Pikachu shooting range: RCE

Overview of the RCE vulnerability
An RCE vulnerability allows an attacker to remotely inject operating system commands or code directly into the backend server, and thereby take control of the backend system.

Remote system command execution
A command execution vulnerability (Command Execution) means that hackers can execute system commands directly through the web application, to obtain sensitive information or to gain shell privileges.

The more common command execution vulnerabilities occur in various web components, including web containers, web frameworks, CMS software, security components, etc.

Reasons for the vulnerability:
1. When writing the source code, the developer did not filter the inputs (controllable variables) that reach functions capable of executing code, so the client can submit a maliciously constructed statement and have the server execute it.

Insufficient security checking of the user-supplied command input, which then takes part directly in interaction with the operating system
The application calls functions that execute system commands
User input is concatenated into the command line as an argument of the system command


2. In command injection attacks, the web server does not filter the use of functions such as system(), eval(), exec(), etc. This is the main reason such attacks succeed.

Applications sometimes need to call functions that execute system commands, such as system, exec, shell_exec, passthru, popen, proc_open, etc. in PHP. When users can control the parameters of these functions, they can splice malicious system commands onto the normal command, which results in a command execution attack.

Common functions that can be called from external programs in PHP:

eval()
assert()
preg_replace() with the /e modifier
create_function()
array_map()
call_user_func()/call_user_func_array()
array_filter()
usort(),uasort()
file_put_contents()
fputs()
$_GET['a']($_GET['b']); // a=assert&b=phpinfo()


Typically the user is given a web interface for a ping operation. The user enters the target IP in the web interface; after submission, the backend performs a ping test against that IP address and returns the test result.

However, if the designer does not apply strict security controls when implementing this function, an attacker may submit "unexpected" commands through this interface and have the backend execute them, thereby taking control of the entire backend server.

1. exec "ping"

Backend code (remote command execution, ping):

$result .= shell_exec('ping ' . $ip); // the variable is spliced in directly, without any processing

A further command is simply spliced after the ping command. Windows cmd is used as the example.

After the ping command runs, the spliced dir command runs as well. If a site does not filter, the various separator characters such as ; & && | || can all be tried.
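The following is an added example, not code from the pikachu project: it places the vulnerable ping handler next to a hardened version. The function names (ping_vulnerable, validate_ip, ping_hardened) and the sample inputs are assumptions made for this illustration. The hardened handler rejects anything that is not a literal IP address before the string reaches the shell, and still quotes the argument with escapeshellarg() as a second layer; note that by design it also rejects hostnames.

```php
<?php
// Added example, not part of pikachu. Shows the vulnerable handler beside a hardened one.

// Vulnerable form, as in the shooting range: the user input is spliced straight into the command.
function ping_vulnerable(string $ip): string
{
    return (string) shell_exec('ping ' . $ip);
}

// Validation step: only a well-formed IPv4/IPv6 literal is accepted. Separators such as
// ; & | ` $ ( ) and whitespace can never pass FILTER_VALIDATE_IP.
function validate_ip(string $ip): ?string
{
    $ip = trim($ip);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $ip;
}

// Hardened form: fixed option set, validated address, and escapeshellarg() as a second layer.
function ping_hardened(string $ip): string
{
    $clean = validate_ip($ip);
    if ($clean === null) {
        return 'Invalid IP address';
    }
    $cmd = (PHP_OS_FAMILY === 'Windows' ? 'ping -n 1 ' : 'ping -c 1 ') . escapeshellarg($clean);
    $out = shell_exec($cmd);
    return $out === null ? 'ping produced no output' : (string) $out;
}

// Constructed sample inputs: a legitimate address, a spliced command as on the page, a hostname.
$samples = ['127.0.0.1', '127.0.0.1 & dir', 'localhost'];
foreach ($samples as $s) {
    echo $s, ' => ', validate_ip($s) === null ? 'rejected' : 'accepted', PHP_EOL;
}
// Output: 127.0.0.1 accepted, the other two rejected.
```

Only the validation loop runs by default; call ping_hardened() from a request handler to use it. If hostnames must be supported, validate them separately against a strict hostname pattern rather than loosening the IP check.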

2. exec "eval"

eval, the classic one-sentence Trojan (webshell) function

Backend code (remote code execution, eval):

if (@!eval($_POST['txt'])) // the POST parameter is passed to eval unchanged; @ suppresses any error

No processing is done here either. The difference from the ping case above is that here the input is executed as PHP code, whereas the ping case executes a command line.

The incoming parameter is not filtered and its content is executed directly; submitting phpinfo(); shows this.

The submitted code can be seen being executed.
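Because there is no safe way to filter input that reaches eval(), the practical defence is to find such calls in the code base. The following is an added example that is not part of the pikachu project: a small token-based scanner, written here as the function scan_dangerous_calls (an assumed name), that reports every direct call to the functions listed earlier on this page (eval, assert, create_function, system, exec, shell_exec, passthru, popen, proc_open, preg_replace, the callback functions and the rest). The embedded sample source is constructed to mirror the two shooting-range handlers. A hit is an audit lead, not proof of a vulnerability; whether the argument is user-controlled still has to be checked by hand.

```php
<?php
// Added example, not part of pikachu. Flags direct calls to risky builtins using PHP's tokenizer.

// Names taken from the page's lists; lower-case because PHP function names are case-insensitive.
const DANGEROUS_FUNCTIONS = [
    'eval', 'assert', 'create_function', 'system', 'exec', 'shell_exec',
    'passthru', 'popen', 'proc_open', 'preg_replace', 'call_user_func',
    'call_user_func_array', 'array_map', 'array_filter', 'usort', 'uasort',
];

/**
 * Returns a list of ['line' => int, 'function' => string] for each direct call.
 * eval is a language construct (T_EVAL); the others appear as T_STRING followed by '('.
 */
function scan_dangerous_calls(string $source): array
{
    $hits = [];
    $tokens = token_get_all($source);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) {
            continue;                       // single-character tokens such as '(' or ';'
        }
        [$id, $text, $line] = $t;
        if ($id === T_EVAL) {
            $hits[] = ['line' => $line, 'function' => 'eval'];
            continue;
        }
        if ($id !== T_STRING || !in_array(strtolower($text), DANGEROUS_FUNCTIONS, true)) {
            continue;
        }
        // Skip whitespace and comments: a call is a name directly followed by '('.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j])
               && in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT], true)) {
            $j++;
        }
        if ($j < $n && $tokens[$j] === '(') {
            // $obj->system(), Foo::exec() or "function exec()" are not the builtin.
            $prev = $tokens[$i - 1] ?? null;
            if (is_array($prev)
                && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
                continue;
            }
            $hits[] = ['line' => $line, 'function' => strtolower($text)];
        }
    }
    return $hits;
}

// Constructed sample source mirroring the two shooting-range handlers.
$sample = <<<'PHP'
<?php
$result .= shell_exec('ping ' . $ip);
if (@!eval($_POST['txt'])) { echo 'fail'; }
$safe = escapeshellarg($ip);   // not on the list, so not reported
PHP;

foreach (scan_dangerous_calls($sample) as $hit) {
    printf("line %d: %s()\n", $hit['line'], $hit['function']);
}
// Prints "line 2: shell_exec()" and "line 3: eval()".
```

Run it over a whole tree with file_get_contents() per file; dynamic calls such as the $_GET['a']($_GET['b']) pattern above are not caught by a name match and need a separate rule for variable functions.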


Origin blog.csdn.net/qq_29977871/article/details/130356650