Command Injection
Interface
Source code
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}
?>
Code analysis
When the form is submitted, the ip value is read from $_REQUEST (so it is accepted from the query string as well as the POST body). php_uname('s') then identifies the operating system of the server running DVWA, not the machine submitting the form: on Windows NT the script runs ping ip, on any other OS it runs ping -c 4 ip (four echo requests). Whatever shell_exec() returns is echoed back to the user inside a <pre> block, so the output of any command the shell runs is shown on the page.
Exploitation steps
Step 1: Reading the code shows that the ip value is never validated; it is concatenated straight into a shell command string and passed to shell_exec(). Because a shell parses that string, separators such as && are honoured, so an input of the form ip && other command makes the server run the extra command after the ping and return its output, which can expose sensitive data on the host.
Step 2: Enter 127.0.0.1 normally and confirm the page returns ping output for the server's own loopback interface.
Step 3: List the web server's current directory by submitting 127.0.0.1 && dir (dir assumes a Windows server, as in the WWW\DVWA setup described at the end of this page; on a Linux server use ls instead).
Separators that can be used to build the payload
The first one: ip && other command
Runs ping ip first and executes the other command only if ping exits successfully (exit status 0), so the target has to be reachable for the injected command to run.
The second one: ip & other command
Runs the first command and then the other command regardless of whether ping succeeded or failed (that is the cmd.exe behaviour; in a Linux shell & puts ping in the background and starts the other command immediately, so the injected command still runs).
The third one: (ip) | other command
ip can be omitted. The output of the first command is fed to the second command's standard input, and only the second command's output is printed; ping with no target just prints its usage text, so | dir on its own is enough.
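The exploitation steps and the separator analysis above, worked through in Python as an added example (this is not DVWA's code and not from the original write-up). build_vulnerable_command() reproduces the string concatenation in the PHP source without executing anything, shell_segments() splits the resulting command line on the operators the shell honours so the smuggled commands become visible, and is_valid_ping_target() with safe_ping_argv() show the fix: an allow-list check with the ipaddress module and an argv list handed to subprocess so no shell ever parses the value. The payloads are the ones from the write-up; shell_segments() is a deliberately simplified splitter that ignores quoting and escaping, and it also recognises || and ; beyond the three operators the page lists (; is a separator in sh but not in cmd.exe). All function names are my own.

```python
import ipaddress
import re
import subprocess
import sys
from typing import List, Optional, Tuple

# Operators the shell treats as command separators. "||" and ";" go
# beyond the three in the write-up; ";" is honoured by sh but not by
# cmd.exe. Two-character forms come first so "&&" is not read as "&" "&".
_SPLIT_RE = re.compile(r"(\|\||&&|[&|;])")


def build_vulnerable_command(target: str) -> str:
    """Reproduce what the DVWA low-level PHP does: paste the user value
    into a shell string. Nothing is executed; this is the exact string
    shell_exec() would hand to cmd.exe or /bin/sh."""
    if sys.platform.startswith("win"):
        return "ping " + target
    return "ping -c 4 " + target


def shell_segments(cmdline: str) -> List[Tuple[Optional[str], str]]:
    """Split a command line on shell separators.

    Returns [(operator_before, command), ...]. Simplified on purpose:
    quoting and escaping are ignored, which is enough to show which
    extra commands an injected value smuggles past the ping."""
    parts = _SPLIT_RE.split(cmdline)  # even indexes: commands, odd: operators
    segments = []
    op = None
    for i, piece in enumerate(parts):
        if i % 2 == 1:
            op = piece
            continue
        cmd = piece.strip()
        if cmd:  # "| dir" has an empty left-hand side
            segments.append((op, cmd))
    return segments


def injected_commands(target: str) -> List[str]:
    """Every command the shell would run in addition to the intended ping."""
    segs = shell_segments(build_vulnerable_command(target))
    return [cmd for op, cmd in segs if op is not None]


def is_valid_ping_target(value: str) -> bool:
    """Allow-list check: accept only a single IPv4 or IPv6 literal.
    Whitespace, hostnames and every shell operator fail to parse."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def safe_ping_argv(target: str) -> List[str]:
    """Build the argv list for a validated target. The list goes to
    execve/CreateProcess directly, so no shell ever sees the value."""
    if not is_valid_ping_target(target):
        raise ValueError("refusing to ping %r: not an IP address" % target)
    if sys.platform.startswith("win"):
        return ["ping", target]
    return ["ping", "-c", "4", target]


def safe_ping(target: str) -> str:
    """Hardened replacement for shell_exec('ping ' . $target)."""
    result = subprocess.run(safe_ping_argv(target), capture_output=True,
                            text=True, timeout=30)
    return result.stdout


if __name__ == "__main__":
    # Constructed payloads: the three from the write-up plus a clean value.
    for payload in ("127.0.0.1", "127.0.0.1 && dir", "127.0.0.1 & dir", "| dir"):
        print("input        :", payload)
        print("shell string :", build_vulnerable_command(payload))
        print("injected     :", injected_commands(payload))
        print("allow-listed :", is_valid_ping_target(payload))
        print()
```

Running the script prints, for each payload, the string the PHP would hand to the shell, the extra commands hidden in it, and whether the allow-list would have accepted it; only the plain 127.0.0.1 passes. If hostnames must be accepted too, extend is_valid_ping_target() with a strict hostname regex rather than trying to blacklist operators, and keep passing an argv list: escaping the value for one shell and then concatenating it is exactly the pattern that fails.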
Possible commands
On a Windows server use dir where you would use ls on Linux,
and type where you would use cat on Linux.
Problems encountered
Garbled DVWA output
Solution: change every utf-8 in the dvwaPage.inc.php file under the WWW\DVWA\dvwa\includes folder to GBK.