The Basic Vulnerabilities of the Web--Command Execution Vulnerabilities

Table of contents

1. Command Execution Vulnerabilities

1. The principle of command execution vulnerability

2. Classification of command execution vulnerabilities

3. Harm of command execution vulnerability

4. Preventive measures for command execution vulnerabilities

5. Bypassing command execution vulnerabilities


1. Command Execution Vulnerabilities

A command execution vulnerability means that an attacker can make the server run arbitrary system commands. It is one of the high-risk vulnerability classes and is closely related to code execution. Command execution vulnerabilities are not limited to the B/S (browser/server) architecture; they are also frequently encountered in C/S (client/server) applications.

Simply put, the user submits data through the browser that ends up inside a command the server executes. Because the server does not filter what it passes to the command execution function, and the command is often invoked without an absolute path, the user may be able to inject additional commands or tamper with $PATH and other parts of the program's execution environment in order to run maliciously crafted code.

1. The principle of command execution vulnerability

The command execution vulnerability arises because applications sometimes need to call functions that execute system commands or code, such as system(), exec(), shell_exec(), eval() and passthru(). When the code does not filter the parameters that users can control, and a user controls the arguments passed to one of these functions, malicious system commands can be spliced onto the intended command, resulting in a command execution attack.

2. Classification of command execution vulnerabilities

Direct command injection execution vulnerability
The application directly uses functions that execute dangerous system commands, such as PHP's system and exec functions, and the arguments to these functions are controllable by the user. If filtering is not strict, the probability of a command execution vulnerability increases. (Note: (CGI) system command injection vulnerabilities such as the Bash vulnerability belong to this type: a user can directly change the value of the HTTP User-Agent header to trigger command injection.)

Command include execution vulnerability
Command local/remote include vulnerability: this vulnerability is triggered when the application directly includes or executes a user-controllable uploaded script file or a remote file (a file referenced by URL).

Command deserialization execution vulnerability
Some dynamic scripting languages, such as PHP, support transmitting serialized instance objects. The server then deserializes the object and runs the constructor, destructor or __wakeup() method of the resulting instance. If these methods use user-controllable parameters, a command/code injection execution vulnerability is triggered; the principle is the same as for direct injection above.

Command dynamic variable execution vulnerability
Some dynamic scripting languages, such as PHP, support dynamic definition of variables or functions: variable names, variable values or function names can be assembled at runtime from parameter names. If the code contains constructs like this, a dynamic variable/function execution vulnerability can exist.

3. Harm of command execution vulnerability

1. Execute system commands or read and write files with the privileges inherited from the web service process

2. Reverse shell

3. Control of the entire website and even the server

4. Further intranet penetration

4. Preventive measures for command execution vulnerabilities

1. Avoid executing external commands wherever possible

2. Use custom functions or function libraries in place of external command execution functions

3. Use the escapeshellarg function to process command parameters

4. Use safe_mode_exec_dir to specify the directory of executable files, so that the commands to be used are placed in this path in advance, e.g. safe_mode_exec_dir = /usr/local/php/bin (note that safe_mode, and with it safe_mode_exec_dir, was removed in PHP 5.4, so this measure only applies to older PHP installations)
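To make measures 3 and 4 concrete, here is an added example (not code from the original post) of a "ping this host" helper written first the vulnerable way and then hardened with input validation, escapeshellarg and an absolute binary path; the function names and the sample input are assumptions for illustration.

```php
<?php
// Added example, not from the original post: the same helper in its
// vulnerable form and in a hardened form.

// VULNERABLE: the user-controlled value is spliced straight onto the
// command line, so shell metacharacters in $host are interpreted by the
// shell and anything after ';', '|' or '&&' runs as a separate command.
function pingHostVulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 " . $host);
}

// HARDENED: three layers that match the preventive measures above.
function pingHostSafe(string $host): string
{
    // 1. Allowlist validation: only characters that can appear in a
    //    hostname or IPv4 address are accepted; everything else is rejected.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    // 2. escapeshellarg() quotes the value so the shell treats it as one
    //    literal word even if the regex above is ever relaxed.
    $arg = escapeshellarg($host);
    // 3. Absolute path: a tampered $PATH cannot substitute another "ping".
    $output = shell_exec('/bin/ping -c 1 ' . $arg);
    return $output === null || $output === false ? '' : $output;
}

// Constructed input containing a shell metacharacter.
$untrusted = '127.0.0.1; id';
try {
    echo pingHostSafe($untrusted);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```

The vulnerable variant would run both ping and the injected command for the same input, which is exactly the splicing described in section 1.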

5. Bypassing command execution vulnerabilities

  1. Space filtering bypass
  2. Blacklist bypass
  3. Wildcard bypass
  4. Restrained execution bypass
  5. Encoding bypass
  6. Length restriction bypass

Origin blog.csdn.net/weixin_62421736/article/details/130977467