[Command Execution and Middleware Vulnerabilities]


Preface

Common cybersecurity interview questions


Topic


1. Command execution principles, common functions, hazards, and protection

Principle:
Applications sometimes need to call functions that execute commands. If the server-side code does not filter what is passed into these executable functions, and the user can control their parameters, malicious commands can be spliced onto the normal command. The result is a command execution attack.
Command execution vulnerabilities fall into two categories: remote code execution (the injected input is run as code, e.g. PHP) and system command execution (the injected input is run by the operating-system shell).
Correspondingly, the dangerous functions fall into two categories: code execution functions and command execution functions.

Command separator usage:
Windows:

&   runs the following command regardless of whether the preceding one succeeded
&&  runs the following command only if the preceding one succeeded; if it fails, the rest is skipped
|   pipe: the output of the preceding command becomes the input of the following one (the following command always runs)
||  runs the following command only if the preceding one failed

Linux:

;   runs the following command after the preceding one finishes, whatever its result
|   pipe: the output of the previous command is the input of the next one
||  runs the following command only if the preceding one failed
&   runs the preceding command in the background; the following command runs regardless of its result
&&  runs the following command only if the preceding one succeeded

Exploitation conditions:
➢ The function's input can be controlled by the user
➢ A dangerous function that executes code or system commands is present

Hazards:
➢ Execute system commands or read and write files with the privileges of the web service process
➢ Obtain a reverse shell
➢ Take control of the whole website or even the server
➢ Pivot further into the intranet

Common functions:

Remote command (PHP code) execution vulnerability: PHP code execution
eval(), assert()

<?php
	eval($_GET['pass']);   // eval() and assert() execute a string as PHP code
?>

<?php
	assert($_GET['pass']);   // string assertions are deprecated since PHP 7.2 and no longer executed in PHP 8
?>

preg_replace()   (with the /e modifier, which was removed in PHP 7)
call_user_func()
call_user_func_array()
$a($b)   (variable function call)

Other things you can do through PHP code execution (assuming the ?a= parameter is passed to eval()):
➢ ?a=print(__FILE__);   // get the absolute path of the current script

__LINE__   current line number in the file
__FILE__   full path and file name of the file; inside an included file, the included file's name
__DIR__    directory the file is in; inside an included file, the included file's directory

➢ ?a=var_dump(file_get_contents('c:\windows\system32\drivers\etc\hosts'));   // read a file
➢ ?a=var_dump(file_put_contents($_POST[1],$_POST[2]));   // write a file whose name and content come from the POST body
POST body:
1=shell.php&2=<?php phpinfo()?>    // writes the file into the current directory; the content can be replaced with a one-line webshell

System command execution vulnerability: execution of operating-system commands.
The functions that execute system commands are:

system(), exec(), shell_exec(), passthru(), popen()
➢ the backtick operator `...` (equivalent to shell_exec())

Other things you can do through system command execution (assuming the ?a= parameter is passed to system()):

?a=type C:\windows\system32\drivers\etc\hosts   // view a file
?a=cd   (or chdir)                              // show the current absolute path on Windows
?a=echo "<?php phpinfo();?>" > E:\xampp\htdocs\php\os\phpinfo.php
Writes phpinfo.php into the web root; the content <?php phpinfo() ?> can be replaced with a one-line webshell. Find the current path first so you know where to write.
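As an added example that is not part of the original post, here is a small static scanner for the code-execution and command-execution sinks listed above. It tokenises PHP source with token_get_all() and reports every sink call whose argument list directly contains a request superglobal. The function names (find_injection_sinks, collect_args, next_significant), the SINK_FUNCTIONS list and the embedded sample source are my own constructions; the scanner does no data-flow tracking through intermediate variables and needs PHP 7.1 or later.

```php
<?php
// Added example, not from the original post: a minimal static scanner for the
// code- and command-execution sinks listed above. It tokenises PHP source with
// token_get_all() and reports every sink call whose argument list directly
// contains a request superglobal. There is no data-flow tracking through
// intermediate variables, so treat it as an audit aid rather than a full SAST tool.

const SINK_FUNCTIONS = [
    'assert', 'call_user_func', 'call_user_func_array',
    'preg_replace',                                   // only dangerous with the /e modifier (PHP < 7)
    'system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open',
];
const TAINT_SOURCES = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER', '$_FILES'];

/** Text of the next token that is not whitespace or a comment, or null at end of input. */
function next_significant(array $tokens, int $i): ?string
{
    $n = count($tokens);
    while ($i < $n && is_array($tokens[$i])
           && in_array($tokens[$i][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
        $i++;
    }
    if ($i >= $n) {
        return null;
    }
    return is_array($tokens[$i]) ? $tokens[$i][1] : $tokens[$i];
}

/** Tokens inside the call's parentheses (or the backtick body), plus the index of the closing token. */
function collect_args(array $tokens, int $start, bool $backtick): array
{
    $n = count($tokens);
    $args = [];
    if ($backtick) {
        for ($j = $start + 1; $j < $n && $tokens[$j] !== '`'; $j++) {
            $args[] = $tokens[$j];
        }
        return [$args, $j];
    }
    for ($j = $start; $j < $n && $tokens[$j] !== '('; $j++) {
    }
    $depth = 0;
    for (; $j < $n; $j++) {
        if ($tokens[$j] === '(') {
            $depth++;
        } elseif ($tokens[$j] === ')' && --$depth === 0) {
            break;
        } else {
            $args[] = $tokens[$j];
        }
    }
    return [$args, $j];
}

/** Scan PHP source and return findings as [line, sink, tainted variable] triples. */
function find_injection_sinks(string $source): array
{
    $tokens   = token_get_all($source);
    $n        = count($tokens);
    $findings = [];

    for ($i = 0; $i < $n; $i++) {
        $tok  = $tokens[$i];
        $sink = null;
        if (is_array($tok) && $tok[0] === T_EVAL) {
            $sink = 'eval()';
        } elseif (is_array($tok) && $tok[0] === T_STRING
                  && in_array(strtolower($tok[1]), SINK_FUNCTIONS, true)
                  && next_significant($tokens, $i + 1) === '(') {
            $sink = strtolower($tok[1]) . '()';
        } elseif (is_array($tok) && $tok[0] === T_VARIABLE
                  && next_significant($tokens, $i + 1) === '(') {
            $sink = $tok[1] . '()';                   // variable function call such as $a($b)
        } elseif ($tok === '`') {
            $sink = '`...`';                          // backtick operator, same as shell_exec()
        }
        if ($sink === null) {
            continue;
        }
        [$args, $end] = collect_args($tokens, $i, $tok === '`');
        foreach ($args as $arg) {
            if (is_array($arg) && $arg[0] === T_VARIABLE && in_array($arg[1], TAINT_SOURCES, true)) {
                $findings[] = [is_array($tok) ? $tok[2] : $arg[2], $sink, $arg[1]];
                break;
            }
        }
        $i = $end;                                    // continue after the call
    }
    return $findings;
}

// Constructed sample input (not real application code).
$sample = <<<'PHP'
<?php
eval($_GET['pass']);                         // code execution
system("ping -c 1 " . $_GET['host']);        // command execution
$out = `ls -la {$_POST['dir']}`;             // backtick operator
$f = $_REQUEST['f']; $f($_REQUEST['arg']);   // variable function call
echo htmlspecialchars($_GET['name']);        // not a sink
PHP;

foreach (find_injection_sinks($sample) as [$line, $sink, $source]) {
    printf("line %d: %s receives %s\n", $line, $sink, $source);
}
```

Run it with php scanner.php; on the constructed sample it reports one finding for each of lines 2 to 5 (eval(), system(), the backtick operator and the variable call $f()) and nothing for the htmlspecialchars() line. To audit a real code base, replace $sample with file_get_contents() of each .php file.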

Protection:
(1) Avoid executing external commands at all where possible.
(2) Replace the external command with a built-in or library function that does the same job (PHP's own file, network and process functions).
(3) Pass command arguments through escapeshellarg(). escapeshellarg() wraps the value in single quotes and escapes any single quote inside it, so the shell treats the whole value as one argument and characters such as ; | & cannot end the argument or start a new command. escapeshellcmd() is the companion function for a whole command string: it backslash-escapes the shell metacharacters. Neither function stops the called program from interpreting the argument as an option (a value beginning with -), so also validate the input against an allow-list.
(4) Use safe_mode_exec_dir in php.ini to specify the directory from which programs may be executed, and place the commands you need there in advance; this requires safe_mode=On (PHP's safe mode). safe_mode and safe_mode_exec_dir were removed in PHP 5.4; on current versions use disable_functions in php.ini to turn off the execution functions you do not need.

safe_mode_exec_dir= /usr/local/php/bin/
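The following is an added example, not code from the original post. It writes the same "ping a host" feature three ways: the vulnerable splice that lets the separators from the table above in, an escapeshellarg()-only version that stops shell injection but not argument injection, and the hardened form combining the protection steps. The function names (ping_vulnerable, ping_escaped, ping_hardened, is_valid_host) are my own; it assumes a Linux or macOS ping that takes -c and honours "--" as the end of options.

```php
<?php
// Added example, not from the original post. The same "ping a host" feature is
// written three ways to show how the separators from the table above get in, why
// escapeshellarg() alone is not enough, and what the protection steps look like
// together. Assumes a Linux/macOS ping that takes -c and honours "--".

/** 1. Vulnerable: user input is spliced straight into the shell command line. */
function ping_vulnerable(string $host): ?string
{
    // host = "127.0.0.1; id", "127.0.0.1 && id", "x || id" or "x | id" all run id
    return shell_exec('ping -c 1 ' . $host);
}

/** 2. Escaped only: escapeshellarg() blocks shell injection but not argument injection. */
function ping_escaped(string $host): ?string
{
    // "-c 99999" becomes the single argument '-c 99999'; the shell is safe, but
    // ping still parses it as an option and sends 99999 packets to the target
    return shell_exec('ping -c 1 ' . escapeshellarg($host));
}

/** 3. Hardened: allow-list validation first, then escaping, then "--" to end option parsing. */
function ping_hardened(string $host): ?string
{
    if (!is_valid_host($host)) {
        return null;                       // reject; do not try to "clean" the input
    }
    return shell_exec('ping -c 1 -- ' . escapeshellarg($host));
}

/** Accept an IPv4/IPv6 literal or a hostname made of RFC 1123 labels, nothing else. */
function is_valid_host(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($host) <= 253
        && preg_match("/\\A{$label}(?:\\.{$label})*\\z/", $host) === 1;
}

// Command-line driver: php ping.php '127.0.0.1; id'
$host = $argv[1] ?? '127.0.0.1';
printf("shell sees (vulnerable): ping -c 1 %s\n", $host);
printf("shell sees (escaped):    ping -c 1 %s\n", escapeshellarg($host));
$result = ping_hardened($host);
echo $result ?? "rejected by allow-list: " . json_encode($host) . "\n";
```

The driver only prints what the shell would receive for the first two variants and actually executes the hardened one, so you can feed it payloads such as '127.0.0.1; id' or '-c 99999' and watch the allow-list reject them. The order matters: validate before escaping, because escaping a hostile value only changes how it is quoted, not what the called program does with it.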

2. Principles and exploitation of middleware vulnerabilities

IIS
1. IIS 6.0

1. Suffix parsing: /xx.asp;.jpg. The server does not parse the ";" or anything after it, so it acts as a truncation and the file is executed as ASP.
2. Directory parsing: /xx.asp/xx.jpg. Any file inside a directory named xx.asp is parsed as ASP.
3. Default extensions: xx.asa, xx.cer and xx.cdx are also handled by the ASP engine.
4. RCE: CVE-2017-7269 (buffer overflow in the IIS 6.0 WebDAV service).

2. IIS 7.0-7.5

1. With FastCGI enabled (PHP with cgi.fix_pathinfo=1), appending /xx.php to a file path, i.e. xx.jpg/xx.php, causes xx.jpg to be parsed as PHP.

3. PUT vulnerability

1. WebDAV is enabled
2. A guest (anonymous) user exists and has write (upload) permission
3. Arbitrary files can then be uploaded with PUT

4. Short file name guessing (the IIS "~" short-name disclosure)

1. Before IIS 8.0, the HTTP methods that support short-name guessing are DEBUG, OPTIONS, GET, POST, HEAD and TRACE, and ASP.NET must be installed. From IIS 8.0 on, only OPTIONS and TRACE can be used, but the ASP.NET requirement no longer applies.
2. If a folder name contains a "." within its first six characters, the scanner treats it as a file rather than a folder, producing false positives.
3. Chinese (non-ASCII) file names are not supported.

Apache
1. Suffix parsing

test.php.x1.x2.x3 (x1, x2, x3 are extensions not defined in mime.types)
Apache evaluates extensions from right to left: if x3 is not a recognised extension it looks at x2, and so on, until it finds one it recognises, then handles the file according to that extension, so the file runs as PHP. This applies when PHP is enabled through AddHandler/AddType; a configuration that binds the handler with <FilesMatch "\.php$"> is not affected.

2. .htaccess

When AllowOverride is enabled, an uploaded .htaccess containing handler rules (for example an AddType directive that maps .jpg to the PHP handler) overrides the main Apache configuration.

3. Directory listing

With Options +Indexes configured, Apache lists the contents of a directory that has no index file (commonly described as a directory traversal/listing issue).

4. CVE-2017-15715

%0A bypasses upload blacklists: <FilesMatch "\.php$"> is a regex whose $ also matches before a trailing newline, so a file named xx.php%0A (xx.php followed by a newline) passes a check for the exact .php suffix but is still executed as PHP.

Nginx

1. FastCGI off

With FastCGI off, Nginx still has a parsing vulnerability: appending %00.php to a file path (xx.jpg), i.e. xx.jpg%00.php, causes the file to be parsed as PHP (null-byte truncation).

2. FastCGI on

With FastCGI on, appending /xx.php to a file path, i.e. xx.jpg/xx.php, causes xx.jpg to be parsed as PHP (cgi.fix_pathinfo=1 with no security.limit_extensions restriction).

3. CVE-2013-4547

a.jpg\x20\x00.php (a space followed by a null byte makes a request for a.jpg reach the PHP handler)

4. Configuration errors

a. Directory traversal
With a configuration such as
    location /foo {
        alias /bar/;
    }
a request for /foo../ is resolved to /bar/../, leading to directory traversal. The cause is the mismatch between the location prefix without a trailing slash and the alias with one; giving the location the same trailing slash (location /foo/ with alias /bar/) removes the problem.
b. Directory listing
With autoindex on in the configuration, Nginx lists directory contents.

Tomcat
1. CVE-2017-12615

1. The PUT method can upload arbitrary files (the DefaultServlet is configured with readonly=false).
2. Uploads with a .jsp suffix are blocked, but this can be bypassed:
a. Windows does not allow a file name to end with a space: PUT /a001.jsp%20 HTTP/1.1 is stored on Windows with the trailing space removed.
b. Windows NTFS alternate data stream: PUT /a001.jsp::$DATA HTTP/1.1
c. "/" is illegal in a file name and is stripped (Linux and Windows): PUT /a001.jsp/ HTTP/1.1
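As an added example that is not part of the original post, the script below models the name-normalisation quirks behind the bypasses above (Tomcat CVE-2017-12615: trailing space, ::$DATA and trailing slash; Apache CVE-2017-15715: the trailing newline and the "$" anchor) as small PHP functions, and shows why a blacklist on the raw upload name is defeated while an allow-list on the normalised name is not. The "server" and "file system" behaviour is my simplified assumption, not the servers' own code; the function names and the sample file names are constructed for the example, and the inputs are taken as already URL-decoded, the way the container sees them.

```php
<?php
// Added example, not from the original post. It models the name-normalisation
// quirks behind the bypasses above (Tomcat CVE-2017-12615: trailing space,
// ::$DATA, trailing slash; Apache CVE-2017-15715: trailing newline and the "$"
// anchor) as small PHP functions, and shows why a blacklist on the raw upload
// name fails while an allow-list on the normalised name does not. The server
// and file-system behaviour is a simplified assumption, not the servers' code.
// Inputs are already URL-decoded, as the container sees them.

/** Naive blacklist: reject only when the raw name ends with a blocked extension. */
function naive_blacklist_allows(string $rawName): bool
{
    foreach (['.php', '.jsp', '.asp'] as $suffix) {
        if (substr(strtolower($rawName), -strlen($suffix)) === $suffix) {
            return false;
        }
    }
    return true;
}

/** Model of the name that actually ends up on disk (assumptions taken from the quirks above). */
function normalise_stored_name(string $rawName): string
{
    $name = rtrim($rawName, '/');                      // Tomcat: "/" is illegal in a file name and is dropped
    $name = preg_replace('/::\$DATA\z/i', '', $name);  // NTFS: "::$DATA" addresses the default data stream
    return rtrim($name, " .");                         // Windows: trailing spaces and dots are stripped
}

/** Model of Apache's <FilesMatch "\.php$">: PCRE "$" also matches just before a final newline. */
function apache_filesmatch_php(string $storedName): bool
{
    return preg_match('/\.php$/', $storedName) === 1;
}

/** Hardened: decide on the normalised name, with an extension allow-list and \A...\z anchors. */
function hardened_allows(string $rawName): bool
{
    $name = normalise_stored_name($rawName);
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:jpe?g|png|gif)\z/', $name) === 1;
}

// Constructed sample names: one benign control, one obvious attempt, four bypasses.
$samples = ["normal.jpg", "shell.jsp", "a001.jsp ", "a001.jsp::\$DATA", "a001.jsp/", "a.php\n"];

printf("%-22s %-10s %-14s %-9s %s\n", 'raw name', 'blacklist', 'stored as', 'php?', 'hardened');
foreach ($samples as $raw) {
    $stored = normalise_stored_name($raw);
    printf("%-22s %-10s %-14s %-9s %s\n",
        json_encode($raw),
        naive_blacklist_allows($raw) ? 'allowed' : 'blocked',
        json_encode($stored),
        apache_filesmatch_php($stored) ? 'yes' : 'no',
        hardened_allows($raw) ? 'allowed' : 'blocked');
}
```

Run it with php upload_names.php. The three Tomcat payloads pass the naive blacklist yet are stored as a001.jsp, and "a.php\n" passes the blacklist while the FilesMatch model still treats it as PHP; the hardened check rejects all four because it looks at the name the file system will actually use and anchors the extension with \z rather than $.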

2. CVE-2020-1938

CVE-2020-1938 is the Tomcat AJP file inclusion vulnerability (Ghostcat).

3. Weak password & WAR remote deployment

In a Tomcat 8 environment the commonly used default manager credentials are tomcat/tomcat; if they are not changed, the manager console can be accessed without further effort and a malicious WAR deployed.

4. CVE-2019-0232

1. CVE-2019-0232 is an Apache Tomcat RCE (command injection through the CGI Servlet on Windows when enableCmdLineArguments is enabled).
5. Manager App brute force
The manager password is sent with HTTP Basic authentication, i.e. base64-encoded; capture the request and decode it to obtain the password, or brute-force the login.

Weblogic

i. CVE-2017-10271: deserialization vulnerability (XMLDecoder in the WLS-WSAT component)
ii. CVE-2018-2628: deserialization command execution vulnerability (T3 protocol)
iii. CVE-2018-2894: WebLogic arbitrary file upload vulnerability
iv. CVE-2020-14882: WebLogic management console unauthorized remote command execution vulnerability
v. SSRF: WebLogic SSRF vulnerability
vi. Weak passwords

Summary

This post mainly covers command execution and middleware vulnerabilities.

Origin blog.csdn.net/qq_61872115/article/details/126126326