[Network Security] DVWA's Command Injection attack posture and problem-solving detailed analysis collection

Command Injection

Command Injection is a vulnerability that occurs when an application builds an operating-system command from user-supplied input without adequately validating or escaping it.

When the application assembles such a command, an attacker who controls part of the string can append shell control operators and run arbitrary commands with the privileges of the web server process. The result is unauthorized activity on the host: running attacker-chosen code, reading sensitive data, changing system configuration, and so on.

The following are the common shell control operators that chain commands on one line; they decide whether, and in what order, the attached command runs. The same five work in a POSIX shell and (apart from the semicolon) in Windows cmd.exe, which is what DVWA's shell_exec() ends up calling on a Windows host.

  1. ;: The semicolon runs several commands in sequence on one line. The following command runs whether or not the previous one succeeded.
    A;B //B runs regardless of whether A succeeds (cmd.exe does not treat ; as an operator)

  2. &: In a POSIX shell, A & B starts A in the background and runs B immediately. In cmd.exe, & simply runs A and then B, again regardless of A's result. In both cases B executes.
    A&B //A and B both run (in parallel under a POSIX shell, one after the other under cmd.exe)

  3. &&: The AND operator runs the following command only if the previous command succeeded (exit status 0). If it failed (non-zero status), the following command is skipped.
    A&&B //B runs only after A succeeds

  4. |: The pipe connects the standard output of the previous command to the standard input of the next one; B runs regardless of A's result. B does not receive A's output as an argument, so a target such as ipconfig, which ignores its standard input, simply runs and prints its own output.
    A|B //A's output is fed to B's stdin; B runs whether or not A succeeds

  5. ||: The OR operator runs the following command only if the previous one failed (non-zero status). If the previous command succeeded (status 0), the following command is skipped.
    A||B //B runs only if A fails

Low level

source code

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>

code audit

This is a simple PHP script that runs a ping command and returns the output to the user.

It first checks $_POST['Submit'] to see whether the form's Submit button was pressed; only then does the rest of the code run.

Then it reads the ip field from $_REQUEST, which is expected to hold an IP address or host name for ping. Because $_REQUEST is used rather than $_POST, the value is accepted from the query string or a cookie as well as from the form body.

Next, php_uname('s') identifies the operating system: if the name contains 'Windows NT' the host is Windows, otherwise it is treated as *nix.

On Windows, shell_exec() runs ping followed directly by the user's string and stores the output in $cmd; on *nix it runs ping -c 4 (send four ICMP echo requests) the same way. In both branches the target is concatenated into the command string with no validation or escaping at all, which is the vulnerability.

Finally, echo prints the output inside a <pre> tag so that its formatting is preserved.

posture

Since the program does not filter the input at all, the client can append a command of its own to the ping target and read that command's output in the response.

Payload: 127.0.0.1&&ipconfig

127.0.0.1 is the IPv4 loopback address: it always refers to the local host, so the ping succeeds and && allows the next command to run.

ipconfig is a Windows command that prints the current network configuration (IP address, subnet mask, default gateway, and so on); on a Linux target use ifconfig, ip addr or id instead.

The shell therefore receives ping  127.0.0.1&&ipconfig, pings the local machine first, and then runs ipconfig and appends its output.

The response (screenshot omitted) shows the ping statistics followed by the ipconfig output: command injection succeeded.

Medium level

source code

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Set blacklist
    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );

    // Remove any of the charactars in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>

code audit

The Medium level adds a small blacklist and relies on string replacement to stop command injection.

The code logic is as follows:

  1. Check whether the form submit button named "Submit" was clicked.
  2. Read the IP address entered by the user (again via $_REQUEST) into the $target variable.
  3. Define the blacklist array $substitutions, mapping each forbidden string to its replacement: '&&' => '' and ';' => ''.
  4. Call str_replace() to delete every occurrence of the blacklisted strings. Note that str_replace() makes one non-recursive pass per array entry, in array order, so a string produced by one deletion is not checked again.
  5. Determine the operating system and run ping through shell_exec(): plain ping on Windows, ping -c 4 on *nix.
  6. Store the command output in the $cmd variable.
  7. Print it inside a <pre> tag so the formatting is kept.

posture

Since the blacklist removes only && and ;, the other operators from the list above still work for command injection:

127.0.0.1 & ipconfig

127.0.0.1 | ipconfig

111 || ipconfig    note this operator's condition: ipconfig runs only because ping 111 fails

Because each str_replace() entry is applied once, in order, && can also be smuggled through: in 127.0.0.1&;&ipconfig the '&&' pass finds nothing, and the ';' pass then deletes the semicolon and hands 127.0.0.1&&ipconfig to the shell.

The response (screenshot omitted) again shows the ipconfig output after the ping statistics.

High level

source code

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = trim($_REQUEST[ 'ip' ]);

    // Set blacklist
    $substitutions = array(
        '&'  => '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );

    // Remove any of the characters in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>

code audit

This level filters user input more strictly than the Medium one.

The code logic is as follows:

  1. Check whether the form submit button named "Submit" was clicked.
  2. Read the user's IP address, strip leading and trailing whitespace with trim(), and store it in $target.
  3. Define the blacklist array $substitutions to delete special characters from the input:
  • & is removed, which also breaks && (the operator Medium left open).
  • ; is removed.
  • '| ' (a pipe followed by one space) is removed; note that the entry is two characters, not a bare pipe.
  • - is removed, so no additional ping options can be appended.
  • $ is removed, blocking $(...) command substitution and variable expansion.
  • ( and ) are removed, blocking subshells and grouping.
  • ` is removed, blocking backtick command substitution.
  • || is removed.
  4. str_replace() deletes every occurrence of these strings, one entry at a time in array order.
  5. Determine the operating system and run ping through shell_exec(): plain ping on Windows, ping -c 4 on *nix.
  6. Store the command output in the $cmd variable.
  7. Print it inside a <pre> tag so the formatting is kept.

posture

  '| ' => ''

The blacklist entry is the pipe character followed by a space, so only | with a trailing space is removed; a bare | is untouched. Sending the payload without the space therefore bypasses the filter:

127.0.0.1|ipconfig

On Windows the ping output is piped into ipconfig, which ignores its standard input, so the response (screenshot omitted) shows the network configuration just as at the lower levels. The same ordering also defeats the '||' entry: in 127.0.0.1 || ipconfig the '| ' pass runs first and leaves 127.0.0.1 |ipconfig, which is again a working pipe.
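As an added example in Python (not DVWA's PHP), the harness below replays the Low, Medium and High input filters exactly as the $substitutions arrays above define them, concatenates the result the way shell_exec('ping  ' . $target) does, and splits the command line on control operators to show which payloads still yield a second command. It goes beyond the page's own payloads in two cases derived from the filter order: the &;& trick against Medium and || surrounded by spaces against High. The payload list is constructed and nothing is executed; the shell-style tokenising is done with the standard library's shlex.

```python
"""Replay DVWA's Command Injection filters (Low/Medium/High) and show which
payloads still split into more than one command.  Added example, not DVWA code."""
import shlex

# The $substitutions blacklists from the DVWA Medium and High sources.  PHP's
# str_replace() with array arguments applies each entry, in order, as one
# non-recursive pass over the whole string; str.replace() behaves the same.
BLACKLISTS = {
    "low": [],
    "medium": ["&&", ";"],
    "high": ["&", ";", "| ", "-", "$", "(", ")", "`", "||"],
}

# Control operators from the list at the top of the page.
CONTROL_OPERATORS = {";", "&", "&&", "|", "||"}


def apply_filter(level: str, target: str) -> str:
    """Mirror the PHP: trim() (High only), then str_replace() of each blacklisted string."""
    if level == "high":
        target = target.strip()
    for bad in BLACKLISTS[level]:
        target = target.replace(bad, "")
    return target


def build_command_line(level: str, target: str, windows: bool = True) -> str:
    """Concatenate exactly as shell_exec('ping  ' . $target) does (note the two spaces)."""
    prefix = "ping  " if windows else "ping  -c 4 "
    return prefix + apply_filter(level, target)


def split_commands(cmdline: str) -> list[str]:
    """Tokenise like a shell and cut the token stream at control operators.

    shlex with punctuation_chars=True returns runs of ;&|() as their own
    tokens, so '127.0.0.1&&ipconfig' becomes ['127.0.0.1', '&&', 'ipconfig'].
    """
    lexer = shlex.shlex(cmdline, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in CONTROL_OPERATORS:
            commands.append(" ".join(current))
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(" ".join(current))
    return commands


def injected_commands(level: str, payload: str, windows: bool = True) -> list[str]:
    """The separate commands the shell would run for this payload at this level."""
    return split_commands(build_command_line(level, payload, windows))


def bypasses(level: str, payload: str, windows: bool = True) -> bool:
    """True when the filtered payload still yields a command other than ping."""
    return len(injected_commands(level, payload, windows)) > 1


if __name__ == "__main__":
    # Constructed payloads: the page's own plus two derived from the filter order.
    PAYLOADS = [
        "127.0.0.1&&ipconfig",    # Low: works; Medium/High: '&&' or '&' stripped
        "127.0.0.1 & ipconfig",   # Medium: a single '&' is not on the list
        "111 || ipconfig",        # Medium: ipconfig runs because ping 111 fails
        "127.0.0.1&;&ipconfig",   # Medium: ';' removed after the '&&' pass -> '&&' reappears
        "127.0.0.1 | ipconfig",   # High: '| ' (pipe + space) is stripped
        "127.0.0.1|ipconfig",     # High: a bare '|' survives
        "127.0.0.1 || ipconfig",  # High: the '| ' pass leaves a bare '|' behind
    ]
    for level in BLACKLISTS:
        for payload in PAYLOADS:
            print(f"{level:6} {payload!r:26} -> {injected_commands(level, payload)}")
```

Run it as a script to print the table, or import it and call bypasses(level, payload) from a fuzzing loop. The splitter honours quoting but, like the filters themselves, knows nothing about what the commands do; it only answers whether the shell would see a second command.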

Impossible level

source code

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $target = $_REQUEST[ 'ip' ];
    $target = stripslashes( $target );

    // Split the IP into 4 octects
    $octet = explode( ".", $target );

    // Check IF each octet is an integer
    if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) {
        // If all 4 octets are int's put the IP back together.
        $target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3];

        // Determine OS and execute the ping command.
        if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
            // Windows
            $cmd = shell_exec( 'ping  ' . $target );
        }
        else {
            // *nix
            $cmd = shell_exec( 'ping  -c 4 ' . $target );
        }

        // Feedback for the end user
        echo "<pre>{$cmd}</pre>";
    }
    else {
        // Ops. Let the user name theres a mistake
        echo '<pre>ERROR: You have entered an invalid IP.</pre>';
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>

code audit

The code flow is as follows:

  1. Check whether the form submit button named "Submit" was clicked.
  2. Validate the anti-CSRF token with checkToken(), so the request must come from the application's own form.
  3. Read the user's IP address and pass it through stripslashes() to remove any backslash escapes.
  4. Split it on "." with explode() and store the pieces in the $octet array.
  5. Require that each of the first four pieces satisfies is_numeric() and that there are exactly four pieces.
  6. If so, reassemble those four pieces into $target, discarding everything else.
  7. Determine the operating system and run ping through shell_exec(): plain ping on Windows, ping -c 4 on *nix.
  8. Store the command output in the $cmd variable.
  9. Print it inside a <pre> tag so the formatting is kept.

Additionally, the code includes the following:

  • generateSessionToken() issues a fresh anti-CSRF token for the next request.
  • If the input is not four dot-separated numeric fields, an error message is shown and no command is run.

This is a whitelist rather than a blacklist: no shell metacharacter can pass is_numeric(), so nothing the user types reaches the shell as an operator. Two caveats remain. is_numeric() is lenient (it accepts a sign, exponent notation such as 1e3, and leading whitespace), so inputs like 1e3.1.1.1 or -1.1.1.1 pass the check and are handed to ping even though they are not valid addresses. And the command is still assembled as a string for shell_exec() rather than passed as an argument list, so the safety rests entirely on that validation. A stricter version would require each octet to be an integer from 0 to 255 (or use filter_var() with FILTER_VALIDATE_IP) and wrap the argument in escapeshellarg().
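As an added example in Python (not DVWA's code), the block below ports the Impossible-level octet check, puts a strict dotted-quad check beside it to show what is_numeric() lets through, and runs ping as an argument list without any shell, which is the structural fix the page's PHP does not apply. php_is_numeric() is an approximation of PHP 8's is_numeric() rules, and the sample inputs are constructed.

```python
"""Impossible-level validation ported to Python, a stricter check beside it,
and a ping runner that never goes through a shell.  Added example, not DVWA code."""
import ipaddress
import re
import subprocess

# Approximation of PHP 8 is_numeric(): optional sign, decimal or exponent
# form, surrounding whitespace allowed (assumption: PHP 8 semantics).
_PHP_NUMERIC = re.compile(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*")


def php_is_numeric(s: str) -> bool:
    return _PHP_NUMERIC.fullmatch(s) is not None


def dvwa_impossible_accepts(target: str) -> bool:
    """Mirror explode('.') + is_numeric() on each piece + sizeof() == 4."""
    octets = target.split(".")
    return len(octets) == 4 and all(php_is_numeric(o) for o in octets)


def strict_ipv4(target: str) -> bool:
    """Require a real dotted-quad address with every octet in 0-255."""
    try:
        ipaddress.IPv4Address(target)
    except ValueError:
        return False
    return True


def ping_argv(target: str, windows: bool = False) -> list[str]:
    """Build the argv list for ping; validation is the only gate, so keep it strict."""
    if not strict_ipv4(target):
        raise ValueError(f"rejected target {target!r}")
    return ["ping", target] if windows else ["ping", "-c", "4", target]


def run_ping(target: str, windows: bool = False) -> str:
    # shell=False (the default) with an argv list: ping is exec'd directly and
    # the target is a single argument, so ; & | and friends are never parsed.
    result = subprocess.run(ping_argv(target, windows), capture_output=True,
                            text=True, timeout=15)
    return result.stdout + result.stderr


if __name__ == "__main__":
    # Constructed inputs: the page's payloads plus strings that slip past is_numeric().
    for t in ["127.0.0.1", "127.0.0.1;id", "127.0.0.1|ipconfig", "1e3.1.1.1", "-1.1.1.1"]:
        print(f"{t!r:22} dvwa={dvwa_impossible_accepts(t)!s:5} strict={strict_ipv4(t)}")
```

The two validators agree on every injection payload from this page, which is why the Impossible level holds; they disagree on 1e3.1.1.1 and -1.1.1.1, which the PHP forwards to ping and strict_ipv4() rejects. The PHP equivalent of ping_argv() is validating with filter_var($target, FILTER_VALIDATE_IP) and passing escapeshellarg($target) to shell_exec().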

Summarize

The above is a collection of [Network Security] DVWA Command Injection attack techniques and detailed problem-solving analysis, covering command injection, command-line operators, PHP code auditing and related points.

I am Qiu said; see you next time.

Origin blog.csdn.net/2301_77485708/article/details/131258801