Command Execution Vulnerability - System Command Execution

An application sometimes needs to call functions that execute commands. When the server does not filter the input that reaches such special functions, and the user controls their parameters, malicious commands can be appended to the intended command, resulting in a command execution attack.
Command execution vulnerabilities fall into two types: remote command execution (code execution) and system command execution. The common dangerous functions are likewise divided into two types: code execution functions and command execution functions.

Common code execution functions in PHP:
array_map()
eval()
assert()
preg_replace()
call_user_func()
$a($b) dynamic function call

Common system command execution functions in PHP:
system()
exec()
shell_exec()
passthru()
popen()
backticks "`"

1. The functions that allow system commands to be executed are:

1、system()

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/system.php

2. Append "?a=ipconfig" to the URL, visit http://ip/os/system.php?a=ipconfig, and the page executes the command

3. Append "?a=whoami" to the URL, visit http://ip/os/system.php?a=whoami, and the page executes the command


2、exec()

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/exec.php

2. Append "?a=ipconfig" to the URL, visit http://ip/os/exec.php?a=ipconfig, and the page executes the command

3. Append "?a=whoami" to the URL, visit http://ip/os/exec.php?a=whoami, and the page executes the command


3、shell_exec()

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/shell_exec.php

2. Append "?a=ipconfig" to the URL, visit http://ip/os/shell_exec.php?a=ipconfig, and the page executes the command

3. Append "?a=whoami" to the URL, visit http://ip/os/shell_exec.php?a=whoami, and the page executes the command


4、passthru()

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/passthru.php

2. Append "?a=ipconfig" to the URL, visit http://ip/os/passthru.php?a=ipconfig, and the page executes the command

3. Append "?a=whoami" to the URL, visit http://ip/os/passthru.php?a=whoami, and the page executes the command

5、popen(): writes the result of the command execution to a file

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/popen.php

2. Append a value for the parameter a to the URL, for example "?a=1", visit http://ip/os/popen.php?a=1, and the page executes the code without any error

3. Visit http://ip/os/1.txt to view the newly created file holding the execution result

6、Backticks

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/fdyh.php

2. Append a value for the parameter a to the URL, for example "?a=1", visit http://ip/os/fdyh.php?a=1, and the page executes the code and outputs the expected result


2. Executing operating system commands by exploiting a system command execution vulnerability

Principle:

A system command execution vulnerability allows operating system commands to be run on the server, which can expose important information.

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/system.php

2. Append "?a=cd" to the URL, visit http://ip/os/system.php?a=cd, execute the command, and view the absolute path of the current working directory

3. Append "?a=dir" to the URL, visit http://ip/os/system.php?a=dir, execute the command, and view all files in the current directory

4. Append "?a=net user" to the URL, visit http://ip/os/system.php?a=net user, execute the command, and view all users

5. Append "?a=type c:\windows\system32\drivers\etc\hosts" to the URL, visit http://ip/os/system.php?a=type c:\windows\system32\drivers\etc\hosts, execute the command, and view the hosts file
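As an added example (not the lab's own code), here is what a page such as the system.php above most likely looks like, reconstructed as an assumption, next to a hardened handler in which the request only selects an entry from a fixed table and no request data ever reaches the shell. The parameter name "a" and the commands whoami and ipconfig are taken from the walkthrough; everything else is assumed.

```php
<?php
// Added example, not the lab's own code. The vulnerable handler is an assumed
// reconstruction of what a lab file such as system.php does; the parameter
// name "a" and the commands (whoami, ipconfig) come from the walkthrough.

// VULNERABLE (assumed): the request parameter becomes the whole command line,
// so ?a=whoami, ?a=dir or ?a=net user run exactly as typed. Not wired up below.
function vulnerable_handler(array $get): void
{
    $a = $get['a'] ?? '';
    system($a);
}

// HARDENED: the request value is only a lookup key; the command string itself
// is a constant from this table, so user input never reaches the shell.
const ALLOWED_ACTIONS = [
    'whoami'   => 'whoami',
    'ipconfig' => 'ipconfig',
];

function hardened_handler(array $get): string
{
    $a = $get['a'] ?? '';
    // is_string() rejects ?a[]=x, which would otherwise trip the array lookup.
    if (!is_string($a) || !isset(ALLOWED_ACTIONS[$a])) {
        http_response_code(400);
        return "unknown action\n";
    }
    $out = [];
    $rc  = 0;
    exec(ALLOWED_ACTIONS[$a], $out, $rc);   // constant command, no user input
    if ($rc !== 0) {
        http_response_code(500);
        return "command failed\n";
    }
    // If a user-supplied argument were unavoidable, it would additionally be
    // validated against a strict pattern and wrapped with escapeshellarg();
    // the allowlist above remains the primary control.
    return implode("\n", $out) . "\n";
}

// Dispatch: only the hardened handler is reachable from the web.
header('Content-Type: text/plain; charset=utf-8');
echo hardened_handler($_GET);
```

With the hardened version, the walkthrough's ?a=dir, ?a=net user and ?a=type requests are answered with "unknown action" instead of command output, which is also the response a web-server log review can key on.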



That is all for this article for now.

Origin blog.csdn.net/weixin_54055099/article/details/126909954