【DVWA】Command Injection
Command Injection means command injection. Applications sometimes call some functions that execute system commands. For example, in PHP, system commands can be executed using functions such as system, exec, shell_exec, passthru, popen, and proc_popen. When hackers can control the parameters in these functions , they can splice malicious system commands into normal commands to cause command execution attacks. This is a command injection vulnerability.
One, low level
1. Vulnerability testing
As shown in the figure, ipconfig is executed successfully. Of course, you can also view some sensitive files through cat under Linux, such as /etc/password or shadow files. Detailed documentation
Regarding the use of symbols:
windows given Linux :
"|": command1 | command2; directly execute the following command;
"||": command1 || command2; Only if the preceding is false (execution error) will the following command be executed. ping 2 || ipcongfig
"&": command1 & command2; will execute the following statement regardless of whether the preceding is true or false.
"&&": command1 && command2; The following statement will be executed only if the previous is true. Ping 127.0.0.1 && whoami
Another Linux :
";": command1; command2; After executing the previous statement, execute the following statement.
2. Source code analysis
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = $_REQUEST[ 'ip' ];
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
//判断一下系统类别
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 4 ' . $target );
}
// Feedback for the end user
echo "<pre>{
$cmd}</pre>";
}
?>
Detailed function:
php_uname('mode')
: Where mode is a single character
'a'
: This is the default. It contains a sequence"s n r v m"
in all modes.'s'
: Operating system name. ForFreeBSD
example: .'n'
:CPU name. Forlocalhost.example.com
example: .'r'
: Version name, for5.1.2-RELEASE
example: .'v'
:Version Information. There are big differences between operating systems.'m'
: Machine type. Fori386
example: .
shell_exec('cmd')
: Where cmd is the system command to be executed
stristr()
Function: Search for the first occurrence of a string in another string, and return that the string and the remainder are binary safe and case-insensitive. If you need to be case sensitive, you should use the strstr() function
2. Medium level
1. Vulnerability testing
Error entering 222.24.28.118 && hostname:
Enter 8 | hostname successfully executed:
2. Source code analysis
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = $_REQUEST[ 'ip' ];
// Set blacklist
$substitutions = array(
'&&' => '',
';' => '',
);
// Remove any of the charactars in the array (blacklist).
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
//将传入参数中的&&和;替换为空
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 4 ' . $target );
}
// Feedback for the end user
echo "<pre>{
$cmd}</pre>";
}
?>
For example, the source code above uses a blacklist filtering mechanism, replacing the && and; in the parameters passed in by the user with empty to try to prevent command injection, but other symbols such as |, ||, & can be used.
You can also use the patchwork method :222.24.28.118 &;& ipconfig
Three, high level
1. Vulnerability testing
Enter 222.24.28.118 || ipconfig
successfully executed:
Input 222.24.28.118 |whoami
successfully executed:
2. Source code analysis
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = trim($_REQUEST[ 'ip' ]); //trim函数去除开头和结尾的空格,以及换行符\n,Tab键\t等
// Set blacklist
$substitutions = array( //采用黑名单过滤机制
'&' => '',
';' => '',
'| ' => '', //过滤了| ,但注意|后有一个空格,可以直接绕过
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',
'||' => '',
);
// Remove any of the charactars in the array (blacklist).
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 4 ' . $target );
}
// Feedback for the end user
echo "<pre>{
$cmd}</pre>";
}
?>
Compared with the medium level, the high level improves the blacklist mechanism, but a closer look reveals that it filters | plus spaces, so you can bypass it directly by typing |.
And 222.24.28.118 || ipconfig
it can also be bypassed, because the filtering mechanism is filtered according to the order in the array, first filtering | spaces, and then the rest 222.24.28.118 |ipconfig
can be executed successfully.
Four, impossible level
Source code analysis
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$target = $_REQUEST[ 'ip' ];
$target = stripslashes( $target ); //删除所有反斜杠
// Split the IP into 4 octects
$octet = explode( ".", $target ); //把字符串打散为数组,这里是把ip用点区分为四个数组元素
// Check IF each octet is an integer //检查每个元素是否是一个数字,并且该数组有4个元素
if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) {
// If all 4 octets are int's put the IP back together.
$target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3];
//将ip重新拼接为点分十进制的形式
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 4 ' . $target );
}
// Feedback for the end user
echo "<pre>{
$cmd}</pre>";
}
else {
// Ops. Let the user name theres a mistake
echo '<pre>ERROR: You have entered an invalid IP.</pre>';
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>
It can be seen from the above code that he first divides the incoming string with'.' and breaks it into an array, and judges whether each element in the array is a number, and whether the array has a total of 4 elements. Strictly imposed format restrictions, it is more difficult to bypass.
V. Vulnerability repair suggestions
1. Not used
Try not to use commands to execute functions.
For the PHP language, it is best not to use dangerous functions that cannot be fully controlled.
2. If you have to use it, you must filter before the parameters are passed in.
The variables submitted by the client terminal must be filtered and tested before entering the execution command function.
Before using dynamic functions, make sure that the function used is one of the specified functions.