be used as command connectors. The user submits input through the browser; because the server-side code hands that input to an execution function without filtering it, the user's input is spliced into the command line as an argument of the system command, and a command execution (injection) vulnerability results from the unfiltered input.

Low

Source code

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
	// Get input
	$target = $_REQUEST[ 'ip' ];

	// Determine OS and execute the ping command.
	if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
		// Windows
		$cmd = shell_exec( 'ping  ' . $target );
	}
	else {
		// *nix
		$cmd = shell_exec( 'ping  -c 4 ' . $target );
	}

	// Feedback for the end user
	$html .= "<pre>{$cmd}</pre>";
}

?>

It can be seen that the Low-level code takes the ip entered by the user (read from $_REQUEST, so it can arrive in the query string as well as the POST body) and, depending on whether the server is a Windows NT system, pings the target ip with the matching ping command. There is no filtering of the ip entered by the user at all, so we can exploit the command execution vulnerability directly.

Here we first ping the ip of the physical host machine.

If the output shows garbled characters, the fix is: find every "charset=utf-8" in the dvwaPage.inc.php file in the DVWA-master\dvwa\includes directory and change it to "charset=gb2312" (the Windows command output is encoded in the system's local code page, which does not match the UTF-8 charset the page declares).

Then try entering 192.168.43.52|ipconfig. In the operating system shell, "&", "&&", "|" and "||" can all be used as command connectors, so after the ping the ipconfig command is executed and shows the ip information.

As you can see, it executed successfully. We can then go on executing our own commands by replacing ipconfig with other system commands.

Here we can try to add a system account named df; because there is no protection software on the target, the account is added directly (this only works because the web server process runs with administrator privileges, since net user /add fails without them):

192.168.43.52&net user df 123456qwer.. /add

Medium

Looking at the source code, we can see that on top of the Low level, filtering of "&&" and ";" has been added, so we simply avoid using "&&" and ";".

The difference between "&" and "&&" is exploited here: "&&" executes the following command only if the previous command succeeded, while "&" executes the latter regardless of whether the previous command succeeded or not, so 192.168.43.52&ipconfig still chains our command onto the ping.

High

As you can see, the High-level code has switched to a blacklist that filters out some common command connectors. Blacklist filtering looks safe, but if the blacklist is incomplete it is easy to bypass. Looking carefully at the "|" entry in the blacklist, we find that there is a space after the "|", so the filter only removes "| " (pipe followed by a space); we can bypass it simply by entering "|" with no space after it, as in 192.168.43.52|ipconfig.
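The following Python script is an added example, not code from the original post or from DVWA: it models the three filter levels discussed above (Low strips nothing, Medium strips "&&" and ";", High strips a longer blacklist whose "|" entry carries a trailing space) and reports which attacker command, if any, survives each filter for the payloads used on this page. The Medium and High token lists are reconstructed from the page's description and from my recollection of DVWA's medium.php and high.php, and the single-pass str_replace behaviour they mirror is an assumption; verify both against your own copy before relying on a payload.

```python
"""Model of the DVWA command-injection filters on this page (added example,
not DVWA's own code). Token lists are reconstructed: Medium removes "&&"
and ";", High removes a blacklist whose "|" entry has a trailing space.
Verify them against dvwa/vulnerabilities/exec/source/*.php.
"""

# Tokens that chain a second command onto the ping (";" only on *nix shells).
CONNECTORS = ("&&", "||", "&", "|", ";")

# Tokens each level strips, in order. DVWA applies each with one
# str_replace() pass, which is what apply_filter mirrors (assumption).
SUBSTITUTIONS = {
    "low": [],
    "medium": ["&&", ";"],
    "high": ["&", ";", "| ", "-", "$", "(", ")", "`", "||"],  # reconstructed list
}


def apply_filter(level, target):
    """Return the target string after the level's blacklist has been applied."""
    for token in SUBSTITUTIONS[level]:
        target = target.replace(token, "")
    return target


def build_command(level, target, windows=True):
    """Return the command line shell_exec() would receive after filtering."""
    prefix = "ping  " if windows else "ping  -c 4 "
    return prefix + apply_filter(level, target)


def injected_command(level, target):
    """Return the attacker-controlled command that survives the filter,
    i.e. everything after the first connector left in the string, or None."""
    filtered = apply_filter(level, target)
    first = None  # (position, token); the longest token wins at equal positions
    for token in CONNECTORS:
        pos = filtered.find(token)
        if pos == -1:
            continue
        if first is None or pos < first[0] or (pos == first[0] and len(token) > len(first[1])):
            first = (pos, token)
    if first is None:
        return None
    pos, token = first
    return filtered[pos + len(token):].strip()


# Payloads from the page plus two constructed ones that probe Medium and High.
PAYLOADS = [
    "192.168.43.52|ipconfig",                        # works at Low and High
    "192.168.43.52&net user df 123456qwer.. /add",   # works at Low and Medium
    "192.168.43.52&&ipconfig",                       # "&&" stripped at Medium
    "192.168.43.52&;&ipconfig",                      # ";" removed -> "&&" survives Medium
    "192.168.43.52| ipconfig",                       # "| " stripped at High
]

if __name__ == "__main__":
    for level in SUBSTITUTIONS:
        for payload in PAYLOADS:
            print(f"{level:7} {payload!r:48} -> {injected_command(level, payload)!r}")
```

The "&;&" payload illustrates the classic weakness of single-pass blacklist stripping: removing ";" from the middle of "&;&" reassembles the very "&&" the Medium filter was meant to block.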


Impossible

Source code:

<?php
if( isset( $_POST[ 'Submit' ]  ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
    // Get input
    $target = $_REQUEST[ 'ip' ];
    $target = stripslashes( $target );
    // Split the IP into 4 octects
    $octet = explode( ".", $target );
    // Check IF each octet is an integer
    if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) {
        // If all 4 octets are int's put the IP back together.
        $target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3];
        // Determine OS and execute the ping command.
        if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
            // Windows
            $cmd = shell_exec( 'ping  ' . $target );
        }
        else {
            // *nix
            $cmd = shell_exec( 'ping  -c 4 ' . $target );
        }
        // Feedback for the end user
        echo "<pre>{$cmd}</pre>";
    }
    else {
        // Ops. Let the user name theres a mistake
        echo '<pre>ERROR: You have entered an invalid IP.</pre>';
    }
}
// Generate Anti-CSRF token
generateSessionToken();
?> 

stripslashes(string): removes backslashes from the string and returns the stripped string.

explode(separator, string, limit): splits the string into an array and returns that array of strings. The parameter separator specifies where to split, string is the string to be split, and the optional limit specifies the maximum number of array elements returned.

is_numeric(string): checks whether the value is a number or a numeric string; returns TRUE if it is and FALSE otherwise.

It can be seen that the Impossible-level code adds an Anti-CSRF token and strictly restricts the ip parameter: only input of the form "number.number.number.number" is accepted and passed to ping, so no command connector can reach the shell and there is no command injection vulnerability.
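To make the allowlist argument concrete, here is an added example in Python (not DVWA's code): dvwa_impossible_accepts() mirrors the page's check, using php_is_numeric() as an approximation of PHP 7's is_numeric() for strings (leading whitespace, sign, decimal part and exponent allowed), while validate_ipv4() and ping_argv() show the stricter form a practitioner would normally use: accept only a canonical dotted quad and run ping as an argv list with no shell at all, so even a connector that somehow passed validation would reach ping as one literal argument. The "-n 4" Windows flag and the is_numeric emulation are my assumptions, not something the page states.

```python
"""Allowlist validation of the ping target, contrasted with the page's
Impossible-level check (added example, not DVWA's own code)."""
import ipaddress
import platform
import re
import subprocess

# Approximation of PHP 7's numeric-string grammar: optional leading whitespace,
# optional sign, digits with optional decimal and exponent parts (assumption;
# PHP 8 additionally tolerates trailing whitespace).
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_is_numeric(value):
    """Emulate is_numeric() for a string argument."""
    return _PHP_NUMERIC.match(value) is not None


def dvwa_impossible_accepts(target):
    """Mirror of the page's check: explode on '.', require exactly four
    numeric pieces, and return the string that would be spliced into the
    ping command, or None when the request would be rejected."""
    octets = target.split(".")
    if len(octets) != 4 or not all(php_is_numeric(o) for o in octets):
        return None
    return ".".join(octets)


def validate_ipv4(target):
    """Strict allowlist: a canonical dotted quad and nothing else. Rejects the
    whitespace, signs and exponents that is_numeric() tolerates."""
    try:
        return str(ipaddress.IPv4Address(target))
    except ValueError:  # AddressValueError is a subclass of ValueError
        return None


def ping_argv(target, windows=None):
    """Build the ping command as an argv list. No shell is involved, so shell
    connectors in `target` could never start a second command."""
    ip = validate_ipv4(target)
    if ip is None:
        raise ValueError("invalid IPv4 address")
    if windows is None:
        windows = platform.system() == "Windows"
    return ["ping", "-n", "4", ip] if windows else ["ping", "-c", "4", ip]


def ping(target):
    """Run the validated ping and return its output (needs a real network)."""
    result = subprocess.run(ping_argv(target), capture_output=True, text=True, timeout=30)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: the page's payload, a loose-but-harmless value the
    # page's check admits, and a clean address.
    for t in ("192.168.43.52|ipconfig", "1e3.2.3.4", " 192.168.43.52", "192.168.43.52"):
        print(f"{t!r:28} impossible={dvwa_impossible_accepts(t)!r:20} strict={validate_ipv4(t)!r}")
```

Note that what is_numeric() lets through beyond a plain integer (an exponent such as "1e3", a leading space) contains no shell metacharacter, so the page's conclusion holds; the strict validator simply removes the need to reason about that at all.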

——If the heart has no place to rest, it wanders wherever it goes


Origin blog.csdn.net/qq_44159028/article/details/114642831